Docker Community Forums

Users without access to labels can start containers from labeled images


(Alm. Brand Docker admins) #1

Reproduce:

Build an image from a Dockerfile with the following content, tag it with whatever fits your DTR and push it.

FROM    busybox@sha256:97473e34e311e6c1b3f61f2a721d038d1e5eef17d98d1353a513007cf46ca6bd
LABEL   com.docker.ucp.access.label=admins-only

Log in as an admin, go to Images and pull the image. Verify that it shows in the list. Log out.

Log in as a non-admin user who is not a member of any team granting any access to the ‘admins-only’ label, but with at least “restricted” access to another label, e.g. ‘ucp-viewers’.

Verify that the user cannot see the image in the Images list.

Go to Containers, click Deploy Container, paste in the image name, type ‘ucp-viewers’ in the access labels field and you’re able to deploy a container based on the image which you could not see in the list.
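
An audit for the situation reported above, as an added example that is not part of the original post and not Docker's or UCP's own code: it flags containers whose `com.docker.ucp.access.label` differs from the label baked into their image. It assumes input shaped like `docker inspect` JSON for images and containers; the IDs, names and registry host in the sample are constructed.

```python
import json

ACCESS_LABEL = "com.docker.ucp.access.label"  # label key used in the post

# Constructed sample data shaped like `docker inspect` output (IDs are fake).
IMAGES_JSON = """[
 {"Id": "sha256:aaa", "RepoTags": ["dtr.example.com/ops/admin-tool:1"],
  "Config": {"Labels": {"com.docker.ucp.access.label": "admins-only"}}},
 {"Id": "sha256:bbb", "RepoTags": ["busybox:latest"],
  "Config": {"Labels": null}}
]"""
CONTAINERS_JSON = """[
 {"Id": "c1", "Name": "/viewer-job", "Image": "sha256:aaa",
  "Config": {"Labels": {"com.docker.ucp.access.label": "ucp-viewers"}}},
 {"Id": "c2", "Name": "/admin-job", "Image": "sha256:aaa",
  "Config": {"Labels": {"com.docker.ucp.access.label": "admins-only"}}},
 {"Id": "c3", "Name": "/scratch", "Image": "sha256:bbb",
  "Config": {"Labels": {"com.docker.ucp.access.label": "ucp-viewers"}}}
]"""

def access_label(obj):
    """Return the access label of an inspected image or container, or None."""
    labels = (obj.get("Config") or {}).get("Labels") or {}
    return labels.get(ACCESS_LABEL)

def find_label_mismatches(images, containers):
    """List (container, image_label, container_label) where the two differ."""
    image_labels = {img["Id"]: access_label(img) for img in images}
    findings = []
    for ctr in containers:
        img_label = image_labels.get(ctr.get("Image"))
        if img_label is None:
            continue  # image carries no access label, or is not in the inventory
        ctr_label = access_label(ctr)
        # A label given at deploy time overrides the image's label on the
        # container, so a difference means the image label was not enforced.
        if ctr_label != img_label:
            findings.append((ctr["Name"].lstrip("/"), img_label, ctr_label))
    return findings

def audit_sample():
    """Run the audit over the constructed sample inventory."""
    return find_label_mismatches(json.loads(IMAGES_JSON), json.loads(CONTAINERS_JSON))

if __name__ == "__main__":
    for name, img_label, ctr_label in audit_sample():
        print(f"{name}: image label {img_label!r}, container label {ctr_label!r}")
```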