I want to be able to let the users push a docker file along with code to gitlab and let the gitlab build the image, that can then be pulled by authenticated user of the project.
The problem is , I want to make sure the users dont push docker images directly to gitlab container registry , so that we can review the docker-files and control , and make sure the Dockefiles are using the Redhat only registry to pull stuff from.
How can we prevent users from pushing thier own built image to gitlab?
In other words , how can we make sure that docker image in the container registry of gitlab project is the one built by gitlab from dockerfile and is not the one pushed by the project users direclty from somewhere else?
deploy tokens is probably the best way forward. You can grant these on a per-repository or a group basis and specify granular access such as, for your use case read_registry as well as an optional expiry date.
Another option is to use personal access tokens. These are set globally for a user and you can specify as many as you like (eg one for each client), set an expiry date, and restrict access to read_registry.
I don't think it's currently possible. If you check gitlab's permissions model, you'll see that the user access levels determine what you can do in the container registry:
read rights are available as Reporter+
update rights are available as Developer+
If your users are developers, then they will be able to push images to the registry. If you want to limit that to gitlab-ci builds, you'd need to use protected branches and limit your users to Reporter access level (probably not what you want).
An alternative a bit convoluted would be to setup a second project that is used as the source for images, and configure its build setup to pull from the first project protected branch. Commits to the protected branch in the first project would always have to be reviewed and docker images would be pulled from the second project.
Related
We (mostly) push docker images (containing maven builds) with semantic version tags to our Azure Container Registry (ACR), e.g. my-cool-app:1.0.0-SNAPSHOT. As in the maven-world suggested, a SNAPSHOT is a work in progress built, which may or may not gets overwritten any time ...
I am thinking of a dedicated ACR, which is used for production environment only. This ACR shall contain only released images, meaning no SNAPSHOT shall be contained in the image tag. I couldn't find any useful information if there is some sort tag naming policy, basically denying any kind of deploys containing SNAPSHOT, besides locking the images. Is there no way to define such rules on the ACR, or do we have to check that "programmatically" within the build/release pipeline?
There is not any document with naming policy before pushing the images to container registry but for workaround you can use of Content trust in Azure Container Registry
Azure Container Registry implements Docker's content trust model,
enabling pushing and pulling of signed images. This article gets you
started enabling content trust in your container registries.
As an image publisher, content trust allows you to sign the images you push to your registry. Consumers of your images (people or systems pulling images from your registry) can configure their clients to pull only signed images. When an image consumer pulls a signed image, their Docker client verifies the integrity of the image. In this model, consumers are assured that the signed images in your registry were indeed published by you, and that they've not been modified since being published.
This Content Trust will help to deny to push the images in Container registery as they might be not signed images to use as on production environment or in Azure Contaier Registry
For more information how to assign AcrImageSigner Role in the Container Registry You can refer this Mircosoft Document
Is it possible to use Gitlab's Dependency Proxy for a private project not in a group?
It seems wasteful to create a single group per project (as they may not be related) just to cache container images. Besides, what if the project needs to use images from multiple groups (without being associated with multiple groups)?
I am using a docker runner, and the docs describe a DOCKER AUTH_CONFIG variable, but:
Setting it in gitlab-ci.yaml would expose secrets in the repo
Setting it elsewhere means hard coding a username/password, which I'd rather avoid and use pre-existing variables such as CI_REGISTRY_USER and CI_JOB_TOKEN
I also thought about creating a Deploy Token in the group, but the docs also say those are only for projects within the group.
We have a hosted GitLab instance internally and a Nexus repository hosted internally (neither of which touches the open internet). The Nexus repository uses client certificates for authentication. We have a repository in GitLab that is accessed by many developers and we need a way to get the user's client certificate in the runner so we can access Nexus.
Is there a way to specify in the .gitlab-ci.yml a user-specific mount? Putting the user's certificate information in the repository's "variables" is not an option because we have many developers accessing the same project. We (as developers) also don't have access to the runners. I can, however, create a new container/image that the GitLab runner can execute. Any thoughts on how to get the CI pipeline to recognize the user's certificate in the pipeline would be greatly appreciated!
After reading the GitLab documentation and realizing how far behind we were in releases (a major version) I discovered that GitLab now integrates with Vault. This appears to work for exactly our use case.
https://docs.gitlab.com/ee/ci/examples/authenticating-with-hashicorp-vault/
I am currently using project based matrix for Jenkins global security management. I am planning to change that to Role based strategy I got the plugin installed but the thing is I don't want to lock out all the users for this update. is there a safe way to do it without having to lock out all the users while moving from project based to role based strategy. we are using AWS Ec2 instance for jenkins if that helps? Is there an option to clone the repo and do something.
Thank you.
I want to setup a private docker registry and need to be able to specify fine grained permissions on repository level e.g. I have repositories
foo
bar
baz
Developer A can see and pull from all three repositories but cannot push to any of them.
Developer B can push and pull to/from foo but cannot see any of the other repositories.
Developer C can push/pull from baz and pull from bar but cannot see foo.
As most of our services are in Azure I would prefer to use Azure Container Registry but it seems I can only assign permissions across the whole docker registry and not for individual repositories.
Is there a way to achieve what I want with Azure Container Registry and if not what are my alternatives (preferably open source)?
Just as you know, Azure Container Registry does not have the feature that you need, it just can control the access of all the repositories, not individual. So you cannot achieve your purpose in ACR.
Maybe you can try to create your own private docker registry in the VM, then you can follow the steps in Authentication and authorization in DTR. It seems you can control the access for the individual repository via the teams in docker registry. Hope it helps.