feat: add ban_tags_enabled/ban_tags to docker remotes to block named tags

Adds two per-remote config keys for docker remotes:

    ban_tags_enabled: false   # opt-in, default off
    ban_tags:
      - latest
      - edge

When ban_tags_enabled is true and a manifest request arrives for a named
tag in ban_tags, the proxy returns 403. sha256-addressed pulls are never
blocked, so images already pulled can still be referenced by digest.
Blob requests are unaffected.
@@ -41,6 +41,13 @@ TEST_REMOTES = {
"immutable_patterns": ["^library/nginx"],
"cache": {"immutable_ttl": 0, "mutable_ttl": 300},
},
"docker-bantags-test": {
"base_url": "https://registry.example.com",
"package": "docker",
"ban_tags_enabled": True,
"ban_tags": ["latest", "edge"],
"cache": {"immutable_ttl": 0, "mutable_ttl": 300},
},
"generic-test": {
"base_url": "https://releases.example.com",
"package": "generic",
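Review bot: The new "docker-bantags-test" remote only exercises the enabled path ("ban_tags_enabled": True), so the opt-in default the commit message promises has no fixture behind it. Suggest adding a second docker remote that lists "ban_tags": ["latest", "edge"] but omits ban_tags_enabled (or sets it to False) and asserting that a manifest request for latest is still served, so a later change to the default cannot silently start returning 403. Separately, the neighbouring remote's "immutable_patterns": ["^library/nginx"] is a regex while ban_tags holds plain strings; it would help to document next to the key whether entries are exact, case-sensitive tag matches, and to cover a near-miss tag (one that merely starts with a banned name) in the tests built on this fixture.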