Limit Proxy Cache Images #13231

Open
phin1x opened this issue Oct 9, 2020 · 18 comments
Assignees
Labels
area/proxy-cache kind/requirement New feature or idea on top of harbor

Comments

@phin1x
Contributor

phin1x commented Oct 9, 2020

With the new version of Harbor it can now be used as a proxy cache. As administrator I would like to have the possibility to restrict the images that are pulled (whitelist). This would save us a lot of replication rules.

@xaleeks
Contributor

xaleeks commented Oct 25, 2020

can you expand? how does this save a lot of replication rules? @phin1x

@phin1x
Contributor Author

phin1x commented Oct 26, 2020

If I create a proxy project (for example Docker Hub), all users with pull permission can pull all images from the proxied registry. If I want to limit the images which can be pulled (for example only Docker Hub library images should be allowed), I cannot use the proxy cache project type.
In our company, images from third party registries like Docker Hub, quay, gcr, gitlab and so on are forbidden by default and images need a security check before they are allowed to be used. To ensure that, we create a replication rule for every granted image (about 30 rules at the moment, ascending trend).
If we can limit the images which can be pulled through a proxy cache project, this would save us a lot of replication rules, especially if the whitelisting were based on wildcard filters.

@rayisbadat

I would just like to add my +1 to this feature request.
Currently I am syncing about 30+ repos from Docker Hub. But if there were a Name-like feature on the proxy cache as there is for the normal replications, I could get rid of most of those. Ex: Name: library/** or Name: library/{alpine,centos,ubuntu}. It would allow me to proxy official Docker Hub images and prevent random people's personal images.
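As an added illustration, not Harbor's code and not part of this issue, the allowlist semantics described in the comment above (`library/**` and `library/{alpine,centos,ubuntu}`) implemented as a small Go matcher that a proxy-cache pull check could consult before fetching from the upstream registry. The pattern syntax, the function names, the default-deny behaviour and the assumption that a bare Docker Hub name such as `alpine` normalizes to `library/alpine` are choices made for this example, not Harbor's.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Illustrative allowlist matcher for proxy-cache pulls (added example, not
// Harbor's own code). Pattern syntax assumed here, modelled on the patterns
// quoted in the thread:
//   *      any run of characters inside one path segment
//   **     any number of whole segments, including none
//   {a,b}  one of the listed alternatives (expanded before matching)

// expandBraces expands {a,b,c} alternatives into separate patterns.
// Nested braces are not supported; that is a deliberate simplification.
func expandBraces(p string) []string {
	open := strings.Index(p, "{")
	if open < 0 {
		return []string{p}
	}
	end := strings.Index(p[open:], "}")
	if end < 0 {
		return []string{p}
	}
	end += open
	var out []string
	for _, alt := range strings.Split(p[open+1:end], ",") {
		out = append(out, expandBraces(p[:open]+alt+p[end+1:])...)
	}
	return out
}

// matchSegments matches a repository path, split on "/", against a pattern
// split the same way. "**" may consume zero or more whole segments; every
// other pattern segment must match exactly one name segment.
func matchSegments(pat, name []string) bool {
	if len(pat) == 0 {
		return len(name) == 0
	}
	if pat[0] == "**" {
		for i := 0; i <= len(name); i++ {
			if matchSegments(pat[1:], name[i:]) {
				return true
			}
		}
		return false
	}
	if len(name) == 0 {
		return false
	}
	// path.Match treats "*" as "any characters except /", which is exactly
	// one-segment semantics; a malformed pattern counts as no match.
	ok, err := path.Match(pat[0], name[0])
	if err != nil || !ok {
		return false
	}
	return matchSegments(pat[1:], name[1:])
}

// normalizeDockerHubRepo maps a bare official-image name ("alpine") to its
// canonical "library/alpine" form so that a client pulling either spelling
// is judged against the same allowlist entry. Assumption: the proxy project
// prefix has already been stripped by the caller.
func normalizeDockerHubRepo(repo string) string {
	repo = strings.Trim(repo, "/")
	if !strings.Contains(repo, "/") {
		return "library/" + repo
	}
	return repo
}

// Allowed reports whether a repository may be pulled through the proxy
// cache: the default is deny, and only a matching allowlist entry opens it.
func Allowed(allowlist []string, repo string) bool {
	name := strings.Split(normalizeDockerHubRepo(repo), "/")
	for _, raw := range allowlist {
		for _, p := range expandBraces(raw) {
			if matchSegments(strings.Split(p, "/"), name) {
				return true
			}
		}
	}
	return false
}

func main() {
	// Constructed sample policy and pull requests, not real Harbor data.
	allowlist := []string{"library/{alpine,centos,ubuntu}", "trusted-vendor/**"}
	for _, repo := range []string{"alpine", "library/nginx", "trusted-vendor/redis", "someone/alpine"} {
		fmt.Printf("%-22s allowed=%v\n", repo, Allowed(allowlist, repo))
	}
}
```

The normalization step matters for the use case in the thread: if the check compared the raw client-supplied name, `alpine` and `library/alpine` would be two different strings and a rule written for one could be bypassed by pulling the other, so both are folded to the canonical form before the allowlist is consulted.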

@nnsense

nnsense commented Aug 2, 2021

This feature would allow us to open the proxy to internet without worrying about people using our proxy to circumvent docker hub restrictions.

@github-actions

github-actions bot commented Jul 6, 2022

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

@github-actions github-actions bot added the Stale label Jul 6, 2022
@stonezdj stonezdj removed the Stale label Jul 7, 2022
@Danielkem

I also believe that this feature would be of great value. A common setup would be to host a Harbor instance on a cluster and set policies to only allow pulling images from that Harbor instance for security reasons. However, it would be quite redundant in many cases to also replicate all images that are maintained by some known and trusted publisher. In this case I would like to define a proxy cache to a single Docker Hub publisher/user/project/repository while not opening up the ability to pull images from any public repository that is hosted at Docker Hub.

Is anyone looking at or working on implementing this kind of feature?

@pafra

pafra commented Apr 20, 2023

We would need this feature too!

@blackaichi

This feature will be really useful!

@AYDEV-FR

+1
I need this feature too.
And this feature can be added with it:

#13242

@wy65701436 wy65701436 assigned stonezdj and unassigned xaleeks May 3, 2023
@hri-op

hri-op commented Jun 1, 2023

+1
We also need this feature; otherwise we use replication to replicate only the images we want to be present in our local Harbor registry.

@damon-xu01

+1
We need this feature as well.

@gauthiersiri

That would be amazing! +1

@caimez

caimez commented May 17, 2024

+1
Agreed!
Another idea to add here would be image scanning at the time of the proxy pull and potential refusal of the image if there are a certain number of low, medium, or high vulnerabilities.

@atchadwick

+1
Would love to see this feature, especially with the continued focus on security for images. Being able to whitelist a proxy cache is a nice balance of accessibility for users without the need to keep a huge replication rule list or pre-pull a bunch of unused images.

@lukeelten

+1 Would love to see this feature, especially with the continued focus on security for images. Being able to whitelist a proxy cache is a nice balance of accessibility for users without the need to keep a huge replication rule list or pre-pull a bunch of unused images.

I agree with @atchadwick. This feature would greatly increase our security measures against malicious images.

@gira0

gira0 commented Jul 16, 2024

+1

This would definitely be a helpful feature to ensure only trusted sources from Docker Hub would be available. Right now, every few weeks there's another article about the rise of malicious images on Docker Hub since it's the de facto default registry.

@paspflue

+1

@tuxpeople

I'd also desperately need this feature for a customer. With only a few projects in place yet, we already have a big mess of replication rules because of the company policies where security needs to allow which images to use. As the proxy cache can't be filtered, we have to replicate each and every image. The problem is that replication rules with stuff like library/{alpine,centos,ubuntu} also do not work, because without tag specification it would sync way too many images. So basically we end up doing a replication job for every single allowed image with the tags we need. It would be much easier if there were a whitelist for proxy caches.

Projects
None yet
Development

No branches or pull requests