hub: add namespace access control #23949
Open. craig-osterhout wants to merge 3 commits into docker:main from craig-osterhout:engdocs-3141
This file was deleted.
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,96 @@ | ||
| --- | ||
| description: Learn about settings in Docker Hub | ||
| keywords: Docker Hub, Hub, repositories, settings | ||
| title: Settings | ||
| weight: 25 | ||
| --- | ||
|
|
||
| You can configure the following settings in Docker Hub: | ||
|
|
||
| - [Default privacy](#default-privacy): Settings for all repositories within each | ||
| namespace | ||
| - [Notifications](#notifications): Personal settings for autobuild notifications | ||
|
|
||
| ## Default privacy | ||
|
|
||
| You can configure the following default privacy settings for all repositories in | ||
| a namespace: | ||
|
|
||
| - [Disable creation of public repos](#disable-creation-of-public-repos): Prevent | ||
| organization users from creating public repositories (organization namespaces | ||
| only) | ||
| - [Configure default repository privacy](#configure-default-repository-privacy): | ||
| Set the default repository privacy for new repositories | ||
|
|
||
|
|
||
| ### Disable creation of public repos | ||
|
|
||
| {{< summary-bar feature_name="Disable public repositories" >}} | ||
|
|
||
| Organization owners and editors can prevent creating public repositories within | ||
| organization namespaces. You cannot configure this setting for personal account | ||
| namespaces. | ||
|
|
||
| > [!NOTE] | ||
| > | ||
| > Enabling this feature does not affect existing public repositories. Any public | ||
| > repositories that already exist will remain public. To make them private, you | ||
| > must change their visibility in the individual repository settings. | ||
|
|
||
| To configure the disable public repositories setting for an organization | ||
| namespace: | ||
|
|
||
| 1. Sign in to [Docker Hub](https://hub.docker.com). | ||
| 2. Select **My Hub**. | ||
| 3. Select your organization from the top-left account drop-down. | ||
| 4. Select **Settings** > **Default privacy**. | ||
| 5. Toggle **Disable public repositories** to your desired setting. | ||
| 6. Select **Save**. | ||
|
|
||
| ### Configure default repository privacy | ||
|
|
||
| The default repository privacy setting is useful if you or others in your | ||
| organization use the `docker push` command to push to a repository that doesn't | ||
| exist yet. In this case, Docker Hub automatically creates the repository with | ||
| the default repository privacy for that namespace. | ||
|
|
||
| > [!NOTE] | ||
| > | ||
| > You cannot configure the default repository privacy setting when **Disable | ||
| > public repositories** is enabled. | ||
|
|
||
| To configure the default repository privacy for a namespace: | ||
|
|
||
| 1. Sign in to [Docker Hub](https://hub.docker.com). | ||
| 2. Select **My Hub**. | ||
| 3. Select your organization or account from the top-left account drop-down. | ||
| 4. Select **Settings** > **Default privacy**. | ||
| 5. In **Default repository privacy**, select the desired default privacy setting: | ||
|
|
||
| - **Public**: All new repositories appear in Docker Hub search results and can be | ||
| pulled by everyone. | ||
| - **Private**: All new repositories don't appear in Docker Hub search results | ||
| and are only accessible to you and collaborators. In addition, if the | ||
| repository is created in an organization's namespace, then the repository | ||
| is accessible to those with applicable roles or permissions. | ||
|
|
||
| 6. Select **Save**. | ||
|
|
||
| ## Notifications | ||
|
|
||
| You can send notifications to your email for all your repositories using | ||
| autobuilds. | ||
|
|
||
| ### Configure autobuild notifications | ||
|
|
||
| 1. Sign in to [Docker Hub](https://hub.docker.com). | ||
| 2. Select **My Hub**. | ||
| 3. Select your personal account from the top-left account drop-down. | ||
| 4. Select **Settings** > **Notifications**. | ||
| 5. Select the notifications to receive by email: | ||
|
|
||
| - **Off**: No notifications. | ||
| - **Only failures**: Only notifications about failed builds. | ||
| - **Everything**: Notifications for successful and failed builds. | ||
|
|
||
| 6. Select **Save**. | ||
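Review bot: In "Configure default repository privacy", the note that the setting can't be configured while **Disable public repositories** is enabled leaves out what privacy an auto-created repository gets in that state, which is exactly the `docker push` case the preceding paragraph describes; state the effective default explicitly in that note. The same section should also say whether changing the default touches existing repositories, the way the note under "Disable creation of public repos" does. Smaller point: the heading and anchor say "Disable creation of public repos" while the summary-bar feature name and the toggle in step 5 say "Disable public repositories"; pick one so readers can match the doc to the UI.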
53 changes: 53 additions & 0 deletions
content/manuals/enterprise/security/hardened-desktop/namespace-access.md
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,53 @@ | ||
| --- | ||
| title: Namespace access control | ||
| linkTitle: Namespace access | ||
| description: Control whether organization members can push content to their personal namespaces on Docker Hub | ||
| keywords: namespace access, docker hub, personal namespace, organization security, docker business | ||
| tags: [admin] | ||
| weight: 50 | ||
| --- | ||
|
|
||
| {{< summary-bar feature_name="Namespace access" >}} | ||
|
|
||
| Namespace access control lets organization administrators control whether all | ||
| members of an organization can push content to their personal namespaces on | ||
| Docker Hub. This helps organizations prevent developers from accidentally | ||
| publishing images outside of approved, governed locations. | ||
|
|
||
| When namespace access control is enabled, affected users can still view and pull images | ||
| from their personal namespaces and continue accessing all existing repositories | ||
| and content. However, they will no longer be able to create new repositories or | ||
| push new images to their personal namespace. | ||
|
|
||
| > [!IMPORTANT] | ||
| > | ||
| > For users in multiple organizations, if namespace access control is enabled in | ||
| > any organization, that user cannot push to their personal namespace and cannot | ||
| > create new repositories in their personal namespace. | ||
|
|
||
| ### Configure namespace access control | ||
|
|
||
| To configure namespace access control: | ||
|
|
||
| 1. Sign in to [Docker Home](https://app.docker.com/) and select your | ||
| organization from the top-left account drop-down. | ||
| 2. Select **Admin Console**, then **Namespace access**. | ||
| 3. Use the toggle to enable or disable namespace access control. | ||
| 4. Select **Save changes**. | ||
|
|
||
| Once namespace access control is enabled, organization members can still view their | ||
| personal namespace and existing repositories but they will not be able to create | ||
| any new repositories or push any new images to existing repositories. | ||
|
|
||
| ### Verify access restrictions | ||
|
|
||
| After configuring namespace access control, test that restrictions work correctly. | ||
|
|
||
| After any attempt to push to an existing repository in your personal namespace, | ||
| you'll see an error message like the following: | ||
|
|
||
| ```console | ||
| $ docker push <personal-namespace>/<image>:<tag> | ||
| Unavailable | ||
| authentication required - namespace access restriction from an organization you belong to prevents pushing new content in your personal namespace. Restriction applied by: <organizations>. Please contact your organization administrator | ||
| ``` |
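Review bot: "Verify access restrictions" tells the reader to "test that restrictions work correctly" but gives no action to perform, only the error seen "after any attempt to push to an existing repository"; turn it into an explicit step (sign in as an affected member, run the `docker push` shown, expect this error) and say what the member sees for a push that would create a new repository, since the page states that creation is blocked too. The paragraph after step 4 ("Once namespace access control is enabled, ...") repeats the second intro paragraph and can be dropped or merged into it. The page also goes straight to `###` headings with no `##` above them; use `##` for "Configure namespace access control" and "Verify access restrictions" unless the site layout requires otherwise.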