By default, users with read and write access to a repository can push the same tag
multiple times to that repository. For example, when user A pushes an image
to library/wordpress:latest
, there is no preventing user B from pushing
an image with the same name but a completely different functionality. This can
make it difficult to trace the image back to the build that generated it.
To prevent tags from being overwritten, you can configure a repository to be immutable. Once configured, MSR will not allow anyone else to push another image tag with the same name.
You can enable tag immutability on a repository when you create it, or at any time after.
If you’re not already logged in, navigate to https://<msr-url>
and
log in with your MKE credentials. To make tags immutable on a new
repository, do the following:
Select Repositories on the left navigation pane, and then click
on the name of the repository that you want to view. Note that you
will have to click on the repository name following the /
after
the specific namespace for your repository.
From now on, you will get an error message when trying to push a tag that already exists:
docker push dtr-example.com/library/wordpress:latest
unknown: tag=latest cannot be overwritten because
dtr-example.com/library/wordpress is an immutable repository