Image enforcement policies and monitoring

MSR users can automatically block clients from pulling images stored in the registry by configuring enforcement policies at either the global or repository level.

An enforcement policy is a collection of rules used to determine whether an image can be pulled.

A good example of a scenario in which an enforcement policy can be useful is when an administrator wants to house images in MSR but does not want those images to be pulled into environments by MSR users. In this case, the administrator would configure an enforcement policy either at the global or repository level based on a selected set of rules.

Enforcement policies: global versus repository

Global image enforcement policies differ from those set at the repository level in several important respects:

  • Whereas both administrators and regular users can set up enforcement policies at the repository level, only administrators can set up enforcement policies at the global level.

  • Only one global enforcement policy can be set for each MSR instance, whereas multiple enforcement policies can be configured at the repository level.

  • Global enforcement policies are evaluated prior to repository policies.

Enforcement policy rule attributes

Global and repository enforcement policies are generated from the same set of rule attributes.

Note

All rules must evaluate to true for an image to be pulled; if any rules evaluate to false, the image pull will be blocked.

Rule attributes

Name

Filters

Example

Tag name

  • equals

  • starts with

  • ends with

  • contains

  • one of

  • not one of

Tag name starts with dev

Component name

  • equals

  • starts with

  • ends with

  • contains

  • one of

  • not one of

Component name starts with b

All CVSS 3 vulnerabilities

  • greater than or equals

  • greater than

  • equals

  • not equals

  • less than or equals

  • less than

All CVSS 3 vulnerabilities less than 3

Critical CVSS 3 vulnerabilities

  • greater than or equals

  • greater than

  • equals

  • not equals

  • less than or equals

  • less than

Critical CVSS vulnerabilities less than 3

High CVSS 3 vulnerabilities

  • greater than or equals

  • greater than

  • equals

  • not equals

  • less than or equals

  • less than

High CVSS 3 vulnerabilities less than 3

Medium CVSS 3 vulnerabilities

  • greater than or equals

  • greater than

  • equals

  • not equals

  • less than or equals

  • less than

Medium CVSS 3 vulnerabilities less than 3

Low CVSS 3 vulnerabilities

  • greater than or equals

  • greater than

  • equals

  • not equals

  • less than or equals

  • less than

Low CVSS 3 vulnerabilities less than 3

License name

  • one of

  • not one of

License name one of msr

Last updated at

  • before

Last updated at before 12 hours

Configure enforcement policies

Use the MSR web UI to set up enforcement policies for both repository and global enforcement.

Set up repository enforcement

Important

Users can only create and edit enforcement policies for repositories within their user namespace.

To set up a repository enforcement policy using the MSR web UI:

  1. Log in to the MSR web UI.

  2. Navigate to Repositories.

  3. Select the repository to edit.

  4. Click the Enforcement tab and select New enforcement policy.

  5. Define the enforcement policy rules with the desired rule attributes and select Save. The screen displays the new enforcement policy in the Enforcement tab. By default, the new enforcement policy is toggled on.

Once a repository enforcement policy is set up and activated, pull requests that do not satisfy the policy rules will return the following error message:

Error response from daemon: unknown: pull access denied against
<namespace>/<reponame>: enforcement policies '<enforcement-policy-id>'
blocked request

Set up global enforcement

Important

Only administrators can set up global enforcement policies.

To set up a global enforcement policy using the MSR web UI:

  1. Log in to the MSR web UI.

  2. Navigate to System.

  3. Select the Enforcement tab.

  4. Confirm that the global enforcement function is Enabled.

  5. Define the enforcement policy rules with the desired criteria and select Save.

Once the global enforcement policy is set up, pull requests against any repository that do not satisfy the policy rules will return the following error message:

Error response from daemon: unknown: pull access denied against
<namespace>/<reponame>: global enforcement policy blocked request

Monitor enforcement activity

Administrators and users can monitor enforcement activity in the MSR web UI.

Important

Enforcement events can only be monitored at the repository level. It is not possible, for example, to view in one location all enforcement events that correspond to the global enforcement policy.

  1. Navigate to Repositories.

  2. Select the repository whose enforcement activity you want to review.

  3. Select the Activity tab to view enforcement event activity. For instance you can:

    • Identify which policy triggered an event using the enforcement ID displayed on the event entry. (The enforcement IDs for each enforcement policy are located on the Enforcement tab.)

    • Identify the user responsible for making a blocked pull request, and the time of the event.