Prevent tags from being overwritten

By default, users with read and write access to a repository can push the same tag multiple times to that repository. For example, when user A pushes an image to library/wordpress:latest, there is no preventing user B from pushing an image with the same name but a completely different functionality. This can make it difficult to trace the image back to the build that generated it.

To prevent tags from being overwritten, you can configure a repository to be immutable. Once configured, MSR will not allow anyone else to push another image tag with the same name.

Make tags immutable

You can enable tag immutability on a repository when you create it, or at any time after.

New Repository

If you’re not already logged in, navigate to https://<msr-url> and log in with your MKE credentials. To make tags immutable on a new repository, do the following:

  1. Follow the steps in Create a repository.

  2. Click Show advanced settings, and turn on Immutability. Note that tag limits are enabled when immutability is enabled for a repository.

Existing Repository

  1. Select Repositories in the left-side navigation panel.

  2. Click on the name of the repository that you want to view. Note that you will have to click on the repository name following the / after the specific namespace for your repository.

  3. Select the Settings tab, and turn on Immutability.

From now on, you will get an error message when trying to push a tag that already exists:

docker push msr-example.com/library/wordpress:latest
unknown: tag=latest cannot be overwritten because
msr-example.com/library/wordpress is an immutable repository

Where to go next