Prohibit podman users from using an insecure registry? #20951
Replies: 2 comments
It is going to be very difficult to stop a determined user from doing bad things with containers. Users could download random tarballs and set them up as container images, and this would not block them. If you are going to allow a user to download stuff and execute it, then the user can execute untrusted stuff. If you want to stop them from doing stuff by accident, then you can just configure the global registries.conf and policy.json files. Most users would not even know about home registries.conf and about the policy.json file.
Thanks for your thoughts @rhatdan - I concur that the Podman runtime configuration is not a source of security with respect to container technology. I am interested in the case of a user who may follow a tutorial (for example) and that may guide them into configuring an insecure repository. In this case, it seems like policy.json is the appropriate tool to achieve my aim.
Hi All,
I am a system administrator and have a requirement to prohibit users from using podman with insecure registries.
It seems to me that because a user can create their own $HOME/.config/containers/registries.conf, they can add an insecure registry. I have considered making that file empty and read-only and owned by root to achieve my aim and stop insecure registries...
... but I wonder if there is a more elegant way?
thanks in advance for your thoughts,
rich~
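An administrator who wants to spot the accidental case discussed in this thread can audit per-user configuration for registries marked insecure. The script below is an added example, not code from the discussion or from the Podman project; it assumes the v2 `[[registry]]` layout with `insecure = true`, the deprecated v1 `[registries.insecure]` table, and a per-user `registries.conf.d` drop-in directory, and the sample registry names are constructed.

```python
import sys
from pathlib import Path

try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:
    import tomli as tomllib  # backport package for older interpreters

def insecure_registries(conf_text):
    """Return the sorted registry locations that registries.conf text marks insecure."""
    conf = tomllib.loads(conf_text)
    found = set()
    # v2 format: [[registry]] tables, optionally with nested [[registry.mirror]] tables.
    for reg in conf.get("registry", []):
        for entry in [reg, *reg.get("mirror", [])]:
            if entry.get("insecure") is True:
                found.add(entry.get("location") or entry.get("prefix") or "<unnamed>")
    # v1 format (deprecated): [registries.insecure] with registries = [...]
    found.update(conf.get("registries", {}).get("insecure", {}).get("registries", []))
    return sorted(found)

def audit_home(home):
    """Scan one home directory's per-user config and drop-ins; return {path: [registries]}."""
    base = Path(home) / ".config" / "containers"
    files = [base / "registries.conf", *sorted((base / "registries.conf.d").glob("*.conf"))]
    report = {}
    for path in filter(Path.is_file, files):
        try:
            hits = insecure_registries(path.read_text())
        except (ValueError, OSError) as exc:  # TOML syntax, encoding or permission errors
            hits = [f"<could not parse: {exc}>"]
        if hits:
            report[str(path)] = hits
    return report

# Constructed sample, not taken from the discussion.
SAMPLE = """
[[registry]]
location = "registry.example.internal"

[[registry]]
location = "lab.example.test:5000"
insecure = true
"""

if __name__ == "__main__":
    print("sample:", insecure_registries(SAMPLE))
    for home in sys.argv[1:]:
        print(home, audit_home(home))
```

Run it as root with the home directories to check as arguments; files that fail to parse are reported rather than skipped so they can be reviewed by hand.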