Skip to content

hub: add namespace access control #23949

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
craig-osterhout wants to merge 1 commit into
base: main
Choose a base branch
from
+61 −0
Open

hub: add namespace access control #23949

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions content/manuals/enterprise/security/hardened-desktop/_index.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,10 @@ grid:
description: Restrict containers from accessing unwanted network resources.
icon: "vpn_lock"
link: /enterprise/security/hardened-desktop/air-gapped-containers/
- title: "Namespace access"
description: Control whether organization members can push content to their personal namespaces.
icon: "folder_managed"
link: /enterprise/security/hardened-desktop/namespace-access/
weight: 60
---

Expand All @@ -52,6 +56,7 @@ Hardened Docker Desktop features work independently and together to create a def
- Registry Access Management and Image Access Management prevent access to unauthorized container registries and image types, reducing exposure to malicious payloads
- Enhanced Container Isolation runs containers without root privileges inside a Linux user namespace, limiting the impact of malicious containers
- Air-gapped containers let you configure network restrictions for containers, preventing malicious containers from accessing your organization's internal network resources
- Namespace access controls whether organization members can push content to their personal Docker Hub namespaces, preventing accidental publication of images outside approved locations
- Settings Management locks down Docker Desktop configurations to enforce company policies and prevent developers from introducing insecure settings, whether intentionally or accidentally

## Next steps
Expand Down
53 changes: 53 additions & 0 deletions content/manuals/enterprise/security/hardened-desktop/namespace-access.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,53 @@
---
title: Namespace access control
linkTitle: Namespace access
description: Control whether organization members can push content to their personal namespaces on Docker Hub
keywords: namespace access, docker hub, personal namespace, organization security, docker business
tags: [admin]
weight: 50
---

{{< summary-bar feature_name="Namespace access" >}}

Namespace access control lets organization administrators control whether all
members of an organization can push content to their personal namespaces on
Docker Hub. This helps organizations prevent developers from accidentally
publishing images outside of approved, governed locations.

When namespace access control is enabled, affected users can still view and pull images
from their personal namespaces and continue accessing all existing repositories
and content. However, they will no longer be able to create new repositories or
push new images to their personal namespace.

> [!IMPORTANT]
>
> For users in multiple organizations, if namespace access control is enabled in
> any organization, that user cannot push to their personal namespace and cannot
> create new repositories in their personal namespace.

### Configure namespace access control

To configure namespace access control:

1. Sign in to [Docker Home](https://app.docker.com/) and select your
organization from the top-left account drop-down.
2. Select **Admin Console**, then **Namespace access**.
3. Use the toggle to enable or disable namespace access control.
4. Select **Save changes**.

Once namespace access control is enabled, organization members can still view their
personal namespace and existing repositories but they will not be able to create
any new repositories or push any new images to existing repositories.

### Verify access restrictions

After configuring namespace access control, test that restrictions work correctly.

After any attempt to push to an existing repository in your personal namespace,
you'll see an error message like the following:

```console
$ docker push some-repo/tagname
Unavailable
authentication required - namespace access restriction from an organization you belong to prevents pushing new content in your personal namespace. Restriction applied by: sheltontest19,hubregistrystagetest. Please contact your organization administrator
```
3 changes: 3 additions & 0 deletions data/summary.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -220,6 +220,9 @@ Hardened Docker Desktop:
for: Administrators
Image management:
availability: Beta
Namespace access:
subscription: [Business]
for: Administrators
Immutable tags:
availability: Beta
Import builds:
Expand Down