Docker push/pull
Use //image/IMAGE:TAG to reference an image residing within the current Org's private repository.

Permission | Description | Implies
---|---|---
create | Create new image. You can push if you can create images. | pull
delete | Delete | 
edit | Modify existing image (only tags can be changed) | view
manage | Full access | create, delete, edit, manage, pull, view
pull | Image can be pulled | view
view | Read-only access | 
The create permission must be bound to the principal pushing an image to an org's private registry.
Using the console UI, follow these steps to create a least privileged policy which will allow a principal to push an image:

1. Select Policies in the left menu bar and click the New button at the top of the form.
2. Select image from the Target Kind pulldown, and enable the Target All Images button. Click the Next button.
3. Click Add Binding.
4. Select the create permission. Select the principal type that will be pushing the image from the top menu bar and select the principal. Click Add.
5. Click Create.
The pull permission must be bound to a principal pulling an image from an org's private registry.
Unless the policy targets all images, a query must be created with the image names (without the tag) that the principal is allowed to pull. That query uses the property
parameter and can only be created/updated using cpln apply or the CLI’s cpln profile command.
Below is a sample JSON manifest used as input to cpln apply. Notice that the property parameter is equal to repository. Update the POLICY_NAME, ORG_NAME, USER_EMAIL, SERVICE_ACCOUNT_NAME, and IMAGE_NAME tokens. The principalLinks can refer to a user or service account.
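The sample manifest itself did not survive on this page, so the following is an added example reconstructed from the description above, not the page's own manifest. It is written in YAML with comments rather than JSON; only the property name repository, the principalLinks key, the permission names and the placeholder tokens come from the page, while the remaining field names, the principal link path format and the cpln apply -f flag are assumptions.

```yaml
# Added example: least-privilege pull policy for a single image.
# Field names other than property/repository/principalLinks are assumed.
kind: policy
name: POLICY_NAME
description: Allow one user and one service account to pull a single image
targetKind: image
# Restrict the policy to one repository instead of targeting all images.
# The query matches on the image name without a tag, so every tag of
# IMAGE_NAME becomes pullable; no other repository is exposed.
targetQuery:
  spec:
    match: all
    terms:
      - op: "="
        property: repository
        value: IMAGE_NAME
bindings:
  - permissions:
      - pull            # implies view; does not grant create, so no push
    principalLinks:
      - /org/ORG_NAME/user/USER_EMAIL
      - /org/ORG_NAME/serviceaccount/SERVICE_ACCOUNT_NAME
# Apply with: cpln apply -f pull-policy.yaml   (flag name assumed)
```

Keeping pull bindings and create bindings in separate policies makes it easy to review which principals can alter images versus merely consume them.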
docker pull ...