user2917346

Reputation: 381

How can I block someone from accidentally pushing to DockerHub?

Since DockerHub will implement rate limiting on Nov 1, we will probably tell our engineers to create (free) DockerHub accounts in order to each individually enjoy 200 pulls per 6 hours.

We are however worried that an engineer might somehow accidentally push an image to DockerHub from their laptop.

Is there some way we can block our developers from accidentally pushing to DockerHub?

Upvotes: 2

Views: 1463

Answers (1)

BMitch

Reputation: 264346

It's possible that Docker will provide the ability to create more limited tokens before the rate limits start, either pull only, or perhaps limited to specific repos. This functionality is needed for CI users that are running builds in the cloud and don't want to give out full access.

Otherwise, I'd recommend not tagging your local images with something that you can push to Docker Hub. The image reference includes the repository name, and can be prefixed with a registry. If they tag with a local registry name, or specify a repository they don't have access to push to, then they will not push anything to Hub.

Even better is if you create a local registry, which removes the need to pull from Hub. Mirror the base images your developers need, and have them perform their builds against your internal registry. There are lots of implementations of the Docker registry, including Docker's image or, for an enterprise environment, that's been extended in the Harbor Project, which is part of the CNCF. Both are free and open source.

As an extreme measure, you can block the ability to run any POST /v2/*/blobs/upload (see the registry API spec) on an HTTP proxy that all developers use to access the internet, but you may find this breaks many legitimate use cases.

Upvotes: 1
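
The answer's point that the registry is part of the image reference can be turned into a local guard around `docker push`. This is an added example, not part of the original answer: `guarded_push` and the internal registry hostname used with it are hypothetical, and the defaulting rule is simplified so that any reference without an explicit registry host is treated as Docker Hub.

```shell
#!/bin/sh
# Added example: decide from the image reference alone whether a push
# would go to Docker Hub, and refuse it if so.

# Hostnames that all address Docker Hub.
HUB_HOSTS="docker.io index.docker.io registry-1.docker.io"

# registry_of REF: print the registry host that REF resolves to.
registry_of() {
    case $1 in
        */*) first=${1%%/*} ;;               # text before the first "/"
        *)   echo docker.io; return 0 ;;     # "alpine:3.12" has no registry part
    esac
    # The first component names a registry only if it looks like a host:
    # it contains "." or ":" or is exactly "localhost". Anything else
    # ("library/alpine", "someuser/app") is a Docker Hub namespace.
    case $first in
        *.*|*:*|localhost) printf '%s\n' "$first" | tr 'A-Z' 'a-z' ;;
        *) echo docker.io ;;
    esac
}

# is_hub_ref REF: succeed if REF would be pushed to Docker Hub.
is_hub_ref() {
    host=$(registry_of "$1")
    for h in $HUB_HOSTS; do
        [ "$host" = "$h" ] && return 0
    done
    return 1
}

# guarded_push REF (hypothetical wrapper): push only to non-Hub registries.
guarded_push() {
    if is_hub_ref "$1"; then
        echo "refusing to push $1: resolves to Docker Hub" >&2
        return 1
    fi
    docker push "$1"
}
```

Sourced from a shell profile, `guarded_push registry.example.internal:5000/team/app:1.0` goes through, while `guarded_push someuser/app:latest` is refused before the Docker CLI is invoked.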
