Question about BaseImageRegistryWhitelist

Hi,

I’m trying to allow pulling the workspace base images only from our private registry.

I found this config:

     server:
       defaultBaseImageRegistryWhitelist:
       - some.registry.domain.com

I use it and it is in the envs of the server pod, but I can still pull images from Docker Hub :frowning:

Did anybody use this feature before?
Does anybody know what I did wrong?

(self-hosted 0.6.0 on aws eks)
Thanks

Hi @szell,

Allowing local registries does not prohibit downloads from Docker. If you want to download images directly from a specific server, you have to add the domain and the port of your registry. https://docs.docker.com/registry/deploying/

Hi,
Maybe I misunderstood something.

Is there a way to allow the image download only from my private registry?

I use this way:

    imageBuilder:
        name: image-builder
        dependsOn:
        - image-builder-configmap.yaml
        hostDindData: /var/gitpod/docker
        registry:
          name: docker.< DOMAIN >
          secretName: image-builder-registry-secret
          path: "secrets/registry-auth.json"
          baseImageName: ""
          workspaceImageName: ""
          bypassProxy: false
        registryCerts: []
        ....

    server:
        name: server
        replicas: 1
        dependsOn:
        - server-proxy-apikey-secret.yaml
        - auth-providers-configmap.yaml
        sessionSecret: VerySecretSessionSecret
        resources:
          cpu: 200m
        github:
          app: {}
        blockNewUsers: false
        runDbDeleter: true
        storage: {}
        wsman: []
        defaultBaseImageRegistryWhitelist:
        - docker.< DOMAIN >
        defaultFeatureFlags: []
        ....

Thanks

Hi @szell,
Gitpod cannot be configured to block access to registries. That has to be done by firewall settings in your environment.

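Since the thread concludes that the restriction has to be enforced outside Gitpod, it helps to know which registry each image reference actually resolves to before writing firewall rules. The following is an added example, not part of the original posts and not Gitpod code: it applies Docker's image naming rules, under which a short name such as `ubuntu:20.04` implies Docker Hub. The function names, the sample image references and the `team/...` repository paths are constructed for illustration.

```python
# Added example (not Gitpod code): resolve which registry an image reference
# points at, using Docker's naming rules, and flag refs outside an allowlist.

DEFAULT_REGISTRY = "docker.io"       # implied when a ref names no registry
LEGACY_DEFAULT = "index.docker.io"   # older spelling of the same registry


def registry_of(image_ref: str) -> str:
    """Return the registry host (including port, if given) for image_ref."""
    ref = image_ref.strip()
    if not ref:
        raise ValueError("empty image reference")
    first, slash, _ = ref.partition("/")
    # The first component is a registry only if it looks like a host: it has
    # a dot or a port, is "localhost", or contains uppercase characters
    # (repository names must be lowercase). Otherwise Docker Hub is implied.
    looks_like_host = (
        "." in first or ":" in first or first == "localhost"
        or first != first.lower()
    )
    if not (slash and looks_like_host):
        return DEFAULT_REGISTRY
    host = first.lower()
    return DEFAULT_REGISTRY if host == LEGACY_DEFAULT else host


def outside_allowlist(image_refs, allowed_registries):
    """Return (ref, registry) pairs whose registry is not allowed."""
    allowed = {r.lower() for r in allowed_registries}
    return [(ref, registry_of(ref)) for ref in image_refs
            if registry_of(ref) not in allowed]


# Constructed sample data; the allowlist entry is the hostname from the post.
ALLOWED = ["some.registry.domain.com"]
SAMPLE_REFS = [
    "some.registry.domain.com/team/workspace-base:1.4",
    "ubuntu:20.04",
    "gitpod/workspace-full:latest",
    "index.docker.io/library/alpine:3",
    "some.registry.domain.com:5000/team/workspace-base:1.4",
]

if __name__ == "__main__":
    for ref, registry in outside_allowlist(SAMPLE_REFS, ALLOWED):
        print(f"{registry:32} {ref}")
```

The last sample is flagged because the comparison is on host and port together, so an allowlist entry without the port does not cover a registry addressed with one.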