diff --git a/content/manuals/enterprise/security/hardened-desktop/_index.md b/content/manuals/enterprise/security/hardened-desktop/_index.md index 44bba2cac39..fb3123632bd 100644 --- a/content/manuals/enterprise/security/hardened-desktop/_index.md +++ b/content/manuals/enterprise/security/hardened-desktop/_index.md @@ -28,6 +28,10 @@ grid: description: Restrict containers from accessing unwanted network resources. icon: "vpn_lock" link: /enterprise/security/hardened-desktop/air-gapped-containers/ + - title: "Namespace access" + description: Control whether organization members can push content to their personal namespaces. + icon: "folder_managed" + link: /enterprise/security/hardened-desktop/namespace-access/ weight: 60 --- @@ -52,6 +56,7 @@ Hardened Docker Desktop features work independently and together to create a def - Registry Access Management and Image Access Management prevent access to unauthorized container registries and image types, reducing exposure to malicious payloads - Enhanced Container Isolation runs containers without root privileges inside a Linux user namespace, limiting the impact of malicious containers - Air-gapped containers let you configure network restrictions for containers, preventing malicious containers from accessing your organization's internal network resources +- Namespace access controls whether organization members can push content to their personal Docker Hub namespaces, preventing accidental publication of images outside approved locations - Settings Management locks down Docker Desktop configurations to enforce company policies and prevent developers from introducing insecure settings, whether intentionally or accidentally ## Next steps diff --git a/content/manuals/enterprise/security/hardened-desktop/namespace-access.md b/content/manuals/enterprise/security/hardened-desktop/namespace-access.md new file mode 100644 index 00000000000..7351fe3ff1b --- /dev/null 
+++ b/content/manuals/enterprise/security/hardened-desktop/namespace-access.md 
@@ -0,0 +1,53 @@ +--- +title: Namespace access control +linkTitle: Namespace access +description: Control whether organization members can push content to their personal namespaces on Docker Hub +keywords: namespace access, docker hub, personal namespace, organization security, docker business +tags: [admin] +weight: 50 +--- + +{{< summary-bar feature_name="Namespace access" >}} + +Namespace access control lets organization administrators control whether all +members of an organization can push content to their personal namespaces on +Docker Hub. This helps organizations prevent developers from accidentally +publishing images outside of approved, governed locations. + +When namespace access control is enabled, affected users can still view and pull images +from their personal namespaces and continue accessing all existing repositories +and content. However, they will no longer be able to create new repositories or +push new images to their personal namespace. + +> [!IMPORTANT] +> +> For users in multiple organizations, if namespace access control is enabled in +> any organization, that user cannot push to their personal namespace and cannot +> create new repositories in their personal namespace. + +### Configure namespace access control + +To configure namespace access control: + +1. Sign in to [Docker Home](https://app.docker.com/) and select your + organization from the top-left account drop-down. +2. Select **Admin Console**, then **Namespace access**. +3. Use the toggle to enable or disable namespace access control. +4. Select **Save changes**. + +Once namespace access control is enabled, organization members can still view their +personal namespace and existing repositories but they will not be able to create +any new repositories or push any new images to existing repositories. + +### Verify access restrictions + +After configuring namespace access control, test that restrictions work correctly. 
+ +After any attempt to push to an existing repository in your personal namespace, +you'll see an error message like the following: + +```console +$ docker push some-repo/tagname +Unavailable +authentication required - namespace access restriction from an organization you belong to prevents pushing new content in your personal namespace. Restriction applied by: sheltontest19,hubregistrystagetest. Please contact your organization administrator +``` \ No newline at end of file diff --git a/data/summary.yaml b/data/summary.yaml index 006bd9efafd..4822f97ae80 100644 --- a/data/summary.yaml +++ b/data/summary.yaml @@ -220,6 +220,9 @@ Hardened Docker Desktop: for: Administrators Image management: availability: Beta +Namespace access: + subscription: [Business] + for: Administrators Immutable tags: availability: Beta Import builds:
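Review bot: In the second `_index.md` hunk (`@@ -52,6 +56,7 @@`), the added bullet's claim of preventing publication "outside approved locations" is broader than the control the new page describes, which only blocks creating repositories in, and pushing to, a member's personal Docker Hub namespace. Suggest narrowing it to something like "preventing accidental publication of images to personal namespaces". The matching intro sentence in `namespace-access.md` ("outside of approved, governed locations") needs the same change.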
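Review bot: In `namespace-access.md`, the "Verify access restrictions" section tells the reader to test the restriction but gives no step to run, and its sample is not a usable check. `docker push some-repo/tagname` is not in the form of a personal-namespace reference, and the output line `Restriction applied by: sheltontest19,hubregistrystagetest` appears to carry real test organization names. Suggest adding an explicit step (sign in as an affected member and push a tag to a repository under that user's own namespace), writing the command with placeholders such as `<username>/<repository>:<tag>`, and replacing the organization names with `<organization-name>`. Separately, the paragraph after step 4 ("Once namespace access control is enabled, ...") repeats the second intro paragraph and can be dropped, and the file ends without a trailing newline.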
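Review bot: In the `data/summary.yaml` hunk, the new `Namespace access:` key is inserted between `Image management:` and `Immutable tags:`, which breaks the alphabetical order of the surrounding keys (`Hardened Docker Desktop`, `Image management`, `Immutable tags`, `Import builds`). Suggest moving the entry to its alphabetical position among the keys that start with N.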