Restrict docker image registries


#1

Given that most resource types come from the community and other open source contributors, quality is a concern. Also, since writing a new resource type is super easy for our genius developers, we have to consider how to prevent our production Concourse cluster from being messed up.

The solution that comes to mind is to add a restriction so that only authorized resource types can run on our production Concourse cluster. To achieve that, Concourse needs to be restricted to fetching Docker images only from certain registries, like our internal Docker hub.

I see that the current Concourse worker has two options for image fetching:

Docker Image Fetching:
      --garden-docker-registry=                          Docker registry API endpoint. (default: registry-1.docker.io)
                                                         [$CONCOURSE_GARDEN_DOCKER_REGISTRY]
      --garden-insecure-docker-registry=                 Docker registry to allow connecting to even if not secure. Can be specified
                                                         multiple times. [$CONCOURSE_GARDEN_INSECURE_DOCKER_REGISTRY]

But they don’t seem to block other registries. So I would request a new option like --garden-restrict-docker-registry: if this option is turned on, the worker will only fetch Docker images from the registries specified by --garden-docker-registry.
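
The allowlist idea from the post above, as an added example that is not part of the original post and not Concourse code: a check that could run over the image repositories named in a pipeline's resource types before the pipeline is set. It assumes Docker's usual reference rule for deciding which registry a repository string points at (ignoring the rare uppercase-first-component case); the function names and the host registry.internal.example are hypothetical.

```go
package main

import (
	"fmt"
	"strings"
)

// registryOf returns the registry host an image repository resolves to.
// Docker's rule: the first path component is a registry only if it contains
// '.' or ':' or is "localhost"; anything else is a Docker Hub repository.
func registryOf(repository string) string {
	first, _, found := strings.Cut(repository, "/")
	if !found || !(strings.ContainsAny(first, ".:") || first == "localhost") {
		return "docker.io"
	}
	return strings.ToLower(first)
}

// disallowed returns the repositories whose registry is not on the allowlist.
// Hosts are compared for exact equality, so a look-alike host that merely
// starts with an allowed name is still rejected.
func disallowed(repositories, allowlist []string) []string {
	allowed := make(map[string]bool, len(allowlist))
	for _, r := range allowlist {
		allowed[strings.ToLower(r)] = true
	}
	var bad []string
	for _, repo := range repositories {
		if !allowed[registryOf(repo)] {
			bad = append(bad, repo)
		}
	}
	return bad
}

func main() {
	// Constructed sample values; registry.internal.example is a placeholder.
	repos := []string{
		"registry.internal.example/ci/git-resource",
		"concourse/git-resource", // no registry host, so Docker Hub
		"registry.internal.example.other.test/ci/git-resource",
		"localhost:5000/ci/tool",
	}
	fmt.Println(disallowed(repos, []string{"registry.internal.example"}))
}
```

A check like this only covers pipelines that pass through it; it does not stop a worker from pulling from other registries, which is what the requested option would do.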