Local Docker Registry Authentication and Authorization

Authentication is enabled for the local Docker registry. When logging in, users are authenticated using their platform keystone credentials.

For example:

$ docker login registry.local:9001 -u <keystoneUserName> -p <keystonePassword>

An authorized administrator (‘admin’ and ‘sysinv’) can perform any Docker action. Regular users can only interact with their own repositories (i.e. registry.local:9001/<keystoneUserName>/). Any authenticated user can pull from the following list of public images:

  • registry.local:9001:/public/*

  • registry.local:9001:/k8s.gcr.io/pause

  • registry.local:9001:/quay.io/jetstack/cert-manager-acmesolver

The mtce user can only pull public images, but cannot push any images.

For example, only admin and testuser accounts can push to or pull from registry.local:9001/testuser/busybox:latest

Username and Docker compatibility

Repository names in Docker registry paths must be lower case. For this reason, a keystone user must exist that consists of all lower case characters. For example, the user testuser is correct in the following URL, while testUser would result in an error:



Use of the auto-generated self-signed certificate for the registry certificate is not recommended. If you must do so, then from the central cloud/systemController, access to the local registry can only be done using registry.local:9001. registry.central:9001 will be inaccessible. Installing a CA-signed certificate for the registry and the certificate of the CA as an ‘ssl_ca’ certificate will remove this restriction.

For more information about Docker commands, see https://docs.docker.com/engine/reference/commandline/docker/.