add cli example to enable/disable quarantine #715

Merged 1 commit on Oct 6, 2023
10 changes: 8 additions & 2 deletions docs/preview/quarantine/readme.md
Expand Up @@ -41,13 +41,19 @@ Before Quarantine is configured on the registry, both "quarantine" and "push" we

## Configure Quarantine on a registry

Once a user decides to enable Quarantine on a registry, he can use our [management Policy API](https://docs.microsoft.com/en-us/rest/api/containerregistry/registries/update#policies).
Once a user decides to enable or disable Quarantine on a registry, they can use our [management Policy API](https://docs.microsoft.com/en-us/rest/api/containerregistry/registries/update#policies). Here is the cli example.

```
id=$(az acr show --name myregistry --query id -o tsv)
az resource update --ids $id --set properties.policies.quarantinePolicy.status=enabled
az resource update --ids $id --set properties.policies.quarantinePolicy.status=disabled
```

Once Quarantine is enabled on a registry, for newly pushed image, it will enter quarantine state automatically and only a user with quarantine reader permissions can see the image. Meanwhile, the same "quarantine" webhook will be raised, but no "push" notification anymore. This gives the scanner a chance to scan the image first before making it available to other users.

Once scanner finishes scanning the image, it can mark the image as good, which will make this image available to all other users. Meanwhile a "push" notification is generated so that other users are notified.

>Please note, once the Quarantine is enabled, any images without being marked as good will be blocked for pull. This may impact user's ongoing workflow. We would recommend that before enable Qurantine mode on the registry, the scanner should finish scanning all the existing images (this can be done by using catalog API and manifest list API). User can then look at the failed images and decide if he should enable the Quarantine mode.
>Please note, once the Quarantine is enabled, any images without being marked as good will be blocked for pull. This may impact user's ongoing workflow. We would recommend that before enable Qurantine mode on the registry, the scanner should finish scanning all the existing images (this can be done by using catalog API and manifest list API). User can then look at the failed images and decide if they should enable the Quarantine mode.

The detailed flow is described below.
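
Review bot: In the added code block, the `status=enabled` and `status=disabled` commands sit on consecutive lines with nothing between them, so a reader who pastes the block as a whole enables quarantine and immediately disables it again, leaving the registry without quarantine. Split them into two labelled snippets, or put a comment line above each one saying which command enables and which disables. Because the note further down says that enabling blocks pulls of any image not yet marked as good, it would also help to point to that note right before the enable command. Smaller points: quote the variable as `--ids "$id"`, write "CLI" rather than "cli" in "Here is the cli example.", and the rewritten note line still reads "before enable Qurantine mode", which could become "before enabling Quarantine mode" while the line is being touched.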
