Image Tag Immutability

Scenarios

To ensure end-to-end trust and prevent existing images from being overwritten if a set of access credentials gets leaked, you can configure an immutability policy for images in a namespace. If you attempt to push an image with a tag that is already in the namespace, an error will be returned.

Constraints

Only one immutability policy can be created for each namespace.

Creating an Image Tag Immutability Policy

Log in to the SWR console. In the upper left corner, switch to your region. Click your repository name.
In the navigation pane, choose O&M Center > Image Tag Immutability.
Click Create Immutability Policy in the upper right corner.

In the displayed dialog box, configure the parameters.

**Table 1** Image tag immutability policies
Parameter		Description
Namespace		Namespace where an immutability policy will be created. It can be a public or private namespace.
Application Scope	Image	Select one or more images in the namespace.
Application Scope	Tag	Specify the image tags that the policy will be applied to. If this parameter is omitted or set to **, the policy will be applied to all image tags.

For Image, you can select one or more images from the list.
Alternatively, you can enter a regular expression.
The regular expression can be nginx-* or {repo1, repo2}.
- *: matches any field that does not contain the path separator /.
- **: matches any field that contains the path separator /.
- ?: matches any single character except /.
- {option 1, option 2, ...}: matches any of the options.

Click OK.

Managing Image Tag Immutability Policies

You can manage your immutability policies as follows.

Enable or disable an immutability policy. indicates a policy is enabled and indicates the policy is disabled. A new policy is enabled by default.
Modify an immutability policy. All parameters except Namespace can be modified.
Delete an immutability policy.