CWCOW: Enforce registry entries on containers by MahatiC · Pull Request #2611 · microsoft/hcsshim

MahatiC · 2026-02-27T15:56:54Z

This PR implements registry enforcement to control what registry entries are allowed to be set inside a container.

There is a default_registry_values.go which stores the default registry entries that are necessary. As of now, it has one entry which is needed for ServerCore images as noted here
Adds a test annotation for internal testing of registry entries on containers
A new enforcement point is added to validate this and corresponding framework changes are also added
Unit tests for the new enforcement point

This change has been tested with this rego policy and this container config

Signed-off-by: Mahati Chamarthy <mahati.chamarthy@gmail.com>

MahatiC force-pushed the registry-enforcement branch 2 times, most recently from 81abd32 to 8504977 Compare February 27, 2026 16:55

CWCOW: Enforce registry entries on containers

fa1974e

Signed-off-by: Mahati Chamarthy <mahati.chamarthy@gmail.com>

MahatiC force-pushed the registry-enforcement branch from 8504977 to fa1974e Compare March 2, 2026 17:43

MahatiC marked this pull request as ready for review March 2, 2026 17:46

MahatiC requested a review from a team as a code owner March 2, 2026 17:46

msscotb assigned anmaxvl and helsaawy Mar 4, 2026

Provide feedback