Tags: gitlab, gitlab-ci, gitlab-ci-runner, gitlab-omnibus

Restrict access to gitlab container registry


I want to be able to let the users push a Dockerfile along with code to GitLab and let GitLab build the image, which can then be pulled by authenticated users of the project.

The problem is, I want to make sure the users don't push Docker images directly to the GitLab container registry, so that we can review the Dockerfiles and control them, and make sure the Dockerfiles are using only the Red Hat registry to pull stuff from.

How can we prevent users from pushing their own built image to GitLab? In other words, how can we make sure that the Docker image in the container registry of a GitLab project is the one built by GitLab from the Dockerfile and is not one pushed by the project users directly from somewhere else?


Solution

  • Deploy tokens are probably the best way forward. You can grant these on a per-repository or a group basis and specify granular access such as, for your use case, read_registry, as well as an optional expiry date.

    Another option is to use personal access tokens. These are set globally for a user and you can specify as many as you like (e.g. one for each client), set an expiry date, and restrict access to read_registry.
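A worked pipeline for the flow the question describes, added here as an example; it is not from the question, the answer, or GitLab's own documentation. It has two jobs: a lint job that fails the pipeline when any FROM line in the Dockerfile pulls from outside the allowed registry, and a build job that builds from that Dockerfile and pushes to the project's own registry using the CI job token credentials GitLab injects (CI_REGISTRY_USER, CI_REGISTRY_PASSWORD, CI_REGISTRY, CI_REGISTRY_IMAGE are real predefined variables). The registry host in ALLOWED_REGISTRY, the image versions, the tag scheme, and a Dockerfile at the repository root are assumptions.

```yaml
# .gitlab-ci.yml (added example; registry host, image versions and tag scheme are assumptions)
stages:
  - lint
  - build

variables:
  # Assumption: the "Red Hat only registry" from the question is registry.access.redhat.com
  ALLOWED_REGISTRY: "registry.access.redhat.com"
  # CI_REGISTRY_IMAGE is the project's own registry path, supplied by GitLab
  IMAGE_TAG: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA"

# Reject a Dockerfile whose FROM lines pull from anywhere but the allowed registry.
check_base_images:
  stage: lint
  image: alpine:3.19
  script:
    - |
      grep -iE '^[[:space:]]*FROM[[:space:]]' Dockerfile > from_lines.txt
      fail=0
      stage_names=""
      while IFS= read -r line; do
        set -- $line                  # $1=FROM, then optional --platform=..., then the image ref
        shift
        case "$1" in --platform=*) shift ;; esac
        ref="$1"
        # "FROM <earlier-stage>" in a multi-stage build references this Dockerfile, not a registry
        case " $stage_names " in *" $ref "*) continue ;; esac
        case "$ref" in
          "$ALLOWED_REGISTRY"/*) echo "ok: $ref" ;;
          *) echo "DISALLOWED base image: $ref"; fail=1 ;;
        esac
        # remember "AS <name>" so later stages may build on this one
        if [ "$2" = "AS" ] || [ "$2" = "as" ]; then stage_names="$stage_names $3"; fi
      done < from_lines.txt
      exit $fail
  rules:
    - exists:
        - Dockerfile

# Build from the reviewed Dockerfile and push with the job token, never with a user's credentials.
build_image:
  stage: build
  image: docker:27
  services:
    - docker:27-dind
  needs: ["check_base_images"]
  script:
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    - docker build --pull -t "$IMAGE_TAG" .
    - docker push "$IMAGE_TAG"
  rules:
    - exists:
        - Dockerfile
```

Consumers then pull with a deploy token scoped to read_registry (docker login with the deploy token's username and token value against $CI_REGISTRY), which can download images but not upload them. Note that a read_registry token limits only the token holder; the Dockerfile review in merge requests and the lint job above are what keep the base images on the allowed registry.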