Remember the registry deals with the actual data, and delegates auth and other stuff to an index. The docker-registry has a dummy implementation of an index that has no notion of authentication or authorization, so anything you push to your private registry is really public if you don't secure it with some other method.
For me, I wanted to have a real private registry with access control limited to my team. It turned out to not be too difficult to make our own registry+index implementation that is private by default. It has a basic web interface too. I've open sourced development of it https://github.com/jimrhoskins/stevedore . It's still really rough, especially on the web interface stuff, but for push/pull operations with required authentication, it does the job now.