hub: add namespace access control

Signed-off-by: Craig Osterhout <craig.osterhout@docker.com>

Author: craig-osterhout

content/manuals/docker-hub/_index.md

@@ -20,6 +20,10 @@ grid:
     or the Docker community.
   icon: inbox
   link: /docker-hub/repos
+- title: Settings
+  description: Learn about settings in Docker Hub.
+  icon: settings
+  link: /docker-hub/settings
 - title: Organizations
   description: Learn about organization administration.
   icon: store

content/manuals/docker-hub/release-notes.md

@@ -13,6 +13,14 @@ tags: [Release notes]
 Here you can learn about the latest changes, new features, bug fixes, and
 known issues for each Docker Hub release.
 
+## 2026-02-05
+
+### New
+
+- Administrators can now prevent creating public repositories within
+  organization namespaces using the [Disable public
+  repositories](./settings.md#configure-disable-public-repositories) setting.
+
 ## 2025-02-18
 
 ### New

content/manuals/docker-hub/repos/_index.md

@@ -53,7 +53,4 @@ In this section, learn how to:
      accessing analytics, and enabling vulnerability scanning.
 
 - [Archive](./archive.md) an outdated or unsupported repository.
-- [Delete](./delete.md) a repository.
-- [Manage personal settings](./settings.md): For your account, you can set personal
-  settings for repositories, including default repository privacy and autobuild
-  notifications.
+- [Delete](./delete.md) a repository.

content/manuals/docker-hub/repos/settings.md

@@ -0,0 +1,90 @@
+---
+description: Learn about settings in Docker Hub
+keywords: Docker Hub, Hub, repositories, settings
+title: Settings
+weight: 25
+---
+
+You can configure the following settings in Docker Hub:
+
+- [Default privacy](#default-privacy): Settings for all repositories within each
+  namespace
+- [Notifications](#notifications): Personal settings for autobuild notifications
+
+## Default privacy
+
+You can configure the following default privacy settings for all repositories in
+a namespace:
+
+- [Configure disable public repositories](#configure-disable-public-repositories): Prevent
+  organization users from creating public repositories (organization namespaces
+  only)
+- [Configure default repository privacy](#configure-default-repository-privacy):
+  Set the default repository privacy for new repositories
+
+
+### Configure disable public repositories
+
+{{< summary-bar feature_name="Disable public repositories" >}}
+
+Organization owners and editors can prevent creating public repositories within
+organization namespaces. You cannot configure this setting for personal account
+namespaces.
+
+To configure the disable public repositories setting for an organization
+namespace:
+
+1. Sign in to [Docker Hub](https://hub.docker.com).
+2. Select **My Hub**.
+3. Select your organization from the top-left account drop-down.
+4. Select **Settings** > **Default privacy**.
+5. Toggle **Disable public repositories** to your desired setting.
+6. Select **Save**.
+
+### Configure default repository privacy
+
+The default repository privacy setting is useful if you or others in your
+organization use the `docker push` command to push to a repository that doesn't
+exist yet. In this case, Docker Hub automatically creates the repository with
+the default repository privacy for that namespace.
+
+> [!NOTE]
+>
+> You cannot configure the default repository privacy setting when **Disable
+> public repositories** is enabled.
+
+To configure the default repository privacy for a namespace:
+
+1. Sign in to [Docker Hub](https://hub.docker.com).
+2. Select **My Hub**.
+3. Select your organization or account from the top-left account drop-down.
+4. Select **Settings** > **Default privacy**.
+5. In **Default repository privacy**, select the desired default privacy setting:
+
+   - **Public**: All new repositories appear in Docker Hub search results and can be
+     pulled by everyone.
+   - **Private**: All new repositories don't appear in Docker Hub search results
+     and are only accessible to you and collaborators. In addition, if the
+     repository is created in an organization's namespace, then the repository
+     is accessible to those with applicable roles or permissions.
+
+6. Select **Save**.
+
+## Notifications
+
+You can send notifications to your email for all your repositories using
+autobuilds.
+
+### Configure autobuild notifications
+
+1. Sign in to [Docker Hub](https://hub.docker.com).
+2. Select **My Hub**.
+3. Select your personal account from the top-left account drop-down.
+4. Select **Settings** > **Notifications**.
+5. Select the notifications to receive by email:
+
+   - **Off**: No notifications.
+   - **Only failures**: Only notifications about failed builds.
+   - **Everything**: Notifications for successful and failed builds.
+
+6. Select **Save**.

content/manuals/docker-hub/settings.md

@@ -28,6 +28,10 @@ grid:
     description: Restrict containers from accessing unwanted network resources.
     icon: "vpn_lock"
     link: /enterprise/security/hardened-desktop/air-gapped-containers/
+  - title: "Namespace access"
+    description: Control whether organization members can push content to their personal namespaces.
+    icon: "folder_managed"
+    link: /enterprise/security/hardened-desktop/namespace-access/
 weight: 60
 ---
 
@@ -52,6 +56,7 @@ Hardened Docker Desktop features work independently and together to create a def
 - Registry Access Management and Image Access Management prevent access to unauthorized container registries and image types, reducing exposure to malicious payloads
 - Enhanced Container Isolation runs containers without root privileges inside a Linux user namespace, limiting the impact of malicious containers
 - Air-gapped containers let you configure network restrictions for containers, preventing malicious containers from accessing your organization's internal network resources
+- Namespace access controls whether organization members can push content to their personal Docker Hub namespaces, preventing accidental publication of images outside approved locations
 - Settings Management locks down Docker Desktop configurations to enforce company policies and prevent developers from introducing insecure settings, whether intentionally or accidentally
 
 ## Next steps

content/manuals/enterprise/security/hardened-desktop/_index.md

@@ -0,0 +1,53 @@
+---
+title: Namespace access control
+linkTitle: Namespace access
+description: Control whether organization members can push content to their personal namespaces on Docker Hub
+keywords: namespace access, docker hub, personal namespace, organization security, docker business
+tags: [admin]
+weight: 50
+---
+
+{{< summary-bar feature_name="Namespace access" >}}
+
+Namespace access control lets organization administrators control whether all
+members of an organization can push content to their personal namespaces on
+Docker Hub. This helps organizations prevent developers from accidentally
+publishing images outside of approved, governed locations.
+
+When namespace access control is enabled, affected users can still view and pull images
+from their personal namespaces and continue accessing all existing repositories
+and content. However, they will no longer be able to create new repositories or
+push new images to their personal namespace.
+
+> [!IMPORTANT]
+>
+> For users in multiple organizations, if namespace access control is enabled in
+> any organization, that user cannot push to their personal namespace and cannot
+> create new repositories in their personal namespace.
+
+### Configure namespace access control
+
+To configure namespace access control:
+
+1. Sign in to [Docker Home](https://app.docker.com/) and select your
+   organization from the top-left account drop-down.
+2. Select **Admin Console**, then **Namespace access**.
+3. Use the toggle to enable or disable namespace access control.
+4. Select **Save changes**.
+
+Once namespace access control is enabled, organization members can still view their
+personal namespace and existing repositories but they will not be able to create
+any new repositories or push any new images to existing repositories.
+
+### Verify access restrictions
+
+After configuring namespace access control, test that restrictions work correctly.
+
+After any attempt to push to an existing repository in your personal namespace,
+you'll see an error message like the following:
+
+```console
+$ docker push <personal-namespace>/<image>:<tag>
+Unavailable
+authentication required - namespace access restriction from an organization you belong to prevents pushing new content in your personal namespace. Restriction applied by: <organizations>. Please contact your organization administrator
+```

content/manuals/enterprise/security/hardened-desktop/namespace-access.md

@@ -39,6 +39,7 @@ These permissions apply organization-wide, including all repositories in your or
 | Edit and delete publisher repository logos            | ❌     | ✅     | ✅    |
 | Observe content engagement as a publisher             | ❌     | ❌     | ✅    |
 | Create public and private repositories                | ❌     | ✅     | ✅    |
+| Disable public repositories                           | ❌     | ✅     | ✅    |
 | Edit and delete repositories                          | ❌     | ✅     | ✅    |
 | Manage tags                                           | ❌     | ✅     | ✅    |
 | View repository activity                              | ❌     | ❌     | ✅    |
@@ -68,6 +69,7 @@ beyond their organization role:
 | Export and reporting                                              | ❌     | ❌     | ✅    |
 | Image Access Management                                           | ❌     | ❌     | ✅    |
 | Registry Access Management                                        | ❌     | ❌     | ✅    |
+| Namespace access control                                          | ❌     | ❌     | ✅    |
 | Set up Single Sign-On (SSO) and SCIM                              | ❌     | ❌     | ✅ \* |
 | Require Docker Desktop sign-in                                    | ❌     | ❌     | ✅ \* |
 | Manage billing information (for example, billing address)         | ❌     | ❌     | ✅    |

content/manuals/enterprise/security/roles-and-permissions/core-roles.md

@@ -12,6 +12,12 @@ tags: [Release notes, admin]
 
 This page provides details on new features, enhancements, known issues, and bug fixes across Docker Home, the Admin Console, billing, security, and subscription functionalities.
 
+## 2026-02-05
+
+### New
+
+- Administrators can now control whether organization members can push content to their personal namespaces on Docker Hub with [namespace access control](/manuals/enterprise/security/hardened-desktop/namespace-access.md).
+
 ## 2026-01-27
 
 ### New

content/manuals/platform-release-notes.md

@@ -218,8 +218,14 @@ GitHub Actions cache:
 Hardened Docker Desktop:
   subscription: [Business]
   for: Administrators
+Disable public repositories:
+  subscription: [Team, Business]
+  for: Administrators
 Image management:
   availability: Beta
+Namespace access:
+  subscription: [Business]
+  for: Administrators
 Immutable tags:
   availability: Beta
 Import builds: