hub: add namespace access control (#23949)

<!--Delete sections as needed -->

## Description

Added namespace access control feature:

-
https://deploy-preview-23949--docsdocker.netlify.app/enterprise/security/hardened-desktop/namespace-access/
-
https://deploy-preview-23949--docsdocker.netlify.app/enterprise/security/hardened-desktop/
-
https://deploy-preview-23949--docsdocker.netlify.app/enterprise/security/roles-and-permissions/core-roles/
-
https://deploy-preview-23949--docsdocker.netlify.app/platform-release-notes/

Added public repo creation feature:

-
https://deploy-preview-23949--docsdocker.netlify.app/docker-hub/settings/
-
https://deploy-preview-23949--docsdocker.netlify.app/enterprise/security/roles-and-permissions/core-roles/
-
https://deploy-preview-23949--docsdocker.netlify.app/docker-hub/release-notes/

## Related issues or tickets

ENGDOCS-3141

## Reviews

<!-- Notes for reviewers here -->
<!-- List applicable reviews (optionally @tag reviewers) -->

- [ ] Editorial review
- [ ] Product review

---------

Signed-off-by: Craig Osterhout <craig.osterhout@docker.com>

content/manuals/docker-hub/_index.md

@@ -20,6 +20,10 @@ grid:
     or the Docker community.
   icon: inbox
   link: /docker-hub/repos
+- title: Settings
+  description: Learn about settings in Docker Hub.
+  icon: settings
+  link: /docker-hub/settings
 - title: Organizations
   description: Learn about organization administration.
   icon: store

content/manuals/docker-hub/release-notes.md

@@ -13,6 +13,14 @@ tags: [Release notes]
 Here you can learn about the latest changes, new features, bug fixes, and
 known issues for each Docker Hub release.
 
+## 2026-02-13
+
+### New
+
+- Administrators can now prevent creating public repositories within
+  organization namespaces using the [Disable public
+  repositories](./settings.md#disable-creation-of-public-repos) setting.
+
 ## 2025-02-18
 
 ### New

content/manuals/docker-hub/repos/_index.md

@@ -54,6 +54,3 @@ In this section, learn how to:
 
 - [Archive](./archive.md) an outdated or unsupported repository.
 - [Delete](./delete.md) a repository.
-- [Manage personal settings](./settings.md): For your account, you can set personal
-  settings for repositories, including default repository privacy and autobuild
-  notifications.

content/manuals/docker-hub/repos/settings.md

@@ -1,52 +0,0 @@
----
-description: Learn about personal repository settings in Docker Hub
-keywords: Docker Hub, Hub, repositories, settings
-title: Personal settings for repositories
-linkTitle: Personal settings
-toc_max: 3
-weight: 50
----
-
-For your account, you can set personal settings for repositories, including
-default repository privacy and autobuild notifications.
-
-## Default repository privacy
-
-When creating a new repository in Docker Hub, you are able to specify the
-repository visibility. You can also change the visibility at any time in Docker Hub.
-
-The default setting is useful if you use the `docker push` command to push to a
-repository that doesn't exist yet. In this case, Docker Hub automatically
-creates the repository with your default repository privacy.
-
-### Configure default repository privacy
-
-1. Sign in to [Docker Hub](https://hub.docker.com).
-2. Select **My Hub** > **Settings** > **Default privacy**.
-3. Select the **Default privacy** for any new repository created.
-
-   - **Public**: All new repositories appear in Docker Hub search results and can be
-     pulled by everyone.
-   - **Private**: All new repositories don't appear in Docker Hub search results
-     and are only accessible to you and collaborators. In addition, if the
-     repository is created in an organization's namespace, then the repository
-     is accessible to those with applicable roles or permissions.
-
-4. Select **Save**.
-
-## Autobuild notifications
-
-You can send notifications to your email for all your repositories using
-autobuilds.
-
-### Configure autobuild notifications
-
-1. Sign in to [Docker Hub](https://hub.docker.com).
-2. Select **My Hub** > **Repositories** > **Settings** > **Notifications**.
-3. Select the notifications to receive by email.
-
-   - **Off**: No notifications.
-   - **Only failures**: Only notifications about failed builds.
-   - **Everything**: Notifications for successful and failed builds.
-
-4. Select **Save**.

content/manuals/docker-hub/settings.md

@@ -0,0 +1,96 @@
+---
+description: Learn about settings in Docker Hub
+keywords: Docker Hub, Hub, repositories, settings
+title: Settings
+weight: 25
+---
+
+You can configure the following settings in Docker Hub:
+
+- [Default privacy](#default-privacy): Settings for all repositories within each
+  namespace
+- [Notifications](#notifications): Personal settings for autobuild notifications
+
+## Default privacy
+
+You can configure the following default privacy settings for all repositories in
+a namespace:
+
+- [Disable creation of public repos](#disable-creation-of-public-repos): Prevent
+  organization users from creating public repositories (organization namespaces
+  only)
+- [Configure default repository privacy](#configure-default-repository-privacy):
+  Set the default repository privacy for new repositories
+
+
+### Disable creation of public repos
+
+{{< summary-bar feature_name="Disable public repositories" >}}
+
+Organization owners and editors can prevent creating public repositories within
+organization namespaces. You cannot configure this setting for personal account
+namespaces.
+
+> [!NOTE]
+>
+> Enabling this feature does not affect existing public repositories. Any public
+> repositories that already exist will remain public. To make them private, you
+> must change their visibility in the individual repository settings.
+
+To configure the disable public repositories setting for an organization
+namespace:
+
+1. Sign in to [Docker Hub](https://hub.docker.com).
+2. Select **My Hub**.
+3. Select your organization from the top-left account drop-down.
+4. Select **Settings** > **Default privacy**.
+5. Toggle **Disable public repositories** to your desired setting.
+6. Select **Save**.
+
+### Configure default repository privacy
+
+Use the default repository privacy setting to automatically set privacy for
+repositories created via `docker push` commands when the repository doesn't
+exist yet. In this case, Docker Hub automatically creates the repository with
+the default repository privacy for that namespace.
+
+> [!NOTE]
+>
+> You cannot configure the default repository privacy setting when **Disable
+> public repositories** is enabled.
+
+To configure the default repository privacy for a namespace:
+
+1. Sign in to [Docker Hub](https://hub.docker.com).
+2. Select **My Hub**.
+3. Select your organization or account from the top-left account drop-down.
+4. Select **Settings** > **Default privacy**.
+5. In **Default repository privacy**, select the desired default privacy setting:
+
+   - **Public**: All new repositories appear in Docker Hub search results and can be
+     pulled by everyone.
+   - **Private**: All new repositories don't appear in Docker Hub search results
+     and are only accessible to you and collaborators. In addition, if the
+     repository is created in an organization's namespace, then the repository
+     is accessible to those with applicable roles or permissions.
+
+6. Select **Save**.
+
+## Notifications
+
+You can send notifications to your email for all your repositories using
+autobuilds.
+
+### Configure autobuild notifications
+
+1. Sign in to [Docker Hub](https://hub.docker.com).
+2. Select **My Hub**.
+3. Select your personal account from the top-left account drop-down.
+4. Select **Settings** > **Notifications**.
+5. Select the notifications to receive by email:
+
+   - **Off**: No notifications.
+   - **Only failures**: Only notifications about failed builds.
+   - **Everything**: Notifications for successful and failed builds.
+
+6. Select **Save**.

content/manuals/enterprise/security/hardened-desktop/_index.md

@@ -28,6 +28,10 @@ grid:
     description: Restrict containers from accessing unwanted network resources.
     icon: "vpn_lock"
     link: /enterprise/security/hardened-desktop/air-gapped-containers/
+  - title: "Namespace access"
+    description: Control whether organization members can push content to their personal namespaces.
+    icon: "folder_managed"
+    link: /enterprise/security/hardened-desktop/namespace-access/
 weight: 60
 ---
 
@@ -52,6 +56,7 @@ Hardened Docker Desktop features work independently and together to create a def
 - Registry Access Management and Image Access Management prevent access to unauthorized container registries and image types, reducing exposure to malicious payloads
 - Enhanced Container Isolation runs containers without root privileges inside a Linux user namespace, limiting the impact of malicious containers
 - Air-gapped containers let you configure network restrictions for containers, preventing malicious containers from accessing your organization's internal network resources
+- Namespace access controls whether organization members can push content to their personal Docker Hub namespaces, preventing accidental publication of images outside approved locations
 - Settings Management locks down Docker Desktop configurations to enforce company policies and prevent developers from introducing insecure settings, whether intentionally or accidentally
 
 ## Next steps

content/manuals/enterprise/security/hardened-desktop/namespace-access.md

@@ -0,0 +1,53 @@
+---
+title: Namespace access control
+linkTitle: Namespace access
+description: Control whether organization members can push content to their personal namespaces on Docker Hub
+keywords: namespace access, docker hub, personal namespace, organization security, docker business
+tags: [admin]
+weight: 50
+---
+
+{{< summary-bar feature_name="Namespace access" >}}
+
+Namespace access control lets organization administrators control whether all
+members of an organization can push content to their personal namespaces on
+Docker Hub. This prevents organizations from accidentally publishing images
+outside of approved, governed locations.
+
+When namespace access control is enabled, organization members can still view and pull images
+from their personal namespaces and continue accessing all existing repositories
+and content. However, they will no longer be able to create new repositories or
+push new images to their personal namespace.
+
+> [!IMPORTANT]
+>
+> For users in multiple organizations, if namespace access control is enabled in
+> any organization, that user cannot push to their personal namespace and cannot
+> create new repositories in their personal namespace.
+
+### Configure namespace access control
+
+To configure namespace access control:
+
+1. Sign in to [Docker Home](https://app.docker.com/) and select your
+   organization from the top-left account drop-down.
+2. Select **Admin Console**, then **Namespace access**.
+3. Use the toggle to enable or disable namespace access control.
+4. Select **Save changes**.
+
+Once namespace access control is enabled, organization members can still view their
+personal namespace and existing repositories but they will not be able to create
+any new repositories or push any new images to existing repositories.
+
+### Verify access restrictions
+
+After configuring namespace access control, test that restrictions work correctly.
+
+After any attempt to push to an existing repository in your personal namespace,
+you'll see an error message like the following:
+
+```console
+$ docker push <personal-namespace>/<image>:<tag>
+Unavailable
+authentication required - namespace access restriction from an organization you belong to prevents pushing new content in your personal namespace. Restriction applied by: <organizations>. Please contact your organization administrator
+```

content/manuals/enterprise/security/roles-and-permissions/core-roles.md

@@ -37,6 +37,7 @@ These permissions apply organization-wide, including all repositories in your or
 | Edit and delete publisher repository logos            | ❌     | ✅     | ✅    |
 | Observe content engagement as a publisher             | ❌     | ❌     | ✅    |
 | Create public and private repositories                | ❌     | ✅     | ✅    |
+| Disable public repositories                           | ❌     | ✅     | ✅    |
 | Edit and delete repositories                          | ❌     | ✅     | ✅    |
 | Manage tags                                           | ❌     | ✅     | ✅    |
 | View repository activity                              | ❌     | ❌     | ✅    |
@@ -66,6 +67,7 @@ beyond their organization role:
 | Export and reporting                                              | ❌     | ❌     | ✅    |
 | Image Access Management                                           | ❌     | ❌     | ✅    |
 | Registry Access Management                                        | ❌     | ❌     | ✅    |
+| Namespace access control                                          | ❌     | ❌     | ✅    |
 | Set up Single Sign-On (SSO) and SCIM                              | ❌     | ❌     | ✅ \* |
 | Require Docker Desktop sign-in                                    | ❌     | ❌     | ✅ \* |
 | Manage billing information (for example, billing address)         | ❌     | ❌     | ✅    |

content/manuals/platform-release-notes.md

@@ -12,6 +12,17 @@ tags: [Release notes, admin]
 
 This page provides details on new features, enhancements, known issues, and bug fixes across Docker Home, the Admin Console, billing, security, and subscription functionalities.
 
+## 2026-02-13
+
+### New
+
+- Administrators can now control whether organization members can push content
+  to their personal namespaces on Docker Hub with [namespace access
+  control](/manuals/enterprise/security/hardened-desktop/namespace-access.md).
+- Administrators can now prevent creating public repositories within
+  organization namespaces using the [Disable public
+  repositories](/manuals/docker-hub/settings.md#disable-creation-of-public-repos) setting.
+
 ## 2026-01-27
 
 ### New