Merge pull request #22474 from chaomonica/SEG-1124

docs: Added section explaining how RAM configurations restricting Docker Hub interact with mirror registries
Monica Chao 2025-04-24 05:24:38 -05:00 committed by GitHub
parent 7b9471d4b2
commit d0e601bc89
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 16 additions and 0 deletions

@ -45,6 +45,21 @@ Hub can be mirrored.
The Registry can be configured as a pull through cache. In this mode a Registry
responds to all normal docker pull requests but stores all content locally.
### Using Registry Access Management (RAM) with a registry mirror
If Docker Hub access is restricted via your Registry Access Management (RAM) configuration, you will not be able to pull images originating from Docker Hub even if the images are available in your registry mirror.
You will encounter the following error:
```console
Error response from daemon: Access to docker.io has been restricted by your administrators.
```
If you are unable to allow access to Docker Hub, you can manually pull from your registry mirror and optionally, retag the image. For example:
```console
docker pull <your-registry-mirror>[:<port>]/library/busybox
docker tag <your-registry-mirror>[:<port>]/library/busybox:latest busybox:latest
```
## How does it work?
The first time you request an image from your local registry mirror, it pulls
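
Review bot: The workaround example is inconsistent about the tag: `docker pull <your-registry-mirror>[:<port>]/library/busybox` relies on the implicit default tag, while the `docker tag` line on the next row names `:latest` explicitly. Suggest writing `:latest` on the pull line too, so the two commands visibly refer to the same image. The section also does not say whether the mirror's host has to be permitted by the RAM configuration for this manual pull to succeed; one sentence stating that would help, since the error text shown only names docker.io. It is also worth noting that after the retag, `busybox:latest` is only a local name for whatever the mirror served, and a later `docker pull busybox` would still hit the restriction described in the first paragraph. Minor wording: "and optionally, retag the image" reads better as "and, optionally, retag the image".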

@ -89,6 +89,7 @@ earlier Linux kernel series).
This will be resolved in the updated 5.15 series Linux kernel.
- Images pulled by Docker Desktop when Docker Debug or Kubernetes is enabled,
are not restricted by default even if Docker Hub is blocked by RAM.
- If Docker Hub access is restricted by RAM, pulls on images originating from Docker Hub are restricted even if the image has been previously cached by a registry mirror. See [Using Registry Access Management (RAM) with a registry mirror](/manuals/docker-hub/image-library/mirror.md).
Also, Registry Access Management operates on the level of hosts, not IP
addresses. Developers can bypass this restriction within their domain
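
Review bot: The cross-reference in the new bullet links to the top of `/manuals/docker-hub/image-library/mirror.md` although its link text is the title of a specific section; suggest pointing the link at that heading's anchor so readers land on the RAM workaround rather than the start of the mirror page. The bullet is also a single long line while the neighbouring bullets are hard-wrapped, and "pulls on images originating from Docker Hub" would read better as "pulls of images originating from Docker Hub". Please also check that the unchanged paragraph beginning "Also, Registry Access Management operates on the level of hosts" still reads correctly now that it follows this bullet instead of the Docker Debug one.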