It is not currently possible to limit pushes to a docker registry based on the tags on the image. I have 2 permission targets applied to a docker registry. 1 target gives a user read and deploy permissions. This first permission is applied to "**/*" items. The other target gives users delete/overwrite permissions and is limited to only "**/*latest" items. This should allow the user to version release their docker images 1.0, 1.1, 2.0 - and those version tags should be immutable. But, the "latest" version of the docker image needs to be updatable.
Through the GUI, the effective permissions are showing up correctly (see below images).
But, when pushing a new "latest" tagged image, I get "manifest invalid: manifest invalid".