Harbor registry proxy cache vs replication
Question
I'm new to Harbor registry. I was asked to propose an architecture for Harbor in my company. I proposed at first to use an architecture based on proxy cache. But the CISO refused to use proxy cache for the enterprise without saying why. I proposed another architecture based on replication. We validate some base images that are pulled from public registries and pushed into our Harbor registry (one active Harbor that pulls the images from the internet and another passive Harbor for high availability, plus 4 other Harbors that live in special network zones; they get the images from the master Harbor).
The question is why the CISO refused the use of proxy cache? Are there any drawbacks to using it? What are the security risks that can appear using the Harbor proxy cache vs replication? I can't find clear information about this question on the internet. It seems that the majority is using proxy cache.
Thank you!
Answer 1
Score: 0
At this stage one can only speculate about the unprofessional behavior of not explaining the reasons, and also of not asking.
Regarding Harbor proxy and replication, the main difference between both options is the difference in threat surface and its control.
Proxy
- Passive, forwards requests upstream if not found locally.
- No control
Replication
- Active, explicitly specify the images you want to copy from upstream
- Full control
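
The difference in control described in the answer above, as an added example that is not part of the original answer and is not Harbor code. It models both modes over the same pull requests and reports which unvalidated images end up stored locally; the image names, the allowlist and the `fnmatch`-style pattern matching are constructed assumptions.

```python
from fnmatch import fnmatchcase

# Constructed allowlist of validated base images: (repository pattern, tag pattern).
APPROVED = [("library/nginx", "1.25.*"),
            ("library/alpine", "3.19*"),
            ("library/python", "3.12-slim")]

# Constructed content of the public upstream registry.
UPSTREAM = {"library/nginx:1.25.3", "library/nginx:latest", "library/alpine:3.19",
            "library/python:3.12-slim", "library/redis:7.2",
            "thirdparty/debug-tools:latest"}

# Constructed pull requests arriving at the internal registry.
REQUESTS = ["library/nginx:1.25.3", "library/alpine:3.19", "library/nginx:latest",
            "thirdparty/debug-tools:latest", "library/python:3.12-slim"]

def is_approved(ref, approved=APPROVED):
    """True if repo:tag matches an allowlist entry (fnmatch is an assumption here)."""
    name, _, tag = ref.rpartition(":")
    return any(fnmatchcase(name, n) and fnmatchcase(tag, t) for n, t in approved)

def proxy_cache(requests, upstream=UPSTREAM):
    """Pull-through: any miss is forwarded upstream and the result is cached."""
    local = set()
    for ref in requests:
        if ref not in local and ref in upstream:
            local.add(ref)          # the client decides what enters the registry
    return local

def replication(requests, upstream=UPSTREAM, approved=APPROVED):
    """Only allowlisted images are copied in advance; misses are refused."""
    local = {ref for ref in upstream if is_approved(ref, approved)}
    refused = [ref for ref in requests if ref not in local]
    return local, refused

def unapproved(local):
    """Audit check: images stored locally that were never validated."""
    return sorted(ref for ref in local if not is_approved(ref))

if __name__ == "__main__":
    print("proxy cache, unvalidated images stored:", unapproved(proxy_cache(REQUESTS)))
    local, refused = replication(REQUESTS)
    print("replication, unvalidated images stored:", unapproved(local))
    print("replication, pulls refused:", refused)
```

The same `unapproved` check can be run against a real repository listing exported from a proxy-cache project to see what has entered the registry without validation.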