diff --git a/app/registry/prod.jsonnet b/app/registry/prod.jsonnet
index 65b24130..a7e1f5e5 100644
--- a/app/registry/prod.jsonnet
+++ b/app/registry/prod.jsonnet
@@ -144,7 +144,15 @@ local cm = import "../../cluster/kube/lib/cert-manager.libsonnet";
                     token_db: "/data/oauth2_tokens.ldb",
                     registry_url: "https://registry.k0.hswaw.net",
                 },
+                users: {
+                    [""]: {}, // '' user are anonymous users.
+                },
                 acl: [
+                    {
+                        match: {account: "/(q3k|inf)/", name: "vms/*"},
+                        actions: ["*"],
+                        comment: "q3k and inf can mange 'vms' docker images",
+                    },
                     {
                         match: {account: "/.+/", name: "${account}/*"},
                         actions: ["*"],
@@ -156,9 +164,9 @@ local cm = import "../../cluster/kube/lib/cert-manager.libsonnet";
                         comment: "Logged in users can query the catalog.",
                     },
                     {
-                        match: {account: "/.+/"},
+                        match: {account: ""},
                         actions: ["pull"],
-                        comment: "Logged in users can pull all images.",
+                        comment: "Anyone can pull all images.",
                     },
                 ],
             }),