Key concepts
Access permissions
Access permissions for the Container Registry service differ depending on whether a user belongs to the project.
Users belonging to the project
The Container Registry service follows the IAM permission model. Users with the IAM role of project admin or project member are automatically granted the Container Registry admin role.
Users with the Container Registry admin role have access to all repositories and images created within the project and can push (upload) and pull (download) images.
Users not belonging to the project
Users who belong to the same organization but not to the project can be granted repository member or repository viewer roles.
However, such users can only access repositories via tools like Docker CLI using access credentials—they cannot access through the console.
If access is needed regardless of organization or project, a public repository must be created.
Repository access permissions
Repository role | Description |
---|---|
Repository member | Can push and pull images |
Repository viewer | Can only pull images |
For more details on permission settings, refer to Configure repository permission.
Manage image/tag history
Provides detailed image history and tag tracking features. Users can track actions, review tag usage history, and recover deleted tags to support lifecycle planning.
For more information, refer to Manage image.
Secure private repository
Provides a secure, private container image storage service for managing container images on a per-repository basis.
With IAM integration, user authentication is enforced, and push/pull permissions can be granted per repository.
Repository management in console
A repository is a storage unit for container images. At least one repository is required to upload and manage images in the Container Registry.
Repositories can be created and managed via the console (web browser). For more details, refer to Manage repository.
Visibility settings
For KakaoCloud authenticated users, a repository can be set to public so that anyone who knows the URI can pull images without additional authentication.
Console-based image management
Docker container images are packages that include everything required to run an application: code, runtime, system tools, and libraries.
Container Registry is based on Docker and supports image management through a console-based interface.
For more details, refer to Manage image.
Push/pull image
Push and pull permissions can be controlled per user account.
- Push uploads an image to the Container Registry
- Pull downloads the image to a target server
These are fundamental operations of the Container Registry.
For more information, refer to Push/pull image.
Tag management in console
A tag is a label that can be applied to a specific version of an image. Multiple tags can be assigned to a single image.
Container Registry allows tag management through the console. For more details, see Manage tag.
Image URI structure
The image URI is structured as follows:
https://{project ID}.{region}.kcr.dev/{repository name}/{image name}:{tag name}
Vulnerability analysis
Detect vulnerabilities in stored or incoming images using a continuously updated vulnerability database. This helps ensure image security before deployment.
You can also configure alert notifications to receive scan results via email or Kakao Work (upcoming support).
Image scan
Container Registry supports daily image scans using Trivy, an open-source vulnerability scanner from Aquasecurity.
It identifies security issues based on the CVE (Common Vulnerabilities and Exposures) database and provides results in list format.
For more information, see Scan image (vulnerability analysis).
Auto scan
You can enable automatic scanning when creating a repository or modifying scan settings of an existing one.
Manual scanning is also available if needed.
For more details, refer to Auto scan image.
Resource quota
Container Registry enforces service quotas on repositories, images, and tags. Items that exceed quota limits cannot be added.
Quota
Resource type | Scope | Quota |
---|---|---|
Repository | Per project | 1,000 |
Image | Per repository | 10,000 |
Tag | Per image | 1,000 |
Garbage collection
To manage storage usage, Container Registry supports garbage collection.
When run, it deletes layer data from manifests that are not referenced by any images.