Key Concepts
Access permissions
Access permissions for Container Registry differ depending on whether or not the user belongs to the project.
Users belonging to the project
Container Registry follows the IAM permissions scheme. If your IAM role is Project Admin or Project Member, you are automatically granted the Container Registry Admin role. Users with the Container Registry Admin role have access to all repositories and images created within the project, and can push and pull images.
Users not belonging to the project
Users who belong to the same organization but are not part of the specific project can still be granted Repository Member or Repository Viewer permissions. However, users not associated with the project can access the repository through tools such as Docker CLI but cannot access it via the console. If a repository needs to be accessible regardless of the organization, a public repository must be created.
Repository access permissions
Repository access permissions | Description |
---|---|
Repository Member | Push and pull operations on images are possible |
Repository Viewer | Only image pull operations are possible |
For details regarding permission settings, please refer to Configure repository permission.
Image/Tag history management
Container Registry provides detailed image history management and tag history management functions. Users can plan the use of images by utilizing image management functions such as tracking information by action, tag usage history, and recovery. For detailed instructions, please refer to Manage image.
Secure private repository
Container Registry provides a private container image repository to safely store container images and manage them by repository. Through IAM integration, you can authenticate KakaoCloud users and manage permissions to push/pull images for each repository.
Repository management in console
A repository is a storage space for storing images, and one or more repositories are required to upload and manage images to Container Registry.
You can create and manage repositories in the KakaoCloud console. For details, please refer to Manage repository.
Visibility settings
Authenticated users can configure images in the repository so that anyone who knows the URI can pull them without separate authentication.
Console-based image management
A Docker container image is a package that contains everything needed to run an application: code, runtime, system tools, and system libraries. Container Registry is based on Docker, and lets you manage Docker container images through the console (web browser). For detailed instructions, refer to Manage image.
Image Push/Pull
Push/Pull permissions for images can be controlled for each account. Push exports (uploads) the image to Container Registry, and Pull imports (downloads) the image to the target server. This is the most basic Container Registry operation.
For details, please refer to Push/Pull images.
Tag management in console
A tag is a label that can be applied to a specific version of an image. You can add multiple tags to an image. You can manage tags in the KakaoCloud console.
Image URI structure
The image URI structure consists of https://{project unique ID}.{region}.kcr.dev/{repository name}/{image name}:{tag name}.
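The following parser for the URI structure above is an added example, not code from KakaoCloud. The character rules for each field (DNS labels for the project ID and region, Docker reference rules for names and tags), the function names, and the sample values in the usage are assumptions, since the page does not define them.

```python
import re
from typing import NamedTuple

# Host layout from the page: {project unique ID}.{region}.kcr.dev
# Assumed character sets: DNS labels for project/region, Docker
# reference rules for repository, image and tag names.
_LABEL = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
_NAME = r"[a-z0-9]+(?:[._-][a-z0-9]+)*"
_TAG = r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}"
_URI = re.compile(
    rf"(?:https://)?(?P<project>{_LABEL})\.(?P<region>{_LABEL})\.kcr\.dev"
    rf"/(?P<repository>{_NAME})/(?P<image>{_NAME}):(?P<tag>{_TAG})"
)


class ImageRef(NamedTuple):
    project: str
    region: str
    repository: str
    image: str
    tag: str

    @property
    def docker_ref(self) -> str:
        """Reference without the scheme, the form the Docker CLI accepts."""
        return (f"{self.project}.{self.region}.kcr.dev/"
                f"{self.repository}/{self.image}:{self.tag}")


def parse_image_uri(uri: str) -> ImageRef:
    """Split an image URI into its parts; raise ValueError if it does not fit."""
    m = _URI.fullmatch(uri.strip())
    if m is None:
        raise ValueError(f"not a Container Registry image URI: {uri!r}")
    return ImageRef(**m.groupdict())


def is_allowed(uri: str, project: str, repositories: set[str]) -> bool:
    """True only for images from the given project and an approved repository."""
    try:
        ref = parse_image_uri(uri)
    except ValueError:
        return False  # wrong host, missing tag, or extra path segments
    return ref.project == project and ref.repository in repositories
```

Because the whole string must match, a host that merely contains `kcr.dev` as a prefix of a longer domain is rejected rather than treated as a registry image.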
Vulnerability analysis
You can detect vulnerabilities in images stored in the repository or images to be uploaded to the repository. By utilizing a continuously updated vulnerability database, you can check whether the image is safe before distribution. Additionally, you can receive vulnerability analysis results via email or Kakao Work (to be supported) by setting up notifications.
Image scan
Container Registry can scan images once a day. The image scan function uses Trivy, an open source container vulnerability scanner from Aqua Security, to identify security vulnerabilities based on Common Vulnerabilities and Exposures (CVE) and provides the scan results in a list format. For detailed instructions, please refer to Scan image (Vulnerability analysis).
Auto scan
You can set up an automatic scan to run when an image is pushed, either when creating a new repository or in the Image Scan Settings section of an existing repository. If necessary, you can also set up manual scanning instead of automatic. For detailed instructions, please refer to Auto-scan image.
Resource quota
Resource service quota information for repositories, images, and tags supported by Container Registry is as follows. Items that exceed the quota value can no longer be added.
Quota
Item | Standards | Quota value |
---|---|---|
Repository | Per project | 1,000 |
Image | Per repository | 10,000 |
Tags | Per image | 1,000 |
Garbage collection
Garbage collection is provided to manage storage usage. Running garbage collection can delete layer data that is not referenced by any image manifest.