Key concepts

Access permissions

Access permissions for the Container Registry service differ depending on whether a user belongs to the project.

Users belonging to the project

The Container Registry service follows the IAM permission model. Users with the IAM role of project admin or project member are automatically granted the Container Registry admin role.
Users with the Container Registry admin role have access to all repositories and images created within the project and can push (upload) and pull (download) images.

Users not belonging to the project

Users who belong to the same organization but not to the project can be granted repository member or repository viewer roles.
However, such users can only access repositories via tools like Docker CLI using access credentials—they cannot access through the console.
If access is needed regardless of organization or project, a public repository must be created.

Repository access permissions

Repository role | Description
Repository member | Can push and pull images
Repository viewer | Can only pull images

For more details on permission settings, refer to Configure repository permission.

Manage image/tag history

Provides detailed image history and tag tracking features. Users can track actions, review tag usage history, and recover deleted tags to support lifecycle planning.
For more information, refer to Manage image.

Secure private repository

Provides a secure, private container image storage service for managing container images on a per-repository basis.
With IAM integration, user authentication is enforced, and push/pull permissions can be granted per repository.

Repository management in console

A repository is a storage unit for container images. At least one repository is required to upload and manage images in the Container Registry.
Repositories can be created and managed via the console (web browser). For more details, refer to Manage repository.

Visibility settings

For KakaoCloud authenticated users, a repository can be set to public so that anyone who knows the URI can pull images without additional authentication.

Console-based image management

Docker container images are packages that include everything required to run an application: code, runtime, system tools, and libraries.
Container Registry is based on Docker and supports image management through a console-based interface.
For more details, refer to Manage image.

Push/pull image

Push and pull permissions can be controlled per user account.

  • Push uploads an image to the Container Registry
  • Pull downloads the image to a target server

These are fundamental operations of the Container Registry.
For more information, refer to Push/pull image.

Tag management in console

A tag is a label that can be applied to a specific version of an image. Multiple tags can be assigned to a single image.
Container Registry allows tag management through the console. For more details, see Manage tag.

Image URI structure

The image URI is structured as follows:
https://{project ID}.{region}.kcr.dev/{repository name}/{image name}:{tag name}
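
An added example, not part of the KakaoCloud documentation: a Python check that parses image URIs in the layout above and accepts only those that name an expected project and region and carry an explicit tag. The optional scheme, the allowed character sets, and every sample value are assumptions.

```python
import re
from typing import NamedTuple

class ImageRef(NamedTuple):
    project_id: str
    region: str
    repository: str
    image: str
    tag: str

# Layout from the page:
#   https://{project ID}.{region}.kcr.dev/{repository name}/{image name}:{tag name}
# Assumptions: the scheme is optional (Docker image references omit it); the name
# character classes are guesses. The tag class is Docker's own tag grammar.
_REF = re.compile(
    r"(?:https://)?"
    r"(?P<project_id>[A-Za-z0-9-]+)\.(?P<region>[A-Za-z0-9-]+)\.kcr\.dev"
    r"/(?P<repository>[a-z0-9._-]+)/(?P<image>[a-z0-9._-]+)"
    r":(?P<tag>[A-Za-z0-9_][A-Za-z0-9._-]{0,127})"
)

def parse_image_uri(uri: str) -> ImageRef:
    m = _REF.fullmatch(uri.strip())  # fullmatch: no trailing host or path parts
    if m is None:
        raise ValueError(f"not a tagged kcr.dev image URI: {uri!r}")
    return ImageRef(**m.groupdict())

def check_images(uris, allowed_projects, allowed_regions):
    """Return (accepted refs, [(uri, reason)]) for a list of image URIs."""
    accepted, rejected = [], []
    for uri in uris:
        try:
            ref = parse_image_uri(uri)
        except ValueError:
            rejected.append((uri, "malformed or not this registry"))
            continue
        if ref.project_id not in allowed_projects or ref.region not in allowed_regions:
            rejected.append((uri, "unexpected project or region"))
        else:
            accepted.append(ref)
    return accepted, rejected

# Constructed sample values, not real projects or images.
SAMPLE = [
    "https://proj-example.kr-central-2.kcr.dev/backend/api:1.4.2",
    "proj-example.kr-central-2.kcr.dev/backend/api:1.4.2",
    "https://proj-example.kr-central-2.kcr.dev/backend/api",       # no tag
    "https://other-proj.kr-central-2.kcr.dev/backend/api:latest",  # other project
    "https://proj-example.kr-central-2.kcr.dev.example.net/backend/api:1.0",
]
```

Calling `check_images(SAMPLE, {"proj-example"}, {"kr-central-2"})` accepts the first two entries and returns the other three with a rejection reason.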

Vulnerability analysis

Detect vulnerabilities in stored or incoming images using a continuously updated vulnerability database. This helps ensure image security before deployment.
You can also configure alert notifications to receive scan results via email or Kakao Work (upcoming support).

Image scan

Container Registry supports daily image scans using Trivy, an open-source vulnerability scanner from Aqua Security.
It identifies security issues based on the CVE (Common Vulnerabilities and Exposures) database and provides results in list format.
For more information, see Scan image (vulnerability analysis).

Auto scan

You can enable automatic scanning when creating a repository or modifying scan settings of an existing one.
Manual scanning is also available if needed.
For more details, refer to Auto scan image.

Resource quota

Container Registry enforces service quotas on repositories, images, and tags. Items that exceed quota limits cannot be added.

Quota
Resource type | Scope | Quota
Repository | Per project | 1,000
Image | Per repository | 10,000
Tag | Per image | 1,000

Garbage collection

To manage storage usage, Container Registry supports garbage collection.
When run, it deletes layer data from manifests that are not referenced by any images.