A container registry is a collection of repositories made to store container images. A container image is a file composed of multiple layers that packages an application so it can run as a single instance. During the application development process, developers should have access to all the container images needed for an application. Hosting all the images in one stored location allows users to commit, identify and pull images when needed.
A user can act as a host for a container image by placing an image into a container registry for others to use. If an organization is hosting a cloud-native application, then utilizing a container registry may be a good idea.
Repository vs. registry
The terms repository and registry are easily confused when talking about containers. A container repository is used to store related images for setup and deployment. Container repositories can be used to manage, pull or push images. Container registries store multiple repositories of container images, as well as API paths and access control rules. Container registries also have the option of being hosted publicly or privately.
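The registry/repository split shows up directly in how an image is named: a reference is made up of a registry host, a repository path, and an optional tag or digest. The parser below is an added example (not code from the original article or from any registry product) that splits a reference into those parts using the commonly used grammar `[registry/]repository[:tag][@digest]`; the default registry name `docker.io` and the `library/` namespace for bare single-segment names are assumptions modelled on Docker's conventions. It also reports whether the reference is pinned by digest, which is the form a security-conscious deployment should prefer, since a tag can be moved to a different image while a digest cannot.

```python
"""Parse container image references into registry, repository, tag and digest.

Added example, not from the original article. Grammar assumed:
    [registry/]repository[:tag][@digest]
References without a registry host fall back to DEFAULT_REGISTRY (assumed
to be docker.io), and a bare single-segment name is placed under 'library/'.
"""
import re
from dataclasses import dataclass
from typing import Optional

DEFAULT_REGISTRY = "docker.io"  # assumption for references without a host
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
TAG_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$")


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]

    @property
    def pinned(self) -> bool:
        """True when the reference is immutable (addressed by content digest)."""
        return self.digest is not None


def parse_image_ref(ref: str) -> ImageRef:
    name, digest = ref, None
    if "@" in name:
        name, digest = name.split("@", 1)
        if not DIGEST_RE.match(digest):
            raise ValueError(f"malformed digest: {digest}")

    # A registry host is recognised the way Docker does it: the first path
    # segment contains a '.' or ':' (domain or port) or is exactly 'localhost'.
    parts = name.split("/")
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, path = parts[0], "/".join(parts[1:])
    else:
        registry, path = DEFAULT_REGISTRY, name

    # The tag separator is the last ':' after the final '/'; a port in the
    # registry host has already been split off above, so it cannot be mistaken.
    tag = None
    last_slash = path.rfind("/")
    colon = path.rfind(":")
    if colon > last_slash:
        path, tag = path[:colon], path[colon + 1:]
        if not TAG_RE.match(tag):
            raise ValueError(f"malformed tag: {tag}")

    if not path:
        raise ValueError("empty repository")
    if registry == DEFAULT_REGISTRY and "/" not in path:
        path = "library/" + path  # assumption: Docker Hub's official-image namespace
    return ImageRef(registry, path, tag, digest)


if __name__ == "__main__":
    for ref in ("nginx", "registry.example.com:5000/team/app:1.4",
                "ghcr.io/org/app@sha256:" + "a" * 64):
        r = parse_image_ref(ref)
        print(f"{ref:60} -> registry={r.registry} repo={r.repository} "
              f"tag={r.tag} digest={r.digest} pinned={r.pinned}")
```

A deployment policy can use `pinned` to reject any reference that is addressed only by a mutable tag, which is the same property an image-signing control ultimately relies on.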
Public and private registries
Public container registries are generally the faster and easier route when starting out with a container registry. They are ideal for smaller teams that benefit most from incorporating standard, open source images from public registries. Public registries are also seen as easier to use; however, they may also be less secure than private registries.
A private registry is a container registry that is set up by the organization utilizing it. Private registries are either hosted or on-premises and are typically used by a larger organization or enterprise that is more committed to using a container registry. Having complete control over the registry in development gives an organization more freedom in how it chooses to manage it. This is why private registries are seen as the more secure route when it comes to implementing a container registry, as an organization can apply as many security measures as it deems necessary.
Public registries are seen as less secure because individual container images may contain malicious or outdated code which, if left unpatched, could lead to a data breach. It may also be unknown who has read or write access to an image.
If an organization’s priority is security when it comes to container registries, then the first move to make should be to implement a private registry. Other security approaches to container registries include:
- Assigning role-based access control (RBAC).
- Scanning for vulnerabilities in images.
- Digitally signing images to ensure each image is trusted.
- Using authentication methods such as access tokens or JSON key files similar to how Google’s container registry works.
- Using Identity and Access Manager (IAM) settings, like how IBM’s Cloud Container Registry does.
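Two of the controls in the list above, role-based access control and image signing, can be combined into a single admission check that a registry front end or a deployment pipeline applies before serving an image. The following is an added example, not code from the original article or from any registry product: RBAC is modelled as role-to-action permissions bound to repository prefixes, and image trust is modelled with an HMAC over the manifest's content digest, which is an assumption standing in for the asymmetric signature a real signing tool would produce; the user bindings and manifest are constructed sample data.

```python
"""Toy registry admission gate: RBAC on the request, then signature check.

Added example, not from the original article. The HMAC-based signature is an
assumption standing in for a real asymmetric image signature; the role table,
user bindings and manifest below are constructed sample data.
"""
import hashlib
import hmac
import json
from typing import Tuple

# --- Role-based access control ------------------------------------------
ROLE_PERMISSIONS = {
    "reader": {"pull"},
    "developer": {"pull", "push"},
    "admin": {"pull", "push", "delete"},
}

# user -> (role, repository prefix) bindings; an empty prefix matches every
# repository. Constructed sample data.
USER_BINDINGS = {
    "alice": [("developer", "team-a/")],
    "bob": [("reader", "team-a/"), ("developer", "team-b/")],
    "ops": [("admin", "")],
}


def authorize(user: str, action: str, repository: str) -> bool:
    """Allow the action only if some binding grants it for this repository."""
    for role, prefix in USER_BINDINGS.get(user, []):
        if repository.startswith(prefix) and action in ROLE_PERMISSIONS.get(role, set()):
            return True
    return False


# --- Image signing ------------------------------------------------------
def manifest_digest(manifest: dict) -> str:
    """Content digest of a manifest, computed over canonical JSON bytes so that
    key order or whitespace differences do not change the digest."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return "sha256:" + hashlib.sha256(canonical).hexdigest()


def sign_manifest(manifest: dict, key: bytes) -> str:
    """Sign the digest, not the raw bytes: any change to a layer changes it."""
    return hmac.new(key, manifest_digest(manifest).encode(), hashlib.sha256).hexdigest()


def verify_manifest(manifest: dict, signature: str, key: bytes) -> bool:
    # Constant-time comparison so verification time does not leak information.
    return hmac.compare_digest(sign_manifest(manifest, key), signature)


def admit_pull(user: str, repository: str, manifest: dict,
               signature: str, key: bytes) -> Tuple[bool, str]:
    """Both controls must pass; the reason string is meant for audit logs."""
    if not authorize(user, "pull", repository):
        return False, "rbac: pull denied"
    if not verify_manifest(manifest, signature, key):
        return False, "signature: manifest not trusted"
    return True, "ok"


# Constructed sample manifest and signing key (not real values).
SAMPLE_MANIFEST = {
    "schemaVersion": 2,
    "layers": [{"digest": "sha256:" + "1" * 64, "size": 1024}],
}
SAMPLE_KEY = b"example-signing-key-do-not-use"

if __name__ == "__main__":
    sig = sign_manifest(SAMPLE_MANIFEST, SAMPLE_KEY)
    print(admit_pull("alice", "team-a/app", SAMPLE_MANIFEST, sig, SAMPLE_KEY))
    tampered = json.loads(json.dumps(SAMPLE_MANIFEST))
    tampered["layers"][0]["digest"] = "sha256:" + "2" * 64
    print(admit_pull("alice", "team-a/app", tampered, sig, SAMPLE_KEY))
    print(admit_pull("bob", "team-b/app", SAMPLE_MANIFEST, sig, SAMPLE_KEY))
```

The order matters: the cheap RBAC decision runs first so unauthenticated or unauthorized callers never reach the signature check, and the tampered-manifest case shows why signing the content digest rather than a tag is what makes the control meaningful.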