| copyright | lastupdated | keywords | subcollection | ||
|---|---|---|---|---|---|
|
2024-05-09 |
private DNS, isolation for IBM Cloud Container Registry, service endpoints for IBM Cloud Container Registry, private network for IBM Cloud Container Registry, network isolation in IBM Cloud Container Registry, non-public routes for IBM Cloud Container Registry, private connection for IBM Cloud Container Registry, private network, image, connection, service endpoint, account, services |
Registry |
{{site.data.keyword.attribute-definition-list}}
{: #registry_private}
You can use private network connections to securely route your data in {{site.data.keyword.registrylong}}. {: shortdesc}
If you use cloud-based services for production workloads, you can use a secure private connection so that you can ensure that you adhere to any compliance regulations. You can use {{site.data.keyword.cloud_notm}} service endpoints to connect to {{site.data.keyword.cloud_notm}} services over the private {{site.data.keyword.cloud_notm}} network.
Service endpoints make it easier to securely route network traffic between different {{site.data.keyword.cloud_notm}} services and your registry over the private {{site.data.keyword.cloud_notm}} network. This network routing ensures that your data doesn't go over the public internet.
To learn more about {{site.data.keyword.cloud_notm}} service endpoints, see Secure access to services by using service endpoints.
{: #registry_private_images}
You must set up your account with the correct authority so that you can set up a private network connection for pushing and pulling images.
{{site.data.keyword.registrylong_notm}} is a multi-tenant offering and you are, therefore, not required to create your own service endpoints to connect to the registry over private connections.
{: #registry_private_images_endpoints}
To connect to {{site.data.keyword.cloud_notm}} services over a private network, you must meet the following criteria.
- You must be able to access the classic infrastructure.
- You must enable virtual routing and forwarding (VRF) and connectivity to service endpoints for your account.
- You must also have a billable account.
To enable your {{site.data.keyword.cloud_notm}} account to use virtual routing and forwarding (VRF) and service endpoints, see Enabling VRF and service endpoints.
{: #registry_private_images_considerations}
-
Private domain names aren't used by the
container-registryCLI plug-in. If you push an image on the private domain name, and then use the CLI on a public connection to run theibmcloud cr imagescommand, the image is listed with all the other images that have the same public domain name. -
If you have private {{site.data.keyword.containerlong_notm}} clusters, you aren't required to change anything. {{site.data.keyword.containerlong_notm}} already modifies the connection, which is referenced by the public domain name, to use a private connection. This behavior is unchanged.
- If you use {{site.data.keyword.containerlong_notm}}, you can optionally reference your images from private clusters by using the private registry domain name. However, you must create more
imagePullSecretsfor the extra domain names, see Understanding how to authorize your cluster to pull images from a registry.
- If you use {{site.data.keyword.containerlong_notm}}, you can optionally reference your images from private clusters by using the private registry domain name. However, you must create more
-
Pull traffic is not charged for image pulls that use private connections.
-
If you use image signing and want to use the private domain names, you must re-sign any images that you already have because the domain name forms part of the signed artifact.
{: #registry_private_images_push}
Private connections are available so that you can push and pull images. You use the same icr.io domain name, with the prefix private., see Regions.
You can't use private connections for image management operations by using the {{site.data.keyword.registrylong_notm}} CLI. {: note}
Run the docker login command to authenticate with your registry. Replace <apikey> with your API key{: term} and <private_registry_domain> with the private domain name where your namespaces are set up. The private domain names are described in Regions.
docker login -u iamapikey -p <apikey> <private_registry_domain>{: pre}
{{site.data.keyword.registrylong_notm}} supports other clients as well as Docker. To log in by using other clients, see Accessing your namespaces in automation. {: tip}
For more information, see Automating access to {{site.data.keyword.registrylong_notm}}.
{: #registry_private_account}
You can prevent image pulls or pushes from IP addresses outside of certain network zones, including VPCs and private networks, by using IAM context-based restrictions.