Google Container Registry

  • Container Registry is a container image repository to manage Docker images, perform vulnerability analysis, and define fine-grained access control.

Features

  • Automatically build and push images to a private registry when you commit code to Cloud Source Repositories, GitHub, or Bitbucket.
  • You can push and pull Docker images to and from your private Container Registry using the standard Docker command-line interface.
  • The first time you push an image to Container Registry, the system creates a Cloud Storage bucket in your project to store all of your images.
  • You retain control over who can access, view, or download images.

Pricing

  • Container Registry charges for the following:
    • Storing images on Cloud Storage.
    • Network egress for container images pulled from the registry.
  • Network ingress is free.
  • If the Container Scanning API is enabled for either Container Registry or Artifact Registry, vulnerability scanning is turned on and billed for both products.

Validate Your Knowledge

Question 1

Your company stores all of its container images on Google Container Registry in a project called td-devops. The development team created a Google Kubernetes Engine (GKE) cluster in a separate project and needs to download container images from the td-devops project.

What should you do to ensure that Kubernetes can download the images from Container Registry securely?

  1. In the td-devops project, assign the Storage Object Viewer IAM role to the service account used by the GKE nodes.
  2. Upon creating the GKE cluster, set the Access Scopes setting under Node Security to Allow Full Access to all Cloud APIs.
  3. Generate a P12 key for a new service account. Use the generated key as an imagePullSecrets in Kubernetes to access the private registry.
  4. In the Google Cloud Storage, configure the ACLs on each container image stored and provide read-write access to the service account used by the GKE nodes.

Correct Answer: 1

Container Registry uses Cloud Storage buckets as the underlying storage for container images. You control access to your images by granting appropriate Cloud Storage permissions to a user, group, service account, or other identity.

Cloud Storage permissions granted at the project level apply to all storage buckets in the project, not just the buckets used by Container Registry. To configure permissions specific to Container Registry, grant permissions on the storage bucket used by the registry. Container Registry ignores permissions set on individual objects within the storage bucket.


Hence, the correct answer is: In the td-devops project, assign the Storage Object Viewer IAM role to the service account used by the GKE nodes. This can be tightened further by granting the role only on the specific bucket that GCR uses to store the container images, rather than at the project level.

The option that says: Upon creating the GKE cluster, set the Access Scopes setting under Node Security to Allow Full Access to all Cloud APIs is incorrect because this does not grant permission to access Container Registry images in a different project. GKE nodes are by default configured with the appropriate permissions to push or pull images from a Container Registry storage bucket, but only within the same project.

The option that says: Generate a P12 key for a new service account. Use the generated key as an imagePullSecrets in Kubernetes to access the private registry is incorrect because it is not possible to authenticate to GCR using P12 keys. Instead, you can use JSON keys, access tokens, or the standalone and gcloud credential helpers. These authentication methods are best suited to accessing GCR images from a non-GKE environment.

The option that says: In the Google Cloud Storage, configure the ACLs on each container image stored and provide read-write access to the service account used by the GKE nodes is incorrect because GCR ignores ACL permissions set on individual objects; therefore, this is not a suitable solution. Instead, you have to assign the Storage Object Viewer IAM role to the service account used by the GKE nodes.
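The bucket-level grant recommended above, as an added example that is not part of the original page: it derives the Cloud Storage bucket backing a registry host, adds the node service account to roles/storage.objectViewer on that bucket's IAM policy without touching other bindings, and lists which principals the policy lets pull images. The project name td-devops comes from the question; the node service account name and the sample policy are constructed.

```python
"""Added example: bucket-level, read-only pull access for a GKE node SA.
Policy dicts use the shape returned by `gsutil iam get gs://BUCKET`."""
import copy

PULL_ROLE = "roles/storage.objectViewer"
# Predefined roles that let a principal read object content (pull layers).
# Not exhaustive: custom roles and project-level grants are not covered.
OBJECT_READ_ROLES = {PULL_ROLE, "roles/storage.objectAdmin", "roles/storage.admin",
                     "roles/storage.legacyObjectReader", "roles/storage.legacyObjectOwner"}

def gcr_bucket(project_id: str, host: str = "gcr.io") -> str:
    """Bucket backing a registry host: gcr.io -> artifacts.PROJECT.appspot.com,
    us/eu/asia.gcr.io -> REGION.artifacts.PROJECT.appspot.com."""
    if host == "gcr.io":
        return f"artifacts.{project_id}.appspot.com"
    region, _, rest = host.partition(".")
    if rest != "gcr.io":
        raise ValueError(f"not a Container Registry host: {host}")
    return f"{region}.artifacts.{project_id}.appspot.com"

def grant_pull(policy: dict, service_account: str) -> dict:
    """Copy of the bucket policy with the SA bound to objectViewer only.
    Idempotent; existing bindings and etag are left untouched."""
    member = f"serviceAccount:{service_account}"
    new = copy.deepcopy(policy)
    bindings = new.setdefault("bindings", [])
    for b in bindings:
        if b["role"] == PULL_ROLE:
            if member not in b["members"]:
                b["members"].append(member)
            return new
    bindings.append({"role": PULL_ROLE, "members": [member]})
    return new

def object_readers(policy: dict) -> set:
    """Principals the bucket policy lets pull images (audit helper)."""
    return {m for b in policy.get("bindings", [])
            if b["role"] in OBJECT_READ_ROLES for m in b["members"]}

# Constructed sample policy: the default legacy bindings a GCR bucket starts with.
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/storage.legacyBucketOwner", "members": ["projectOwner:td-devops"]},
    {"role": "roles/storage.legacyBucketReader", "members": ["projectViewer:td-devops"]}],
    "etag": "CAE="}
NODE_SA = "gke-nodes@td-gke.iam.gserviceaccount.com"  # assumed node SA name

if __name__ == "__main__":
    updated = grant_pull(SAMPLE_POLICY, NODE_SA)
    print(gcr_bucket("td-devops"), sorted(object_readers(updated)))
```

Apply the returned policy with `gsutil iam set` on the bucket; because the legacy bucket roles do not include object read, `object_readers` on the untouched default policy is empty, which is why the node SA needs an explicit binding.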

References:
https://cloud.google.com/container-registry/docs/access-control
https://cloud.google.com/container-registry/docs/advanced-authentication#methods

Note: This question was extracted from our Google Certified Associate Cloud Engineer Practice Exams.


Reference:
https://cloud.google.com/container-registry
