- Container Registry is a container image repository to manage Docker images, perform vulnerability analysis, and define fine-grained access control.
- Automatically build and push images to a private registry when you commit code to Cloud Source Repositories, GitHub, or Bitbucket.
- You can push and pull Docker images to your private Container Registry utilizing the standard Docker command-line interface.
- The system creates a Cloud Storage bucket to store all of your images the first time you push an image to Container Registry.
- You have the ability to maintain control over who can access, view, or download images.
- Container Registry charges for the following:
  - Storing images on Cloud Storage
  - Network egress for containers stored in the registry
- Network ingress is free.
- If the Container Scanning API is enabled in either Container Registry, vulnerability scanning is turned on and billed for both products.
Validate Your Knowledge
Your company stores all of its container images on Google Container Registry in a project called td-devops. The development team created a Google Kubernetes Engine (GKE) cluster on a separate project and needs to download container images from the
What should you do to ensure that Kubernetes can download the images from Container Registry securely?
- In the td-devops project, assign the Storage Object Viewer IAM role to the service account used by the GKE nodes.
- Upon creating the GKE cluster, set the Access Scopes setting under Node Security to Allow Full Access to all Cloud APIs.
- Generate a P12 key for a new service account. Use the generated key as an imagePullSecrets in Kubernetes to access the private registry.
- In Google Cloud Storage, configure the ACLs on each container image stored and provide read-write access to the service account used by the GKE nodes.