Securing your connection to Container Registry

You can use private network connections to securely route your data in IBM Cloud® Container Registry.

If you use cloud-based services for production workloads, you can use a secure private connection so that you can ensure that you adhere to any compliance regulations. You can use IBM Cloud service endpoints to connect to IBM Cloud services over the private IBM Cloud network.

Service endpoints make it easier to securely route network traffic between different IBM Cloud services and your registry over the private IBM Cloud network. This network routing ensures that your data doesn't go over the public internet.

To learn more about IBM Cloud service endpoints, see Secure access to services by using service endpoints.

Using private network connections

You must set up your account with the correct authority so that you can set up a private network connection for pushing and pulling images.

IBM Cloud Container Registry is a multi-tenant offering and you are, therefore, not required to create your own service endpoints to connect to the registry over private connections.

Enabling service endpoint support for the account

To connect to IBM Cloud services over a private network, you must meet the following criteria.

You must be able to access the classic infrastructure.
You must enable virtual routing and forwarding (VRF) and connectivity to service endpoints for your account.
You must also have a billable account.

To enable your IBM Cloud account to use virtual routing and forwarding (VRF) and service endpoints, see Enabling VRF and service endpoints.

Considerations for private network connections

Private domain names aren't used by the container-registry CLI plug-in. If you push an image on the private domain name, and then use the CLI on a public connection to run the ibmcloud cr images command, the image is listed with all the other images that have the same public domain name.
If you have private IBM Cloud Kubernetes Service clusters, you aren't required to change anything. IBM Cloud Kubernetes Service already modifies the connection, which is referenced by the public domain name, to use a private connection. This behavior is unchanged.
- If you use IBM Cloud Kubernetes Service, you can optionally reference your images from private clusters by using the private registry domain name. However, you must create more imagePullSecrets for the extra domain names, see Understanding how to authorize your cluster to pull images from a registry.
Pull traffic is not charged for image pulls that use private connections.
If you use image signing and want to use the private domain names, you must re-sign any images that you already have because the domain name forms part of the signed artifact.

Pushing and pulling images

Private connections are available so that you can push and pull images. You use the same icr.io domain name, with the prefix private., see Regions.

You can't use private connections for image management operations by using the IBM Cloud Container Registry CLI.

Run the docker login command to authenticate with your registry. Replace <apikey> with your API keyA unique code that is passed to an API to identify the calling application or user. An API key is used to track and control how the API is being used, for example, to prevent malicious use or abuse of the API. and <private_registry_domain> with the private domain name where your namespaces are set up. The private domain names are described in Regions.

docker login -u iamapikey -p <apikey> <private_registry_domain>

IBM Cloud Container Registry supports other clients as well as Docker. To log in by using other clients, see Accessing your namespaces in automation.

For more information, see Automating access to IBM Cloud Container Registry.

Enforcing access to your account

You can prevent image pulls or pushes from IP addresses outside of certain network zones, including VPCs and private networks, by using IAM context-based restrictions.