Container Registry
Managed OCI-compatible registry with role-based access, HTTPS endpoints, and Kubernetes-native pull secret integration.
Why teams use it
Managed OCI-compatible registry with role-based access and HTTPS endpoints.
Tower Registry exposes Docker Registry HTTP API V2 and OCI-compatible storage with HTTPS endpoints, JWT identity, Docker CLI login, roles, and Kubernetes-native pull secrets.
Gateway-routed HTTPS endpoints, JWT identity and isolated storage.
Each registry gets a per-organization endpoint (for example, myregistry.hyd.cr.tower.cloud) with TLS termination via Kubernetes Gateway API and DNS-based HTTPRoute routing.
Authentication uses JWT from the platform identity provider, mapped to organization roles. Docker CLI login uses Basic auth compatibility for seamless local and CI usage.
Repositories are isolated per registry with strict content-type validation, overwrite-tag write policy, and structured logging plus OpenTelemetry tracing for API and lifecycle operations.
What you get on Day One
OCI-compatible registry workflows with built-in auth, secure networking, and organization-level access controls.
OCI-compatible protocol
Docker Registry HTTP API V2 support for Docker CLI, Podman, Buildah, and OCI tooling.
Role-based access
Owner, Admin, Developer, Reader, and anonymous (public-only pull) permissions mapped at organization scope.
Public and private modes
Create anonymous-pull public registries or fully authenticated private registries with pull-secret support.
Gateway networking
HTTPS-only access with dedicated port mapping, HTTPRoute-based routing, TLS cert management, and rate limiting.
Configuration & Platform Details
A concise reference for architecture reviews, security questionnaires, and platform integration planning.
Technical reference
- Protocol: Docker Registry HTTP API V2. Compatible with Docker CLI, Podman, Buildah, and all OCI-compliant tools.
- Access: Per-organization HTTPS endpoint with custom domain (e.g., myregistry.hyd.cr.tower.cloud). TLS termination via Gateway API.
- Authentication: JWT-based via platform identity provider. Role-based access mapped from organization roles. Basic auth for Docker CLI login.
- Public registries: Anonymous pull access without credentials. Push still requires an authenticated owner/admin/developer role.
- Private registries: All operations require authentication. Pull credentials are stored as Kubernetes secrets for seamless pod integration.
- Storage: Images are stored in isolated hosted repositories per registry. Strict content-type validation is enforced. Write policy: allow (overwrite tags supported).
- Networking: HTTPS-only. Each registry gets a unique port mapping and HTTPRoute for DNS-based routing. Kubernetes Gateway API with TLS certificate management.
- Security: Rate limiting (500 requests per 10 minutes per IP). Security headers via Helmet. CORS configurable. Namespace-level network isolation.
- Monitoring: OpenTelemetry tracing enabled. Structured JSON logging for all API and lifecycle operations.
- Role-based access: All roles are organization-wide, so granting a role gives access to all registries within that organization.