Container Registry
Managed OCI-compatible registry with role-based access, HTTPS endpoints, and Kubernetes-native pull secret integration.
Pricing
Container Registry uses storage-based pricing via Container Registry Storage SKUs. Capacity scales with your retained image layers, tags, and pull patterns.
Managed container registry, built for OCI workflows.
Container Registry gives each organization an isolated, HTTPS endpoint for storing and distributing OCI images with standard Docker Registry API V2 semantics.
It works with Docker CLI, Podman, Buildah, and CI pipelines without custom tooling. Teams use the same push and pull flows while centralizing access control, auditability, and image lifecycle operations.
Public and private registry modes are supported, with organization-wide role mapping and Kubernetes-native pull secret integration for workload deploys.
Gateway-routed HTTPS endpoints, JWT identity and isolated storage.
Each registry gets a per-organization endpoint (for example, myregistry.hyd.cr.tower.cloud) with TLS termination via Kubernetes Gateway API and DNS-based HTTPRoute routing.
Authentication uses JWT from the platform identity provider, mapped to organization roles. Docker CLI login uses Basic auth compatibility for seamless local and CI usage.
Repositories are isolated per registry with strict content-type validation, overwrite-tag write policy, and structured logging plus OpenTelemetry tracing for API and lifecycle operations.
What you get on Day One
OCI-compatible registry workflows with built-in auth, secure networking, and organization-level access controls.
OCI-compatible protocol
Docker Registry HTTP API V2 support for Docker CLI, Podman, Buildah, and OCI tooling.
Role-based access
Owner, Admin, Developer, Reader, and anonymous (public-only pull) permissions mapped at organization scope.
Public and private modes
Create anonymous-pull public registries or fully authenticated private registries with pull-secret support.
Gateway networking
HTTPS-only access with dedicated port mapping, HTTPRoute-based routing, TLS cert management, and rate limiting.
Configuration & Platform Details
A concise reference for architecture reviews, security questionnaires, and platform integration planning.
Technical reference
Protocol compatibility, authentication, security controls, and access model for managed container registries.
- Protocol
- Docker Registry HTTP API V2. Compatible with Docker CLI, Podman, Buildah, and all OCI-compliant tools.
- Access
- Per-organization HTTPS endpoint with a custom domain (e.g., myregistry.hyd.cr.tower.cloud). TLS termination via Gateway API.
- Authentication
- JWT-based via platform identity provider. Role-based access mapped from organization roles. Basic auth for Docker CLI login.
- Public registries
- Anonymous pull access without credentials. Push still requires authenticated owner/admin/developer role.
- Private registries
- All operations require authentication. Pull credentials stored as Kubernetes secrets for seamless pod integration.
- Storage
- Images stored in isolated hosted repositories per registry. Strict content type validation enforced. Write policy: allow (overwrite tags supported).
- Networking
- HTTPS-only. Each registry gets a unique port mapping and HTTPRoute for DNS-based routing. Kubernetes Gateway API with TLS certificate management.
- Security
- Rate limiting (500 requests per 10 minutes per IP). Security headers via Helmet. CORS configurable. Namespace-level network isolation.
- Monitoring
- OpenTelemetry tracing enabled. Structured JSON logging for all API and lifecycle operations.
- Role-based access
- All roles are organization-wide — granting a role gives access to all registries within that organization.
- Owner
- Push images: Yes. Pull images: Yes. Create registries: Yes. Delete registries: Yes. Browse images: Yes.
- Admin
- Push images: Yes. Pull images: Yes. Create registries: Yes. Delete registries: Yes. Browse images: Yes.
- Developer
- Push images: Yes. Pull images: Yes. Create registries: Yes. Delete registries: Yes. Browse images: Yes.
- Reader
- Push images: No. Pull images: Yes. Create registries: No. Delete registries: No. Browse images: Yes.
- Anonymous (public only)
- Push images: No. Pull images: Yes. Create registries: No. Delete registries: No. Browse images: No.
- Create registry
- One-click creation with automatic HTTPS endpoint, TLS certificate, pull secret, and role setup. Public or private.
- Delete registry
- Full cascade cleanup — removes repository, roles, privileges, networking routes, and Kubernetes secrets.
- Browse images
- View all images, tags, sizes, and folder structure within a registry via API.
- Get credentials
- Retrieve Docker login credentials for CLI access. Pull secrets are available in Kubernetes-native dockerconfigjson format.
- Multiple registries
- Organizations can create multiple registries. All share organization-wide role-based access.
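The "Private registries" and "Get credentials" entries above name the dockerconfigjson pull-secret format without showing it. The following is an added example, not the platform's own code: it builds such a Secret manifest and audits one for the issues a reviewer would check (wrong type, credentials for unexpected hosts, an inconsistent auth field). The secret name, namespace, username and token are constructed placeholders, and the helper names are hypothetical.

```python
import base64
import json

SECRET_TYPE = "kubernetes.io/dockerconfigjson"
# Example endpoint taken from the page; credentials used with it are constructed.
HOST = "myregistry.hyd.cr.tower.cloud"


def build_pull_secret(name, namespace, registry_host, username, password):
    """Return a Secret manifest (dict) holding one registry credential."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    config = {"auths": {registry_host: {
        "username": username, "password": password, "auth": auth}}}
    return {
        "apiVersion": "v1", "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": SECRET_TYPE,
        # Values under .data are base64-encoded by Kubernetes convention.
        "data": {".dockerconfigjson":
                 base64.b64encode(json.dumps(config).encode()).decode()},
    }


def audit_pull_secret(secret, expected_host):
    """Return a list of findings; an empty list means the secret looks sound."""
    findings = []
    if secret.get("type") != SECRET_TYPE:
        findings.append("wrong secret type")
    raw = secret.get("data", {}).get(".dockerconfigjson")
    if raw is None:
        return findings + ["missing .dockerconfigjson key"]
    try:
        auths = json.loads(base64.b64decode(raw, validate=True))["auths"]
        if not isinstance(auths, dict):
            raise TypeError("auths must be an object")
    except (ValueError, KeyError, TypeError):
        return findings + ["payload is not valid dockerconfigjson"]
    if expected_host not in auths:
        findings.append(f"no credential for {expected_host}")
    for host, entry in auths.items():
        if host != expected_host:
            # A pull secret should carry only the registry the workload needs.
            findings.append(f"extra credential for {host}")
        if isinstance(entry, dict) and {"username", "password", "auth"} <= entry.keys():
            want = f"{entry['username']}:{entry['password']}".encode()
            if base64.b64encode(want).decode() != entry["auth"]:
                findings.append(f"auth field disagrees with username/password for {host}")
    return findings
```

Serialising the returned dict with `json.dumps` gives a manifest that `kubectl apply -f` accepts, since Kubernetes reads JSON manifests as well as YAML.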