DEV Community

Eionel

What to Look For When Evaluating a Container Registry Solution

Kubernetes is quickly becoming the de facto operating system for the cloud. It delivers common APIs and services for running software distributed on modern cloud-based infrastructure. With strong support from all of the cloud technology mega-players, it has already been adopted by thousands of cloud-based software projects. This is great! Right?

Setting up a Kubernetes service has become relatively easy, whether on-premises or in a public cloud. However, establishing a validated container registry solution that keeps the software supply chain secure isn't easy. There are many container registry solutions, and choosing one that meets enterprise requirements is challenging. The right solution needs to validate, enforce compliance on, automate and organize images and workloads securely.

First, organizations need to decide whether they want a private or a public registry. Generally speaking, public repositories make sense for individuals and small teams that want to get up and running relatively quickly. That being said, public repositories lack security features such as privacy and access control, which makes it impossible for them to meet enterprise requirements.

Organizations that want to scale their container initiatives require a private container registry that meets enterprise standards. The solution needs to be able to scan for vulnerabilities, ensure role-based access control management, optimize for automation, and support various authentication systems.

Container registries play a crucial role in any container management strategy. In this blog, I will address the different types of container registries and how to select one to meet enterprise requirements.

Public vs Private Registries

Although adopting an image registry may seem straightforward, not all registry solutions are built equally, and they offer significant differences. Let’s take a look at the most commonly used registry types: public and private registries.

Public Registries

Public registries like Docker Hub are a common part of many container management strategies. Public solutions are quite basic and easy to use, and small teams and organizations can leverage them to get up and running relatively quickly. The caveat comes when you begin to scale and share images among thousands of developers and locations. Public registries offer only basic functionality and do not work well when trying to meet enterprise needs and requirements. As use of the registry grows, the images it holds become a larger attack surface and a security concern. This is where public solutions may begin to fall short of expectations.

With the recent news of Log4j's security vulnerabilities, scanning your images for vulnerabilities is more important than ever. However, the majority of public registry solutions cannot scan images for vulnerabilities and thus do not meet enterprise requirements. Public cloud providers are not foolproof either: public clouds are not invulnerable, and outages do occur. Enterprises that need to meet regulatory requirements require a foolproof solution.

Private Registries

Private registries are usually the go-to solution for secure enterprise container management strategies, and for good reason. As mentioned above, public registries rarely meet enterprise requirements and are susceptible to many vulnerabilities. Enterprises need a private registry solution that meets all of their use cases.

Evaluating the right container registry solution is never easy; the solution needs to meet several use cases. The most robust private registries can secure the software supply chain, store and manage images, and meet governance and compliance requirements.

Now that we understand public and private registries, let’s go into depth on what to look for when evaluating a container registry solution.

Critical Container Registry Features

There are numerous use cases to consider when evaluating a container registry solution. One of the most important features to look for is mirroring policies for a repository.

When an image is pushed to a repository and meets the mirroring criteria, the registry automatically pushes it to a repository in a remote registry. The most robust container registry solution should meet each of these use cases: securing the software supply chain, storing and managing images, and meeting governance and compliance requirements.

Below, I will quickly showcase each feature needed to meet all three of the above use case requirements.

Enterprise Grade Registry Features

  • Access Control
    • IDM integration and role-based access control to enforce strict access controls
  • Image Scanning
    • Gain visibility into security vulnerabilities in images
  • Image Storage
    • Securely store images and make them available to all developers
  • Cache & Monitoring
    • Put images right where they are needed
  • Policy & Promotion
    • Enforce security controls with promotion policies
  • Image Lifecycle
    • Automatically manage images based on policy
  • Image Signing
    • Verify image authenticity before running

Each of the features listed above encompasses everything needed to secure the software supply chain, ensure images are stored securely, and meet compliance requirements. Evaluating and selecting the correct container registry solution is a critical component of any container management strategy.
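As an added example, not code from the original post or from any registry product, here is a small Python policy evaluator sketching how a private registry can tie the mirroring criteria described above to scan results and image signatures before it pushes an image to a remote repository. The registry hosts, repositories, digests, scan counts and policy fields are all constructed for illustration.

```python
# Added example, not code from the original post: a policy evaluator combining mirroring
# criteria, scan results and signature checks. Hosts, repos, digests and counts are constructed.
import fnmatch
import re
from dataclasses import dataclass, field

SEVERITY_ORDER = ["none", "low", "medium", "high", "critical"]

@dataclass
class PushEvent:
    repo: str                 # source repository, e.g. "team-a/api"
    tag: str                  # tag that was pushed
    digest: str               # manifest digest computed by the registry
    findings: dict = field(default_factory=dict)  # scanner severity -> finding count

@dataclass
class MirrorPolicy:
    repo_glob: str            # source repositories this policy covers
    tag_pattern: str          # regex a tag must fully match to qualify
    remote: str               # destination registry/repository prefix
    max_severity: str         # worst scanner severity still allowed through
    require_signature: bool   # refuse digests that carry no verified signature

def worst_severity(findings):
    """Highest severity present in the scan report ("none" for a clean image)."""
    return max((s for s, n in findings.items() if n), key=SEVERITY_ORDER.index, default="none")

def evaluate(event, policies, signed_digests):
    """Return (mirror targets pinned by digest, reasons matching policies refused)."""
    targets, refusals = [], []
    worst = worst_severity(event.findings)
    for p in policies:
        if not (fnmatch.fnmatch(event.repo, p.repo_glob) and re.fullmatch(p.tag_pattern, event.tag)):
            continue  # this policy does not cover the repository/tag that was pushed
        if SEVERITY_ORDER.index(worst) > SEVERITY_ORDER.index(p.max_severity):
            refusals.append(f"{p.remote}: scan found {worst} findings")
        elif p.require_signature and event.digest not in signed_digests:
            refusals.append(f"{p.remote}: digest is not signed")
        else:
            # Mirror by digest, not tag, so the remote receives exactly what was scanned.
            targets.append(f"{p.remote}/{event.repo}@{event.digest}")
    return targets, refusals

# Constructed policies: production takes only signed, clean semver releases;
# the staging mirror accepts anything pushed under the team's repositories.
POLICIES = [
    MirrorPolicy("team-a/*", r"v\d+\.\d+\.\d+", "eu.registry.example/prod", "medium", True),
    MirrorPolicy("team-a/*", r".*", "dev.registry.example/staging", "critical", False),
]
SIGNED_DIGESTS = {"sha256:" + "a" * 64}  # constructed: digests with a verified signature
```

Refusals are returned alongside the targets so the registry can log why an image stayed out of production rather than silently skipping it.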

Final Thoughts:

Getting started with a container registry in order to secure the software supply chain is a must. With the various types of registries currently available, teams and organizations need to understand which use case fits them best. From an enterprise perspective, security and policy management controls play a vital role in selecting the correct container registry. Smaller teams may opt for a public registry in order to move quickly. Below you will find a list of container registry solutions that you can get started with today.

Container Registry Solutions:

  1. Mirantis Secure Registry (formerly Docker Trusted Registry): an enterprise-grade container registry built to securely share, store and deploy container software anywhere.
  2. Amazon Elastic Container Registry: easily store, share, and deploy your container software anywhere.
  3. Google Container Registry: store, manage, and secure your Docker container images.
