Container Registry

• 1: Overview
• 1.1: Monitoring Metrics
• 1.2: ServiceWatch Metrics
• 2: How-to guides
• 2.1: Manage Repository
• 2.2: Manage Images and Tags
• 2.3: Manage Image Security Vulnerabilities
• 2.4: Manage Image Tag Deletion Policy
• 2.5: Use Container Registry with CLI
• 2.6: Example of Registry and Repository Policies
• 3: API Reference
• 4: CLI Reference
• 5: Release Note

1 - Overview

Service Overview

Container Registry is a service that provides a registry for storing and managing container images and OCI (Open Container Initiative) standard artifacts. Users can easily store, manage, and share images using the Docker CLI.

Features

• Simple registry management and image distribution: You can easily create a container registry for your project on Samsung Cloud Platform. By using the standard Docker CLI, you can easily pull images for deployment from the Container Registry, streamlining development and service deployment workflows.
• Efficient Container Image Storage: You can easily store container images anytime, anywhere. By integrating with Object Storage, you can store and retrieve images, enabling efficient image management. It also supports the Docker Registry V2 API specification for convenient use.
• Enhanced Security Registry Management: You can securely store and use images using Container Registry. Container Registry encrypts images stored in Object Storage and transfers images via HTTPS. Use resource-based IAM policies of Samsung Cloud Platform to set repository-specific access permissions, and you can use images according to the configured permissions.
• Container Image Vulnerability Analysis: Container Registry provides a feature that analyzes security vulnerabilities in stored container images. Users can view vulnerability results through a simple process of selecting and scanning an image, and can identify and remediate vulnerabilities based on the analysis results.

Service Architecture Diagram

Provided features

Container Registry provides the following features.

• Registry Management: Provides Container Registry creation, deletion, registry access control management (private), and visibility features.
• Repository Management: It is created under the Container Registry and provides functions to create, view, delete repositories, and set security policies.
• Image Management: Container images stored in the repository, providing image Push, image Pull, view, delete, applied tag management, and security policy configuration functions.
• Image Vulnerability Assessment: You can manually or automatically scan OS packages and language packages for security vulnerabilities, as well as secrets embedded in images stored in the Container Registry. Based on the scan results, users can identify and remove known vulnerabilities (CVE) and secrets to prevent the use of insecure images.

Component

Registry

The registry is a repository or collection of repositories used to store, access, and manage container images. Container registries can often support container‑based application development as part of the development and operations process. They can connect directly to container orchestration platforms such as Docker and Kubernetes. A registry acts as an intermediary that shares container images between systems, saving developers time in creating and delivering cloud‑native applications. In the case of Samsung Cloud Platform, it is provided in conjunction with Object Storage and transfers images over HTTPS.

repository

A repository is a logical management unit for image tags. Using a repository allows efficient management of image tags. A repository is a centralized virtual storage that developers use to modify and manage application source code. When developing applications, if there is a need to store and share various types of documents and source code, it enables developers to easily collaborate within the same account, edit simultaneously, and track/manage changes.

image

An image refers to something that includes all files and configuration values required to run a container. An image acts like a class that creates containers, and a container can be seen as the program or process that runs the image. For example, an Ubuntu image contains all files needed to run Ubuntu, and a MySQL image contains all files, IDs, passwords, port information, etc., required to run MySQL.

Preliminary Service

Container Registry has no prerequisite services.

1.1 - Monitoring Metrics

Container Registry monitoring metrics

The table below shows the monitoring metrics for Container Registry that can be viewed through Cloud Monitoring. For detailed usage of Cloud Monitoring, see the Cloud Monitoring guide.

1.2 - ServiceWatch Metrics

Container Registry sends metrics to ServiceWatch. The metrics provided by default monitoring are data collected at a 1‑minute interval.

Basic Metrics

The following are the basic metrics for the Container Registry namespace.

The indicators whose names are shown in bold below are the indicators selected as key metrics among the default metrics provided by Container Registry. Key metrics are used to compose the service dashboards that ServiceWatch automatically builds for each service.

Each metric guides users via the user guide on which statistical values are meaningful when viewing that metric, and among the meaningful statistics, the values displayed in bold are the primary statistics. In the service dashboard, you can view key metrics using the primary statistical values.

2 - How-to guides

Users can create a service by entering the required information for the Container Registry service and selecting detailed options through the Samsung Cloud Platform Console.

Create Container Registry

You can create and use the Container Registry service in the Samsung Cloud Platform Console.

Follow these steps to create a Container Registry service.

1. Click the All Services > Container > Container Registry menu. Navigate to the Service Home page of Container Registry.
2. Click the Create Registry button on the Service Home page. You will be taken to the Create Registry page.
3. Registry creation page: enter the information required to create a service and select detailed options.
   • Enter or select the required information in the Service Information Input area.

     Category	Required status	Detailed description
     registry name	Required	The registry name created by the user must start with a lowercase English letter and be entered using lowercase English letters and numbers, with a length of 3 to 25 characters
     endpoint	Required	Set access type for registry endpoint Private: Only private endpoint access control items can be set Private&Public: Both private endpoint access control items and public endpoint access control can be set
     Private endpoint access control	Select	Private endpoint access control settings If you select Use, you can configure it so that only specific resources within the same region’s account, such as the registry, can be accessed Click Add for private access allowed resources to add resources that can access the registry using the private endpoint If Use is not selected, access is allowed from resources in all subnets within the same region
     Public endpoint access control	Selection	Public endpoint access control settings If you select Use, you can configure it so that only specific IPs in the same region as the registry can access it. Click Add for the allowed public access IP to add the IPs and resources that can access the registry using the public endpoint. If Use is not selected, access is allowed from resources in all subnets within the same region.
     Visibility	Selection	Anonymous access setting for registry read (Pull) operations Selecting Public allows unauthenticated anonymous users to perform read operations (Anonymous Pull) on all registry content. This setting can be enabled as Public only when creating the service.

     Table. Container Registry Service Information Input Items
     Caution

     • If you do not select the use of private endpoint access control, the customer’s registry may be exposed to other resources within the Samsung Cloud Platform.
     • If you do not select the use of public endpoint access control, external IP access is possible in an internet environment, so the user’s bucket may be exposed externally via the internet. If external access is not required, uncheck the usage checkbox to minimize security threats.
   • In the Additional Information Input area, enter or select the required information.

     Category	Required status	Detailed description
     tag	Selection	Add Tag Up to 50 can be added per resource After clicking the Add Tag button, enter or select Key, Value values

     Table. Container Registry Additional Information Input Fields
4. Check the detailed information and estimated billing amount generated in the Summary panel, and click the Create button.
   • When creation is complete, check the created resource on the Registry list page.

View detailed information of Container Registry

The Container Registry service allows you to view and edit the full list of resources and detailed information. Container Registry Details page consists of Details, Tags, Activity Log tabs.

To view the Container Registry details, follow these steps.

1. Click the All Services > Container > Container Registry menu. You will be taken to the Service Home page of Container Registry.
2. On the Service Home page, click the Registry menu. You will be taken to the Registry List page.
3. On the Registry List page, click the resource (Registry) to view its details. You will be taken to the Registry Details page.
   • Registry Details page displays the Registry’s status information and detailed information, and consists of Details, Tags, Activity Log tabs.

     Category	Detailed description
     Registry status	Registry status Creating: in progress Running: creation complete/operating normally Editing: configuration being changed Terminating: being deleted Error: error occurred Unknown: unknown
     User Guide	Guide to Using a CLI-Based Registry
     Service termination	Button to cancel the service

     Table. Container Registry status information and additional features

Detailed Information

On the Registry list page, you can view detailed information of the selected resource and edit the information if needed.

tag

Registry list page lets you view, add, modify, or delete tag information for the selected resource.

Job History

On the Registry list page, you can view the operation history of the selected resource.

Terminate Container Registry

You can cancel unused Container Registries to reduce operating costs. However, if you cancel the service, any running services may be stopped immediately, so consider the impact of service interruption carefully before proceeding with the cancellation.

To cancel the Container Registry, follow these steps.

1. Click the All Services > Container > Container Registry menu. Navigate to the Service Home page of Container Registry.
2. On the Service Home page, click the Registry menu. You will be taken to the Registry List page.
3. Registry List On the page, click the resource (Registry) to view detailed information. You will be taken to the Registry Details page.
4. On the Registry Details page, click Service Cancellation.
5. Click the checkbox to confirm cancellation and enter the Registry name to delete.
6. When you enter the Registry name correctly, the Confirm button becomes active. Click the Confirm button.
7. When termination is complete, check on the Registry list page whether the resource has been terminated.

2.1 - Manage Repository

A repository is a logical management unit for images within a registry. Using a repository, you can set the default security policy for images created underneath.

Creating a Repository

To create a repository, follow these steps.

1. Click the All Services > Container > Container Registry menu. Go to the Service Home page of Container Registry.
2. On the Service Home page, click the Repository menu. You will be taken to the Repository List page.
3. On the Repository list page, click the Create Repository button. You will be taken to the Create Repository page.
   • Repository list At the top of the page, click the Settings icon to select an existing registry, or click Create new to create a registry.
4. On the Repository creation page, enter the required information and select the detailed options.
   • Enter or select the required information in the Service Information Input area.

     Category	Required	Detailed description
     registry name	Required	Select the registry name for creating the repository If no registry has been created, you can create a new one using the Create New button
     Repository name	Required	Repository name to create Enter using lowercase English letters, numbers, and special characters (-) with a length of 3 to 30 characters (the start and end must be lowercase English letters or numbers only)

     Table. Repository Service Information Input Items
   • In the Repository Basic Policy Input area, enter or select the required information.

     Category	Required	Detailed description
     Image scan	option	Automatic scanning of image vulnerabilities generated in the repository and setting scan exclusion policies You can set the default scan policy applied when an image is created in the repository If you set automatic scanning to enabled, the image’s vulnerabilities are automatically checked when the image is pushed. In this case, the vulnerability scanning cost is billed. If you set the scan exclusion policy to enabled, you can specify which inspection targets and vulnerabilities to exclude during image scanning. You can choose to exclude Language Package checks, Secret checks, and vulnerabilities without a Fix Version. Excludable vulnerabilities: you can select one of the following levels (None / Unknown / Negligible / Low / Medium / High / Critical) Exclude vulnerabilities at or below this level
     Image Pull limit	Option	Policy settings for enabling the image Pull restriction feature and its limit values for images generated in the repository You can set the default Pull restriction policy applied when an image is created in the repository If you set the Pull restriction for unscanned images to Enabled, pulling images that have not been vulnerability‑checked is not allowed If you set the Pull restriction policy for vulnerable images to Enabled, pulling an image is prohibited when Critical or High‑level vulnerabilities exceeding the specified values are found. The allowable input and selectable values for this policy are as follows Critical: 1 (default) ~ 9,999,999 High: 1 (default) ~ 9,999,999 Exclude vulnerabilities without a Fix Version When Enabled is selected, vulnerabilities lacking a Fix Version (i.e., when a vulnerable package/library has no patch version) are excluded from the Pull restriction policy
     Image lock status	option	You can set a lock to prevent deletion or updating of all images within the repository When the repository’s image lock status is Lock, the Lock/Unlock functions for individual images in the repository are disabled. Changing the image lock status of a repository that is in Lock state to Unlock enables the Lock/Unlock functions for individual images. Pushing new images is allowed.
     Delete image tags	option	You can set an automatic image deletion policy for images stored in the repository If you select Enabled for deletion policy activation, the image deletion policy is applied. If you set Untagged Image automatic deletion, Old Image automatic deletion items to Enabled, the corresponding image deletion policies are applied. Enter an automatic deletion period in the deletion policy; the image will be automatically deleted after the specified period has elapsed since its initial push. For detailed information on image tag deletion, see Image Tag Deletion Policy Management.

     Table. Repository Default Policy Input Items
   • In the Additional Information Input area, enter or select the required information.

     Category	Required status	Detailed description
     Explanation	Selection	Repository description Enter repository description
     tag	Selection	Add Tag Up to 50 can be added per resource After clicking the Add Tag button, enter or select Key, Value values

     Table. Repository Additional Information Input Items

5. Summary Check the detailed information and estimated billing amount generated in the panel, and click the Create button.
   • Once creation is complete, check the created resources on the Repository List page.

View repository details

Repository service allows you to view and edit the full list of resources and detailed information. The Repository Details page consists of Details, Tags, Activity History tabs.

To view the repository details, follow these steps.

1. Click the All Services > Container > Container Registry menu. Navigate to the Service Home page of Container Registry.
2. On the Service Home page, click the Repository menu. You will be taken to the Repository List page.
3. On the Repository List page, click the resource (Repository) to view detailed information. You will be taken to the Repository Details page.
   • Repository Details page displays the repository’s status information and detailed information, and consists of Details, Tags, Activity History tabs.

     Category	Detailed description
     Repository status	Repository status display Active: available state Deleting: deleting state Inactive: state where deletion failed, making it unavailable (only deletion request is possible) Editing: state where settings are being modified or sub-resources (images, tags) within the image are being deleted
     User Guide	Repository usage guide You can check the commands for using images within the repository via CLI
     Delete repository	Button to delete the repository

     Table. Status Information and Additional Functions

Detailed Information

Repository list page lets you view detailed information of the selected resource and edit the information if necessary.

tag

Repository list page allows you to view the tag information of the selected resource, and to add, modify, or delete it.

Job History

On the Repository list page, you can view the operation history of the selected resource.

Delete Repository

To delete a repository, follow these steps.

1. Click the All Services > Container > Container Registry menu. Navigate to the Service Home page of Container Registry.
2. Click the Repository menu on the Service Home page. You will be taken to the Repository List page.
3. Repository List page, click the resource (Repository) to view its details. You will be taken to the Repository Details page.
4. On the Repository Details page, click Delete Repository.
5. Delete Repository in the popup window, please enter the Repository name.
6. If you enter the Repository name correctly, the Confirm button becomes active. Click the Confirm button.
7. When the termination is complete, verify on the Repository list page that the resource has been terminated.

2.2 - Manage Images and Tags

An image is a logical management unit of a tag. Users can efficiently manage image versions using tags.

Create Image

To generate an image, the repository must be created first. For detailed information on creating a repository, see Repository Management.

• Images are created by pushing an image or OCI-standard artifact via the CLI using the registry endpoint.
• For instructions on pushing an image with the CLI, refer to the official documentation provided by the client tool you are using or see CLI 사용하기.

View image details

Image can view and edit the entire resource list and detailed information. The Image detail page consists of Details, Tags, Delete Policy Test tabs.

To view the image details, follow these steps.

1. Click the All Services > Container > Container Registry menu. Navigate to the Service Home page of Container Registry.
2. On the Service Home page, click the Image menu. You will be taken to the Image List page.
3. Image List Click the Settings icon at the top of the page and select the Registry name and Repository name where the Image to view detailed information is stored.
   • If the desired item is not available, click Create New to register a Registry and Repository, then you can select it.
4. On the Image List page, click the resource (Image) to view detailed information. You will be taken to the Image Detail page.
   • Image Details page displays the Image’s status information and detailed information, and consists of Details, Tags, Deletion Policy Test tabs.

     Category	Detailed description
     Image status	Image status representation Active: available state Deleting: deleting state Inactive: state where deletion failed and is not usable (only deletion request is possible) Editing: state where settings are being modified or image sub-resources (tags) are being deleted
     User Guide	CLI-based Image Usage Guide
     Delete Image	Delete image button

     Table. Image status information and additional functions

Detailed Information

Image list page lets you view detailed information of the selected resource and modify it if necessary.

Delete Image

To delete the Image, follow these steps.

1. Click the All Services > Container > Container Registry menu. Navigate to the Service Home page of Container Registry.
2. Click the Image menu on the Service Home page. You will be taken to the Image List page.
3. Image List Click the Settings icon at the top of the page and select the Registry name and Repository name where the Image to be deleted is stored, respectively.
4. Image List page, click the resource (Image) you want to delete. You will be taken to the Image Details page.
5. On the Image Details page, click the Delete Image button.
6. Image Delete When the popup appears, click the Confirm button.
7. After the deletion is complete, verify on the Image List page that the resource has been deleted.

Check detailed information of image tag

To view detailed information about the image tag, follow these steps.

1. Click the All Services > Container > Container Registry menu. Navigate to the Service Home page of Container Registry.
2. On the Service Home page, click the Image menu. You will be taken to the Image List page.
3. Image List Click the Settings icon at the top of the page and select the Registry name and Repository name where the Image to view detailed information is stored.
4. Image List page: click the resource (Image) to view detailed information. You will be taken to the Image Details page.
   • Image Details Click the Tags tab to the right of the Details tab at the top of the page. You will be taken to the Tags List page.

     column	Detailed description
     Tags	Tag name of the image Digest A single image Digest can have multiple tag names
     Digest	Image Digest value
     size	Image digest size
     Modification date	Image Digest (Tags) Modification Time
     Inspection date and time	Image Digest (Tags) Vulnerability Check Date and Time
     Vulnerability Assessment Results	Image Digest (Tags) Vulnerability Scan Results Summary of vulnerability count and a button to view scan results are displayed View Results button can be clicked to view detailed vulnerability analysis results for image tags
     status	Status of image Digest (Tags) Active: normal, usable state Deleting: being deleted Inactive: deletion failed, not usable (deletion request only)
     Copy URL	Copy endpoint URL for using image Digest You can copy the private/public endpoint URL to use in commands for image Digest
     More button	Menu for selecting deletion, modification, vulnerability assessment, and detailed usage guide for image Digest (Tags) Delete: Delete the specified image Digest (Tags) Edit Tags: In the tag edit window, you can modify the tag name of the image Digest Vulnerability Scan: Perform vulnerability assessment on image Digest (Tags) Detailed Usage Guide: View a guide for using image Digest (Tags) via CLI Tags Lock: Lock selected image Tags to prevent deletion or updates Tags Unlock: Unlock the lock to allow deletion or updates of selected image Tags

     Table. Tags list items

Detailed Information

Click the Tags of the image Digest whose details you want to view in the Tags list of the Image details. The detail window for the image Digest (Tags) will appear.

• In the tag details window, after reviewing the information and clicking Confirm, the window closes.

Delete image tag

To delete an image tag, follow these steps.

1. Click the All Services > Container > Container Registry menu. Navigate to the Service Home page of Container Registry.
2. On the Service Home page, click the Image menu. You will be taken to the Image List page.
3. Image List Click the Settings icon at the top of the page and select the Registry name and Repository name where the Image to view detailed information is stored.
4. Image List On the page, click the resource (Image) to view detailed information. Image Details page will be opened.
   • Image Detail page, click the Tags tab to the right of the Details tab at the top of the page. You will be taken to the Tags List page.
5. From the Tags list, select the checkbox located to the left of the tag you want to delete, then click Delete.
   • By selecting the checkboxes of multiple items, you can delete multiple tags at once, and you can select and delete up to 50 tags at a time.
   • You can delete tags one by one by clicking the Delete button inside the More button located at the far right of the tag to be deleted.
6. Delete Tags When the popup window opens, click Confirm.
7. After deletion is complete, check on the Tags list page whether the resource has been removed.

Testing image tag deletion policy

To test the configured image tag deletion policy, follow these steps.

1. All Services > Container > Container Registry menu, click it. Go to the Service Home page of Container Registry.
2. On the Service Home page, click the Image menu. You will be taken to the Image list page.
3. Image List Click the Settings icon at the top of the page and select the Registry name and Repository name where the Image to view detailed information is stored.
4. Image List page: click the resource (Image) to view detailed information. You will be taken to the Image Details page.
   • Image Details On the top of the page, click the Delete Policy Test tab to the right of the Details tab. You will be taken to the Delete Policy Test tab page.
5. Delete Policy Test tab page, click the Policy Test button for the Tags item to be deleted. The delete policy test will run.
6. When the delete policy test execution notification popup opens, click the Confirm button.
   • When the test execution request is completed, the phrase Deletion policy test execution request has been completed is displayed.
7. When the deletion policy test is complete, check the test results.
   • Tags to be deleted field displays the image tags (digests) that are subject to the deletion policy.

2.3 - Manage Image Security Vulnerabilities

By using the image security vulnerability scanning feature, you can manually or automatically scan OS package security vulnerabilities in images stored in Container Registry and the Secrets contained within the images. Based on the scan results, users can identify and remove known vulnerabilities (CVE) and Secrets, preventing the use of insecure images.

Vulnerability assessment support information

Supported OS

• The vulnerability scanning feature supports checking libraries installed via the package manager on the following operating systems.

Supported Language

• The vulnerability assessment feature supports checks for the following Language.

Support Secret

• The vulnerability scanning feature supports the following types of Secrets contained in the image.

Checking image security vulnerabilities (manual)

To check image security vulnerabilities, follow the steps below.

1. Click the All Services > Container > Container Registry menu. Navigate to the Service Home page of Container Registry.
2. On the Service Home page, click the Image menu. You will be taken to the Image List page.
3. Image List Click the Settings icon at the top of the page and select the Registry name and Repository name where the Image for detailed information is stored.
4. On the Image List page, click the resource (Image) to check for security vulnerabilities. You will be taken to the Image Details page.
   • Image Details Click the Tags tab to the right of the detailed information tab at the top of the page. You will be taken to the Tags tab page.
5. On the Tags tab page, click the More button located at the far right of the tag you want to check for security vulnerabilities, then click Vulnerability Check.
6. When the vulnerability check notification popup opens, click the Confirm button.
   • When the inspection starts, the phrase Vulnerability assessment will be performed. is displayed.
   • When the inspection is finished, the Vulnerability Inspection Results item displays a summary of the inspection results and a View Results button. Clicking the View Results button opens a popup that shows detailed analysis of Vulnerabilities by Image Digest (Tags).
     Reference

     • Click the View Results button to see the detailed vulnerability analysis results for the image tag.
       • After a vulnerability scan, if a red exclamation mark icon (!) appears in the scan date/time field, it means the vulnerability scan list for the Container Registry service has been updated. Click Vulnerability Scan to re‑scan, as new vulnerability items need to be checked for the image Digest (Tags).

View Image Security Vulnerability Scan Results

To view the vulnerability assessment results, follow these steps.

1. Click the All Services > Container > Container Registry menu. Navigate to the Service Home page of Container Registry.
2. On the Service Home page, click the Image menu. You will be taken to the Image List page.
3. Click the Settings icon at the top of the Image List page and select the Registry name and Repository name where the Image to be inspected is stored.
4. Image List page, click the resource (Image) to check for security vulnerabilities. You will be taken to the Image Details page.
   • Image Details Click the Tags tab on the right side of the detailed information tab at the top of the page. You will be taken to the Tags tab page.
5. On the Tags tab page, click the View Results button of the Vulnerability Check Result item for the tag whose vulnerability check results you want to view.
6. Image Tags Vulnerabilities Check the results in the popup window that displays the detailed analysis results.

View inspection results by vulnerability

Image Tag Vulnerabilities On the detailed page’s Vulnerabilities tab, you can view the image security vulnerability assessment results for each vulnerability.

In the Vulnerability tab, you can view the list of all discovered vulnerabilities.

View inspection results by package

Image Tag Vulnerabilities On the detail page, clicking the Package tab navigates to the package-specific vulnerability page. In the Package tab, you can view the image security vulnerability assessment results by package.

In the Package tab, you can view the full list of packages and the lists of packages with detected vulnerabilities and without detected vulnerabilities.

Check inspection results by secret unit

Image Tag Vulnerabilities On the detail page, clicking the Secret tab takes you to the vulnerability page for each secret. You can view the image security vulnerability assessment results by secret.

In the Secrets tab, you can view the complete list of secret files, as well as the lists of files with detected vulnerabilities and files without detected vulnerabilities.

2.4 - Manage Image Tag Deletion Policy

Users can register and manage image tag deletion policies.

Manage image tag deletion policy

The image tag deletion policy refers to a policy that automatically deletes an image after a specified period has elapsed since the image was first pushed to the repository. Enabling the image tag deletion policy causes image tags (digests) stored in the Container Registry to be automatically deleted according to the configured deletion policy.

Support Deletion Policy Information

Describes policy information that supports the removal of image tags.

Support Policy

Supports policies that enable automatic deletion and retention period settings for image tags (digests).

Setting the image tag (digest) deletion policy

To set the image tag (digest) deletion policy, follow these steps.

1. Click the All Services > Container > Container Registry menu. Navigate to the Service Home page of Container Registry.
2. On the Service Home page, click the Image menu. You will be taken to the Image List page.
3. Click the gear button at the top of the Image List page. The Registry/Repository Settings popup will open.
4. Registry/Repository Settings In the popup window, select the Registry name and Repository name where the image to set the deletion policy is stored, and click the Confirm button.
5. On the Image List page, click the resource (Image) for which you want to set the deletion policy. You will be taken to the Image Details page.
6. On the Image Detail page, in the Detail Information tab, click the Edit icon of the Delete Image Tag item. The Edit Delete Image Tag popup opens.
7. Image Tag Delete Edit In the popup window, enter and select the activation status and required information, then click the Confirm button.
   • If you select Enable for Deletion policy activation, image tags (digests) will be automatically deleted according to the configured deletion policy.
   • Select the deletion policy to apply and enter the period from when the image is first pushed to the repository until it is automatically deleted.
8. When the edit notification popup opens, click the Confirm button.
   • When the modification is complete, the message Image tag removal edit was successful will be displayed.

Testing image tag (digest) deletion policy

To test the image tag (digest) deletion policy, follow these steps.

1. Click the All Services > Container > Container Registry menu. Navigate to the Service Home page of Container Registry.
2. On the Service Home page, click the Image menu. You will be taken to the Image List page.
3. Image list Click the gear button at the top of the page. Registry/Repository settings A popup window will open.
4. Registry/Repository Settings In the popup window, select the Registry name and Repository name where the image to set the deletion policy is stored, and click the Confirm button.
5. Image List page, click the resource (Image) to test the deletion policy. You will be taken to the Image Details page.
6. On the Image Detail page, click the Delete Policy Test tab. You will be taken to the Delete Policy Test tab page.
7. On the Delete Policy Test tab page, to test the configured delete policy, click the Policy Test button below the target Tags.
8. When the delete policy test execution notification popup opens, click the Confirm button.
   • When the test execution request is completed, the message Deletion policy test execution request has been completed is displayed.
   • When the test is completed, the Deletion Target Tags item will display the image tags (digests) that are subject to the deletion policy.

2.5 - Use Container Registry with CLI

This explains how to log in to the Container Registry using CLI commands and manage container images and Helm charts.

Managing container images with CLI

You can log in to the Container Registry using CLI commands and push or pull container images.

Log in to the Container Registry

The user can log in to the Container Registry using an authentication key.

Log in with an authentication key

Log in using the authentication key’s AccessKey, SecretKey, and the registry endpoint.

• Registry endpoint: can be found on the Container Registry Details page.
• Private endpoint: [registryname-registryid].scr.private.[region].[offering].samsungsdscloud.com

1 docker login <registry_endpoint>
2 Username: <accessKey>
3 Password: <secretKey>

Push image

To push an image to the registry, refer to the following command.

1 docker push [registryname]-[registryid].scr.private.[region].[offering].samsungsdscloud.com/[repository]/[image:tag]

Pull image

To pull an image from the registry, refer to the following command.

1 docker pull [registryname]-[registryid].scr.private.[region].[offering].samsungsdscloud.com/[repository]/[image:tag]

Managing Helm charts with CLI

You can log in to the Container Registry using CLI commands and push or pull Helm charts.

Log in to Container Registry

The user can log in to the Container Registry using an authentication key.

Log in with authentication key

Log in using the authentication key’s AccessKey, SecretKey, and the registry endpoint.

• Registry endpoint: Container Registry Details can be found on the page.
• Private endpoint : [registryname-registryid].scr.private.[region].[offering].samsungsdscloud.com

1 helm registry login <registry_endpoint>
2 Username: <accessKey>
3 Password: <secretKey>

Push chart

To push a chart to the registry, refer to the following command.

1 helm push [hello-world-0.1.0].tgz oci://[registryname]-[registryid].scr.private.[region].[offering].samsungsdscloud.com/[mychart]

If you write and execute the command as shown in the example, it saves (uploads) the chart by applying the 0.1.0 tag to the hello-world image in the mychart repository.

• To push a chart to a registry, you need the LoginContainerRegistry permission for the registry you will use and the PushRepositoryImages permission for the repository.
• For detailed information on policies and permission settings, see Management > IAM > Policies.

Pull chart

To pull a chart from the registry, refer to the following command.

1 helm pull oci://[registryname]-[registryid].scr.private.[region].[offering].samsungsdscloud.com/[mychart/hello-world] -version [0.1.0]

By writing and executing the command as shown in the example, you download the chart stored with tag 0.1.0 in the hello-world image of the mychart repository.

• To pull a chart from a registry, you need the LoginContainerRegistry permission for the registry you will use and the PullRepositoryImages permission for the repository.
• For detailed information on policies and permission settings, see Management > IAM > Policy.

2.6 - Example of Registry and Repository Policies

After creating the Samsung Cloud Platform Container Registry (hereinafter SCR) service, an endpoint is provided. This endpoint provides an example policy that grants specific permissions when using SCR.

Allow pulling all repository images created in all registries

If you apply the ScrPullOnlyAccess policy provided as an IAM default policy, you can grant IAM users and user groups permission to pull all repository images created in all registries within the account.

To allow pulling all repository images created in all registries, follow these steps.

1. All Services > Management > IAM Click the menu. 1. Navigate to the Service Home page of Identity and Access Management (IAM).
2. On the Service Home page, click the Policy menu. 2. Go to the Policy List page.
3. On the Policy List page, select ScrPullOnlyAccess. 3. Policy Details navigate to the page.
4. On the Policy Details page, select the Connected Targets tab.
5. On the Connection Target tab page, connect the target to which you will grant permissions.
   • User: Click User Connection above the list to go to the User Connection page. * Select the user to connect and click Done to complete the user connection.
   • User Group: Click User Group Link above the list to go to the User Group Link page. * Select the user group to connect and click Done, and the user group connection will be completed.
   • Role: Click Role Link above the list to go to the role link page. * Select the role to connect and click Done to complete the role linking.

Allow pulling and pushing all repository images created in all registries

If you apply the ScrPullPushOnlyAccess policy provided as an IAM default policy, you can grant IAM users and user groups permission to allow Pull and Push for all repository images created in all registries within the account.

To allow Pull and Push for all Repository Images created in all Registries, follow these steps.

1. Click the All Services > Management > IAM menu. 1. Navigate to the Service Home page of Identity and Access Management (IAM).
2. On the Service Home page, click the Policy menu. 2. Go to the Policy List page.
3. On the Policy List page, select ScrPullPushOnlyAccess. 3. Navigate to the Policy Details page.
4. On the Policy Details page, select the Connection Targets tab.
5. On the Connection Target tab page, connect the target to which you will grant permissions.
   • User: Click User Connection above the list to go to the User Connection page. * Select the user to connect and click Done to complete the user connection.
   • User Group: Clicking User Group Link above the list navigates to the User Group Link page. * Select the user group to connect and click Done, and the user group connection will be completed.
   • Role: Click Role Link above the list to go to the role link page. * Select the role to connect and click Complete, then the role connection will be completed.

Allow pulling all repository images created in a specific registry

By applying the ScrPullOnlyAccess policy provided as an IAM default policy, you can create a policy that allows only Pull for all repository images created in a specific Registry.

To create a pull permission policy for all repository images created in a specific registry, follow these steps.

1. All Services > Management > IAM Click the menu. 1. Navigate to the Service Home page of Identity and Access Management (IAM).
2. On the Service Home page, click the Policy menu. 2. Go to the Policy List page.
3. On the Policy List page, click Create Policy.
4. On the Policy Creation page, enter the Basic Information Input fields and click Next.
5. On the Permission Settings page, click Load Policy.
6. Load Policy in the window’s list, select ScrPullOnlyAccess and click OK.
7. On the Permission Settings page, select the Individual Resource of the Applied Resources item.
8. Click Add Resource in the applied resource list.
9. In the Add Resource window, select container-registy from the resource type list. 9. In the resource detail list, check the registy resource you want to add, then click Confirm.
10. Check the individual resources you added in the applied resources list and click Next.
11. Check the input information and click Create. 11. Policy creation is complete.

Allow Image Pull and Push for a Specific Repository Created in a Specific Registry

If you apply the ScrPullPushOnlyAccess policy provided as a default IAM policy, you can create a policy that allows Pull and Push for a specific repository image created in a particular registry.

To create a policy that allows Pull and Push for a specific Repository Image created in a specific Registry, follow these steps.

1. All Services > Management > IAM Click the menu. 1. Navigate to the Service Home page of Identity and Access Management (IAM).
2. On the Service Home page, click the Policy menu. 2. Go to the Policy List page.
3. On the Policy List page, click Create Policy.
4. On the Policy List page, enter the items of Basic Information Input and click Next.
5. On the Permission Settings page, click Load Policy.
6. In the Load Policy window’s list, select ScrPullPushOnlyAccess and click OK.
7. On the Permission Settings page, select the Individual Resource of the Applied Resources item.
8. Click Add Resource in the applied resource list.
9. In the Add Resource dialog, select the following items.
   • Select container-registy from the resource type list. * In the resource detail list, check the registry resource to add, then click Confirm.
   • Select the repository from the resource type list. * In the resource detail list, check the repository resource to add, then click Confirm.
10. Verify the individual resources you added in the applied resource list and click Next.
11. Check the input information and click Create. 12. Policy creation is complete.

3 - API Reference

4 - CLI Reference

5 - Release Note

Container Registry