How-to guides
The user can enter the necessary information for the Container Registry service through the Samsung Cloud Platform Console and create the service by selecting detailed options.
Create Container Registry
You can create and use the Container Registry service in the Samsung Cloud Platform Console.
Note
You can create up to 2 Container Registries per Account (1 per visibility type).
To create a Container Registry service, follow these steps.
- Click the All services > Container > Container Registry menu. This takes you to the Service Home page of Container Registry.
- On the Service Home page, click the Create Registry button. This takes you to the Create Registry page.
- On the Create Registry page, enter the information required for service creation and select detailed options.
- In the Enter Service Information area, enter or select the required information.
| Classification | Necessity | Detailed Description |
|---|---|---|
| Registry Name | Required | The name of the registry created by the user<br>- Enter 3-25 characters using lowercase letters and numbers, starting with a lowercase letter |
| Endpoint | Required | Sets the access type for the registry endpoint<br>- If Private is selected, only private endpoint access control items can be set<br>- If Private&Public is selected, private endpoint access control items and public endpoint access control settings are available |
| Private Endpoint Access Control | Optional | Private Endpoint Access Control Settings<br>- Selecting Enable restricts access to specific resources within the Account in the same region as the registry<br>- Click Add Private Access Resource to add resources that can access the registry using a private endpoint<br>- If Enable is not selected, access is allowed from all subnets in the same region |
| Public Endpoint Access Control | Optional | Public Endpoint Access Control Settings<br>- Selecting Enable allows access to the registry only from specific IPs and from resources in the same region<br>- Click Add to add IPs and resources that are allowed to access the registry using the public endpoint<br>- If Enable is not selected, access from all subnets in the same region is allowed |
| Visibility | Optional | Setting for anonymous access to the read (Pull) operation of the registry<br>- Public allows unauthenticated anonymous users to perform read operations (Anonymous Pull) on all contents of the registry<br>- This setting can only be set to Public when the service is created |
Table. Container Registry service information input items
Caution
- If you do not enable private endpoint access control, your registry may be exposed to other resources within the Samsung Cloud Platform.
- If you do not enable public endpoint access control, access from external IPs over the internet is possible, so the user’s bucket may be exposed to the outside through the internet. If external access is not necessary, uncheck the use checkbox to minimize security threats.
- In the Enter Additional Information area, enter or select the required information.
| Classification | Necessity | Detailed Description |
|---|---|---|
| Tag | Optional | Add Tag<br>- Up to 50 can be added per resource<br>- Click the Add Tag button and enter or select Key, Value |
Table. Container Registry additional information input items
- In the Summary panel, review the detailed information and the estimated charge amount, and click the Complete button.
- After creation is complete, check the created resource on the Registry list page.
Check Container Registry Details
The Container Registry service allows you to view and modify the full list of resources and detailed information. The Container Registry details page consists of the Details, Tags, and Work History tabs.
To check the Container Registry details, follow these steps.
- Click the All services > Container > Container Registry menu. This takes you to the Service Home page of Container Registry.
- On the Service Home page, click the Registry menu. This takes you to the Registry list page.
- On the Registry list page, click the resource (Registry) whose detailed information you want to check. This takes you to the Registry details page.
- The Registry details page displays the status information and detailed information of the Registry, and consists of the Details, Tags, and Work History tabs.
| Classification | Detailed Description |
|---|---|
| Registry Status | Status of the registry<br>- Running: created/operating normally<br>- Editing: settings being changed<br>- Terminating: being deleted |
| Usage Guide | CLI-based Registry Usage Guide |
| Service Cancellation | Button to cancel the service |
Table. Container Registry status information and additional features
On the Registry List page, you can check the detailed information of the selected resource and modify the information if necessary.
| Classification | Detailed Description |
|---|---|
| Service | Service Name |
| Resource Type | Resource Type |
| SRN | Unique resource ID in Samsung Cloud Platform<br>- In the Container Registry service, it means the registry SRN |
| Resource Name | Resource Name<br>- In the Container Registry service, it means the registry name |
| Resource ID | Unique resource ID in the service |
| Creator | User who created the service |
| Creation Time | The time when the service was created |
| Editor | User who modified the service information |
| Modified Time | The time when service information was modified |
| Registry Name | Registry Title |
| Bucket Name | The name of the Samsung Cloud Platform Object Storage bucket where the registry’s data is stored |
| Usage | Data usage for the Object Storage bucket for the corresponding registry |
| Endpoint | Access type for the registry endpoint |
| Private Endpoint | Private endpoint URL available within Samsung Cloud Platform network<br>- Endpoint that provides compatibility with Docker and OCI Client Tool, used for Pull, Push Client commands<br>- Click the Copy button to copy the URL |
| Public Endpoint | Public endpoint URL available within Samsung Cloud Platform network |
| Private Endpoint Access Control | Private Endpoint Access Control Settings<br>- Click the Modify button to change access control usage and add or delete accessible resources<br>- When access control is used, only specific resources within the Account in the same region as the registry can access the registry<br>- When access control is not used, access is allowed from resources in all subnets in the same region |
| Public Endpoint Access Control | Public Endpoint Access Control Settings<br>- Click the Modify button to change access control usage and add or delete accessible IPs and resources<br>- When access control is used, access is allowed only for specific IPs within the Account in the same region as the registry<br>- When access control is not used, external IP access is possible in the internet environment |
| Visibility | Anonymous access setting for read (Pull) operations on the registry<br>- If set to Public, anonymous unauthenticated users are allowed to perform read operations (Anonymous Pull) on all contents of the registry<br>- This setting can only be set to Public when the service is created |
Table. Container Registry detailed information items
Tag
On the Registry List page, you can check the tag information of the selected resource, and add, change, or delete it.
| Classification | Detailed Description |
|---|---|
| Tag List | Tag list<br>- Tag Key, Value information can be checked<br>- Up to 50 tags can be added per resource<br>- When entering a tag, search and select from the existing Key and Value list |
Table. Registry Tag Tab Items
Work History
You can check the operation history of the resource selected on the Registry list page.
| Classification | Detailed Description |
|---|---|
| Work history list | Resource change history<br>- Work time, resource type, resource name, work details, work result, worker name, path information can be checked<br>- To search in detail, click the Detailed Search button |
Table. Work History Tab Detailed Information Items
Cancel Container Registry
You can cancel an unused Container Registry to reduce operating costs. However, canceling the service may stop the running service immediately, so fully consider the impact of stopping the service before you proceed with the cancellation.
Caution
- If there are items connected to the Registry, the Registry cannot be deleted. Cancel the connected services displayed in the Service Cancellation popup first, and then delete the Registry.
- When the service is terminated, all data, including the buckets connected to the Registry, will be deleted. Please note that data cannot be recovered after deletion.
To cancel the Container Registry, follow these steps.
- Click the All services > Container > Container Registry menu. This takes you to the Service Home page of Container Registry.
- On the Service Home page, click the Registry menu. This takes you to the Registry list page.
- On the Registry list page, click the resource (Registry) whose detailed information you want to check. This takes you to the Registry details page.
- On the Registry details page, click Service Cancellation.
- Click the checkbox to confirm cancellation and enter the Registry name to be deleted.
- If you enter the Registry name correctly, the Confirm button will be activated. Click the Confirm button.
- Once the cancellation is complete, please check if the resource has been cancelled on the Registry list page.
1 - Managing Repository
The repository is a logical management unit of images within the registry. Using a repository allows you to set the default security policy for images created below it.
Create a repository
To create a repository, follow these steps.
- Click the All services > Container > Container Registry menu. This takes you to the Service Home page of Container Registry.
- On the Service Home page, click the Repository menu. This takes you to the Repository list page.
- On the Repository list page, click the Create Repository button. This takes you to the Create Repository page.
- At the top of the Repository list page, click the Settings icon to select an existing registry, or click Create new to create a registry.
- On the Create Repository page, enter the necessary information and select detailed options.
- In the Service Information Input area, enter or select the required information.
| Classification | Mandatory | Detailed Description |
|---|---|---|
| Registry | Required | Select the name of the registry in which to create the repository<br>- If no registry has been created, one can be newly created through the New Creation button |
| Repository Name | Required | Name of the repository to be created<br>- Enter 3-30 characters using lowercase English letters, numbers, and the special character (-) (only lowercase English letters and numbers are allowed at the beginning and end) |
Table. Repository Essential Information Input Items
- In the Repository basic policy input area, enter or select the required information.
| Classification | Mandatory | Detailed Description |
|---|---|---|
| Image Scan | Optional | Automatic vulnerability scan and scan exclusion policy settings for images created in the repository<br>- The default scan policy that can be applied when an image is created in the repository can be set<br>- If automatic scanning is set to Use, the image is automatically checked for vulnerabilities when it is pushed, and the vulnerability check cost is charged<br>- If the scan exclusion policy is set to Use, you can specify the inspection targets and vulnerabilities to be excluded from the image scan as follows<br>- Inspection targets that can be excluded: Language Package inspection, Secret inspection, vulnerabilities without Fix Version<br>- Vulnerabilities that can be excluded: select one of the levels (None / Unknown / Negligible / Low / Medium / High / Critical); vulnerabilities at or below the selected level are excluded |
| Image Pull Limit | Optional | Policy setting for the image Pull limit function used in the repository and its limit values<br>- The default Pull limit policy that can be applied when an image is created in the repository can be set<br>- If the unscanned image Pull limit is set to Use, Pull of images that have not been scanned for vulnerabilities is not allowed<br>- If the vulnerable image Pull limit is set to Use, Pull of images with Critical or High level vulnerabilities exceeding the entered value is not allowed. The values that can be entered and selected in this policy are as follows<br>- Critical: 1 (default) ~ 9,999,999<br>- High: 1 (default) ~ 9,999,999<br>- Excluding vulnerabilities without Fix Version: if Use is selected, vulnerabilities without Fix Version (when there is no patch version for vulnerable packages/libraries) are excluded from the Pull limit policy |
| Image Lock Status | Optional | You can set a lock to prevent all images in the repository from being deleted or updated<br>- If the image lock status of the repository is Lock, the Lock/Unlock function of individual images in the repository is deactivated<br>- If the image lock status of the repository is changed from Lock to Unlock, the Lock/Unlock function of individual images is activated<br>- New image Push is possible |
| Image tag deletion | Optional | You can set an automatic deletion policy for images stored in the repository<br>- Selecting Use for deletion policy activation applies the image deletion policy<br>- Setting Untagged Image automatic deletion and Old Image automatic deletion to Use applies the corresponding image deletion policy<br>- Enter the automatic deletion period for the deletion policy, and the image will be automatically deleted after the set period has passed since it was first pushed |
Table. Repository Basic Policy Input Items
- In the Additional Information Input area, enter or select the required information.
| Classification | Mandatory | Detailed Description |
|---|---|---|
| Description | Optional | Repository Description<br>- Enter the repository description |
| Tag | Optional | Add Tag<br>- Up to 50 can be added per resource<br>- Click the Add Tag button and enter or select Key, Value |
Table. Input items for adding repository information
Reference
- The Repository basic policy input items set the default (initial) policy for Images created in the Repository. (They act as a policy setting template applied when an Image is created.)
- This setting can be changed on the details screen after the Repository is created, and the changed policy applies to Images created after the change. The policy of Images created before the change is not changed.
- The default policy set for an Image can be modified on the Image details screen.
- In the Summary panel, review the generated detailed information and the estimated billing amount, and click the Complete button.
- Once creation is complete, check the created resource on the Repository list page.
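The Image Pull Limit options in the basic policy table combine into one allow/deny decision per pull. The Python model below is an added illustration, not Samsung Cloud Platform code: the class, field and function names, the finding structure and the sample data are constructed, and it assumes that "exceeding the entered value" means a count strictly greater than the limit.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    """One vulnerability in a scan result (constructed structure)."""
    vuln_id: str
    severity: str                # "Critical", "High", "Medium", ...
    fix_version: Optional[str]   # None: no patched version exists


@dataclass(frozen=True)
class PullLimitPolicy:
    """Console options from the table; field names are hypothetical."""
    block_unscanned: bool = True    # unscanned image Pull limit = Use
    block_vulnerable: bool = True   # vulnerable image Pull limit = Use
    critical_limit: int = 1         # page: 1 (default) ~ 9,999,999
    high_limit: int = 1             # page: 1 (default) ~ 9,999,999
    exclude_no_fix: bool = False    # excluding vulnerabilities without Fix Version

    def __post_init__(self) -> None:
        for name in ("critical_limit", "high_limit"):
            if not 1 <= getattr(self, name) <= 9_999_999:
                raise ValueError(f"{name} must be between 1 and 9,999,999")


def evaluate_pull(policy: PullLimitPolicy,
                  findings: Optional[List[Finding]]) -> Tuple[bool, str]:
    """Return (allowed, reason). findings=None means the image was never scanned."""
    if findings is None:
        if policy.block_unscanned:
            return False, "denied: image has not been scanned"
        return True, "allowed: unscanned images are not restricted"
    if not policy.block_vulnerable:
        return True, "allowed: vulnerable-image limit is not in use"
    # With exclude_no_fix, findings that have no patched version are not counted.
    counted = [f for f in findings
               if not (policy.exclude_no_fix and f.fix_version is None)]
    critical = sum(1 for f in counted if f.severity == "Critical")
    high = sum(1 for f in counted if f.severity == "High")
    # Assumption: "exceeding the entered value" means count > limit.
    if critical > policy.critical_limit:
        return False, f"denied: {critical} Critical > limit {policy.critical_limit}"
    if high > policy.high_limit:
        return False, f"denied: {high} High > limit {policy.high_limit}"
    return True, f"allowed: {critical} Critical, {high} High within limits"


def denied_images(policy: PullLimitPolicy,
                  images: Dict[str, Optional[List[Finding]]]) -> List[str]:
    """Names of the images whose pull the policy would deny, sorted."""
    return sorted(name for name, findings in images.items()
                  if not evaluate_pull(policy, findings)[0])


# Constructed sample data: identifiers are placeholders, not real advisories.
SAMPLE_FINDINGS = [
    Finding("EXAMPLE-0001", "Critical", "2.4.1"),
    Finding("EXAMPLE-0002", "Critical", None),
    Finding("EXAMPLE-0003", "High", "1.0.9"),
    Finding("EXAMPLE-0004", "Medium", None),
]
SAMPLE_IMAGES = {
    "app:1.0": SAMPLE_FINDINGS,
    "app:1.1": [Finding("EXAMPLE-0003", "High", "1.0.9")],
    "base:latest": None,   # pushed but never scanned
}

if __name__ == "__main__":
    strict = PullLimitPolicy()
    relaxed = PullLimitPolicy(exclude_no_fix=True)
    for name, findings in SAMPLE_IMAGES.items():
        print(name, evaluate_pull(strict, findings), evaluate_pull(relaxed, findings))
```

With these constructed findings, turning on the Fix Version exclusion changes app:1.0 from denied to allowed, so review that option before enabling it on repositories that hold production images.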
The Repository service allows you to view and modify the full list of resources and detailed information. The Repository details page consists of the Details, Tags, and Work History tabs.
To check the repository details, follow these steps.
- Click the All services > Container > Container Registry menu. This takes you to the Service Home page of Container Registry.
- On the Service Home page, click the Repository menu. This takes you to the Repository list page.
- On the Repository list page, click the resource (Repository) whose detailed information you want to check. This takes you to the Repository details page.
- The Repository details page displays the status information and detailed information of the Repository, and consists of the Details, Tags, and Work History tabs.
| Classification | Detailed Description |
|---|---|
| Repository Status | Status of the repository<br>- Deleting: being deleted<br>- Inactive: deletion failed and the repository is unavailable (only a deletion request is possible)<br>- Editing: settings are being modified or sub-resources (images, tags) within the image are being deleted |
| Usage Guide | Repository Usage Guide<br>- CLI-based commands to use images within the repository can be checked |
| Repository Delete | Button to delete the repository |
Table. Status Information and Additional Functions
On the Repository list page, you can check the detailed information of the selected resource and modify the information if necessary.
| Classification | Detailed Description |
|---|---|
| Service | Service Name |
| Resource Type | Resource Type |
| SRN | Unique resource ID in Samsung Cloud Platform<br>- In Repository, it means the repository SRN |
| Resource Name | Resource Name<br>- In Repository, it means the name of the repository |
| Resource ID | Unique resource ID in the service |
| Creator | The user who created the repository |
| Creation Time | Repository Creation Time |
| Editor | The user who modified the repository |
| Revision Time | Repository Revision Time |
| Repository Name | The repository name created by the user |
| Image | Link to view the list of images stored in the repository |
| Description | The description that the user entered for the created repository |
| Image Scan | Automatic vulnerability scan and scan exclusion policy settings for images created in the repository<br>- Sets the default scan policy applied when an image is created in the repository (acts as a policy setting template applied when creating an image)<br>- Click the Edit button to change whether automatic vulnerability scanning and the scan exclusion policy are used, and their detailed policy<br>- If automatic scanning is set to Use, the image is automatically checked for vulnerabilities when it is pushed. This setting applies to images pushed after automatic scanning is set to Use, and the vulnerability check cost is charged during automatic scanning<br>- If the scan exclusion policy is set to Use, you can specify the inspection targets and vulnerabilities to be excluded during image scanning as follows<br>- Inspection targets that can be excluded: Language Package, vulnerabilities without Fix Version<br>- Vulnerabilities that can be excluded: select one of the levels (None / Unknown / Negligible / Low / Medium / High / Critical); vulnerabilities at or below the selected level are excluded |
| Image Pull Limit | Policy setting for the image Pull limit function used in the repository and its limit values<br>- The default Pull limit policy that can be applied when an image is created in the repository can be set (acts as a policy setting template applied when creating an image)<br>- Click the Modify button to change whether the image Pull limit function is used and its limit values<br>- If the unscanned image Pull limit is set to Use, Pull of images that have not been scanned for vulnerabilities is not allowed<br>- If the vulnerable image Pull limit is set to Use, Pull of images with Critical or High level vulnerabilities exceeding the entered value is not allowed; the values that can be entered and selected in this policy are as follows<br>- Critical: 1 (default) ~ 9,999,999<br>- High: 1 (default) ~ 9,999,999<br>- Excluding vulnerabilities without Fix Version: if Use is selected, vulnerabilities without Fix Version (no patch version for vulnerable packages/libraries) are excluded from the Pull limit policy |
| Image Lock | Sets a lock to prevent deletion or update of all images within the repository<br>- Click the Modify button to change the image lock<br>- If the image lock of the repository is Lock, the Lock/Unlock function of individual images within the repository is deactivated<br>- If the image lock of a repository in the Lock state is changed to Unlock, the Lock/Unlock function of individual images is activated<br>- New image Push is possible |
| Image Tag Deletion | Sets the automatic deletion policy for images stored in the repository<br>- Click the Modify button to change the image tag deletion policy<br>- If the deletion policy is set to Use, the image tag deletion policy can be applied<br>- If the Untagged Image Auto Deletion and Old Image Auto Deletion items of the deletion policy are set to Use, the corresponding image deletion policy is applied<br>- Enter the automatic deletion period in the deletion policy, and the image will be automatically deleted after the set period has passed since it was first pushed |
Table. Repository detailed information items
Tag
On the Repository list page, you can check the tag information of the selected resource, and add, change, or delete it.
| Classification | Detailed Description |
|---|---|
| Tag List | Tag list<br>- Check the Key, Value information of the tag<br>- Up to 50 tags can be added per resource<br>- Search and select from existing Key and Value lists when entering tags |
Table. Repository tag tab items
Work History
On the Repository list page, you can check the work history of the selected resource.
| Classification | Detailed Description |
|---|---|
| Work history list | Resource change history<br>- Work time, resource type, resource name, work details, work result, worker name, path information can be checked |
Table. Work history tab detailed information items
Delete repository
To delete a Repository, follow these steps.
- Click the All services > Container > Container Registry menu. This takes you to the Service Home page of Container Registry.
- On the Service Home page, click the Repository menu. This takes you to the Repository list page.
- On the Repository list page, click the resource (Repository) whose detailed information you want to check. This takes you to the Repository details page.
- On the Repository details page, click Delete Repository.
- In the Repository deletion popup window, enter the Repository name.
- If the Repository name is entered correctly, the Confirm button is activated. Click the Confirm button.
- Once the deletion is complete, check whether the resource has been deleted on the Repository list page.
Caution
If an Image exists in the Repository, you cannot delete the Repository. To delete the Repository, delete all Images in the Repository first, then delete the Repository.
2 - Managing Images and Tags
The image is a logical management unit of the tag. The user can efficiently manage the image version using the tag.
Creating an image
To create an image, a repository must be created first.
For more information about creating a repository, please refer to Managing Repositories.
The image is created by pushing an image or OCI standard artifact to the registry endpoint using the CLI.
For how to push an image using the CLI, refer to the official documentation provided by the client tool you are using or to Using CLI.
For Images, you can view and modify the full list of resources and detailed information. The Image details page consists of the Details, Tags, and Deletion Policy Test tabs.
To check the image details, follow these steps.
- Click the All services > Container > Container Registry menu. This takes you to the Service Home page of Container Registry.
- On the Service Home page, click the Image menu. This takes you to the Image list page.
- Click the Settings icon at the top of the Image list page and select the Registry name and the Repository name where the Image whose details you want to check is stored.
- If the desired item is not available, click Create New to register a Registry and Repository, and then select them.
- On the Image list page, click the resource (Image) whose detailed information you want to check. This takes you to the Image details page.
- The Image details page displays the status information and detailed information of the Image, and consists of the Details, Tags, and Deletion Policy Test tabs.
| Classification | Detailed Description |
|---|---|
| Image Status | Status of the image<br>- Deleting: being deleted<br>- Inactive: deletion failed and the image is unavailable (only a deletion request is possible)<br>- Editing: settings are being modified or sub-resources (tags) of the image are being deleted |
| Usage Guide | CLI-based Image Usage Guide |
| Image deletion | Button to delete the image |
Table. Status Information and Additional Functions
On the Image list page, you can check the detailed information of the selected resource and modify the information if necessary.
| Classification | Detailed Description |
|---|---|
| Creator | The user who created the image |
| Creation Time | The time the image was created |
| Editor | User who edited the image |
| Modified Time | The time when the image was modified |
| Image Name | The image name created by the user |
| Registry | The registry name and query link of the repository where the image is stored |
| Pulls | The number of times the corresponding image was pulled |
| Repository | Name of the repository where the image is stored and its search link |
| Description | The description that the user entered for the image<br>- Click the Edit button to modify the description |
| Image Scan | Automatic image vulnerability scan and scan exclusion policy settings<br>- Set the image scan policy to automatically check pushed images for vulnerabilities, or specify the inspection targets and vulnerabilities to be excluded from the image scan<br>- Click the Modify button to change whether automatic vulnerability scanning and the scan exclusion policy are used, and their detailed policy<br>- If automatic image scanning is set to Use, the image is automatically checked for vulnerabilities when it is pushed. This setting applies to images pushed after automatic scanning is set to Use, and the vulnerability inspection cost is charged during automatic scanning<br>- If the scan exclusion policy is set to Use, you can specify the inspection targets and vulnerabilities to be excluded from the image scan as follows<br>- Inspection targets that can be excluded: Language Package, vulnerabilities without Fix Version<br>- Vulnerabilities that can be excluded: select one of the levels (None / Unknown / Negligible / Low / Medium / High / Critical); vulnerabilities at or below the selected level are excluded |
| Image Pull Limit | Image Pull Limit feature usage and limit value settings<br>- Using the Image Pull Limit feature restricts the Pull of unscanned or vulnerable images to minimize security threats<br>- Click the Modify button to change whether the Image Pull Limit feature is used and its limit values<br>- Setting the unscanned image Pull limit to Use does not allow Pull of images that have not been vulnerability checked<br>- Setting the vulnerable image Pull limit to Use does not allow Pull of images with Critical or High level vulnerabilities exceeding the entered value; the values that can be entered and selected in this policy are as follows<br>- Critical: 1 (default) ~ 9,999,999<br>- High: 1 (default) ~ 9,999,999<br>- Excluding vulnerabilities without Fix Version: if Use is selected, vulnerabilities without Fix Version (no patch version for vulnerable packages/libraries) are excluded from the Pull limit policy |
| Image lock status | You can set a lock so that the selected image cannot be deleted or updated<br>- Click the Edit button to change the image lock status<br>- If the image lock status is Lock, the image and all internal Tags are changed to Lock status and cannot be deleted or updated<br>- If the image lock status is changed from Lock to Unlock, the image and all internal Tags can be deleted or updated |
| Image tag deletion | Sets the automatic deletion policy for images stored in the repository<br>- Click the Modify button to change the image tag deletion policy<br>- If the deletion policy is set to Use, the image tag deletion policy can be applied<br>- If the Untagged Image automatic deletion and Old Image automatic deletion items of the deletion policy are set to Use, the corresponding image deletion policy is applied<br>- Enter the automatic deletion period in the deletion policy, and the image will be automatically deleted after the set period has passed since it was first pushed |
Table. Image detailed information items
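Before switching the image tag deletion policy to Use, it helps to see which digests it would remove and which are held back by a lock. The dry run below is an added Python illustration, not Samsung Cloud Platform code: all names and sample digests are constructed, and it assumes the period is entered in days, that each rule has its own period, and that Lock status also blocks automatic deletion.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class StoredDigest:
    digest: str
    tags: Tuple[str, ...]     # empty tuple = untagged digest
    first_pushed: datetime    # the period is counted from the first push
    locked: bool = False      # image or tag Lock status


@dataclass(frozen=True)
class DeletionPolicy:
    """Field names are hypothetical; periods in days are an assumption."""
    enabled: bool = True
    delete_untagged: bool = True
    untagged_after_days: int = 7
    delete_old: bool = True
    old_after_days: int = 90


def dry_run(policy: DeletionPolicy, digests: List[StoredDigest],
            now: datetime) -> Dict[str, List[Tuple[str, str]]]:
    """Classify digests without deleting anything.

    Returns {"delete": [...], "protected_by_lock": [...]}, each entry being
    (digest, rule) where rule is "untagged" or "old".
    """
    result: Dict[str, List[Tuple[str, str]]] = {"delete": [], "protected_by_lock": []}
    if not policy.enabled:
        return result
    for d in digests:
        age = now - d.first_pushed
        if (policy.delete_untagged and not d.tags
                and age > timedelta(days=policy.untagged_after_days)):
            rule = "untagged"
        elif policy.delete_old and age > timedelta(days=policy.old_after_days):
            rule = "old"
        else:
            continue  # no rule matches, the digest is kept
        # Assumption: a locked image or tag is also exempt from auto-deletion.
        bucket = "protected_by_lock" if d.locked else "delete"
        result[bucket].append((d.digest, rule))
    return result


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample inventory, evaluated at a fixed point in time.
NOW = utc(2025, 1, 31)
SAMPLE_DIGESTS = [
    StoredDigest("sha256:constructed-a", ("1.0",), utc(2024, 10, 1)),
    StoredDigest("sha256:constructed-b", (), utc(2025, 1, 20)),
    StoredDigest("sha256:constructed-c", ("prod",), utc(2024, 6, 1), locked=True),
    StoredDigest("sha256:constructed-d", ("2.0",), utc(2025, 1, 15)),
    StoredDigest("sha256:constructed-e", (), utc(2025, 1, 28)),
]

if __name__ == "__main__":
    for bucket, entries in dry_run(DeletionPolicy(), SAMPLE_DIGESTS, NOW).items():
        print(bucket, entries)
```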
Delete an image
To delete an image, follow these steps.
- Click the All services > Container > Container Registry menu. This takes you to the Service Home page of Container Registry.
- On the Service Home page, click the Image menu. This takes you to the Image list page.
- Click the Settings icon at the top of the Image list page and select the Registry name and the Repository name where the image to be deleted is stored.
- On the Image list page, click the resource (Image) to be deleted. This takes you to the Image details page.
- Click the Image deletion button.
- When the Image deletion popup is displayed, click the Confirm button.
- When the deletion is complete, check if the resource has been deleted on the Image list page.
Caution
If you delete an image, all tags within the image will be deleted together.
To check the tag details, follow these steps.
- Click the All services > Container > Container Registry menu. This takes you to the Service Home page of Container Registry.
- On the Service Home page, click the Image menu. This takes you to the Image list page.
- Click the Settings icon at the top of the Image list page and select the Registry name and the Repository name where the Image whose details you want to check is stored.
- On the Image list page, click the resource (Image) whose detailed information you want to check. This takes you to the Image details page.
- The Image details page displays the status information and detailed information of the Image, and consists of the Details, Tags, and Deletion Policy Test tabs.
- On the Image details page, click the Tags tab to the right of the Details tab at the top. This takes you to the Tags list page.
| Column | Required | Detailed Description |
|---|---|---|
| Tags | Required | Tag name of the image Digest<br>- A single image Digest can have multiple tag names |
| Digest | Required | Image Digest value |
| Size | Required | Image Digest capacity |
| Modification Time | Required | Image Digest(Tags) Modification Time |
| Inspection Time | Required | Image Digest(Tags) Vulnerability Inspection Time |
| Vulnerability Check Result | Required | Image Digest(Tags) Vulnerability Check Result<br>- Vulnerability count summary information and the View Result button are displayed<br>- Click the View Result button to see the detailed vulnerability analysis result for the image tags |
| Status | Required | Status of Image Digest(Tags)<br>- Active: normal, usable<br>- Deleting: being deleted<br>- Inactive: deletion failed and not usable (only a deletion request is possible) |
| URL copy | - | Copies the endpoint URL for using the image Digest<br>- You can copy the endpoint URL to be used in commands that use the image Digest |
| View more button | - | Selection menu for Image Digest(Tags) deletion, modification, vulnerability check, and detailed usage guide<br>- Click Delete to delete the corresponding image Digest(Tags)<br>- Click Tags modification to display the Tags modification window. In the Tags modification window, you can modify the tag name of the image Digest<br>- Click Vulnerability check to check for vulnerabilities in the image Digest(Tags)<br>- Click Detailed usage guide to view the guide for using image Digest(Tags) based on CLI<br>- Click Tags Lock to set a lock so that the selected image Tags cannot be deleted or updated<br>- Click Tags Unlock to release the lock so that the selected image Tags can be deleted or updated |
Table. List of Tags Items
Reference
An image Digest in the Untagged state, which has no tag name, is displayed as None in the Tags section.
- In the Tags list, click the Tags of the image Digest whose details you want to check. The detailed information window of the image Digest (Tags) appears.
| Column | Detailed Description |
|---|---|
| Tag Information | Tag name, digest, creation time, modification time are displayed<br>- Click the copy button at the right end of the digest value to copy the digest value |
| Manifest Information | Displays manifest type and detailed contents<br>- Click Copy Manifest to copy the manifest value<br>- Click Download to download the manifest as a JSON file |
Table. Detailed information window items
- In the Tag detailed information window, check the information and click Confirm to close the window.
Image tag deletion
To delete an image tag, follow these steps.
- Click the All services > Container > Container Registry menu. It moves to the Service Home page of Container Registry.
- On the Service Home page, click the Image menu. It moves to the Image list page.
- Click the Settings icon at the top of the Image list page, then select the Registry name and Repository name where the Image whose details you want to check is stored.
- On the Image list page, click the resource (Image) whose details you want to check. It moves to the Image details page.
- On the Image details page, click the Tags tab to the right of the detailed information tab at the top. It moves to the Tags list page.
- In the Tags list, select the checkbox to the left of the tag to be deleted, then click Delete.
- You can select the checkboxes of multiple items to delete multiple tags at once, up to 50 tags at a time.
- You can also delete tags one at a time by clicking Delete in the more button at the right end of the tag to be deleted.
- When the Tags deletion popup window opens, click Confirm.
- Once the deletion is complete, check the Tags list page to confirm that the resource has been deleted.
Caution
If other tags referencing the selected tag exist, the tag cannot be deleted. Delete the reference tags first, then delete the tag.
Image tag deletion policy test
To test the image tag deletion policy you set, follow these steps.
- Click the All services > Container > Container Registry menu. It moves to the Service Home page of Container Registry.
- On the Service Home page, click the Image menu. It moves to the Image list page.
- Click the Settings icon at the top of the Image list page, then select the Registry name and Repository name where the Image whose details you want to check is stored.
- On the Image list page, click the resource (Image) whose details you want to check. It moves to the Image details page.
- The Image details page displays the status information and detailed information of the Image, and consists of the Details, Tags, and Deletion Policy Test tabs.
- On the Image details page, click the Deletion Policy Test tab to the right of the detailed information tab at the top. It moves to the Deletion Policy Test tab page.
- On the Deletion Policy Test tab page, click the Policy Test button in the Deletion Target Tags item. The deletion policy test is executed.
- When the deletion policy test execution notification popup window opens, click the Confirm button.
- When the test run request is completed, the message "The test run application for deletion policy has been completed" is displayed.
- When the deletion policy test is completed, check the test results.
- The image tags (digest) that are the target of the deletion policy are displayed in the Deletion Target Tags item.
3 - Managing Image Security Vulnerabilities
The image security vulnerability checking function allows you to manually or automatically check the OS package security vulnerabilities and Secrets included in the images stored in the Container Registry. Users can identify and remove known vulnerabilities (CVE) and Secrets based on the inspection results, preventing the use of insecure images.
Supported OS
The vulnerability checking function supports checking of libraries installed with a package manager on the following OS.
| Supported OS |
|---|
| Ubuntu |
| Cent OS |
| Oracle |
| Debian |
| Alpine |
| AWS Linux |
| RHEL |
| Suse |
| VMWare Photon |
Table. Supported OS types
Supported Language
The vulnerability checking function supports checking for the following languages.
| Supported Language |
|---|
| Python |
| PHP |
| Node.js |
| .NET |
| Go |
| Dart |
Table. Supported Language Type I (Language package manager installed library)
Table. Supported Language Type II (identified based on pom.properties and MANIFEST.MF files included in jar, war, par, ear type files)
Supported Secret
The vulnerability checking function supports detection of the following types of secrets included in the image.
| Supported Secret |
|---|
| AWS access key |
| GitHub personal access token |
| GitLab personal access token |
| Asymmetric Private Key |
Table. Supported Secret Types
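A local pre-push check for the same four secret categories can catch a leaked key before the image reaches the registry. The following is an added example, not part of the original guide or the service's scanner; the function names, the regular expressions (common token-shape heuristics) and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not SCP code. The expressions below are widely used token-shape
# heuristics (assumptions); the registry's own detection rules are not shown on this page.

# _scan_category CATEGORY ERE DIR: prints "file:line<TAB>CATEGORY" per matching line.
# Only the location is printed, never the matched text, so the report is safe to log.
_scan_category() {
  LC_ALL=C grep -rInE -e "$2" -- "$3" 2>/dev/null |
    awk -F: -v c="$1" '{ printf "%s:%s\t%s\n", $1, $2, c }'
}

# scan_secrets DIR: checks a build context for the four supported secret types.
# Returns 0 when clean, 1 when a candidate secret was found, 2 on a bad argument.
scan_secrets() {
  [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
  _report=$(
    _scan_category "AWS access key" \
      '(^|[^A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}([^A-Z0-9]|$)' "$1"
    _scan_category "GitHub personal access token" \
      '(ghp_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{82})' "$1"
    _scan_category "GitLab personal access token" \
      'glpat-[A-Za-z0-9_-]{20}' "$1"
    _scan_category "Asymmetric Private Key" \
      '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$1"
  )
  [ -n "$_report" ] || return 0
  printf '%s\n' "$_report"
  return 1
}

# make_constructed_context DIR: writes constructed sample files (every value is fake).
make_constructed_context() {
  mkdir -p "$1/app" "$1/keys"
  printf 'FROM alpine\nCOPY app /app\n' > "$1/Dockerfile"
  printf 'aws_access_key_id=AKIAIOSFODNN7EXAMPLE\n' > "$1/app/credentials"
  printf 'url=https://ghp_0123456789abcdefghijklmnopqrstuvwxyz@example.invalid/r.git\n' \
    > "$1/app/.git-credentials"
  printf 'GITLAB_TOKEN=glpat-abcdefghij0123456789\n' > "$1/app/.env"
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' '(constructed, no key material)' \
    > "$1/keys/id_rsa"
}

# Stand-alone use: sh scan-secrets.sh ./build-context  (non-zero exit blocks the push)
if [ "$#" -gt 0 ]; then scan_secrets "$1"; fi
```

A hit here means the file would be baked into an image layer; remove it from the build context and rotate the credential, since deleting the file in a later layer does not remove it from earlier layers.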
Checking image security vulnerabilities (manual)
To check for image security vulnerabilities, follow these steps.
- Click the All services > Container > Container Registry menu. It moves to the Service Home page of Container Registry.
- On the Service Home page, click the Image menu. It moves to the Image list page.
- Click the Settings icon at the top of the Image list page, then select the Registry name and Repository name where the Image whose details you want to check is stored.
- On the Image List page, click the resource (Image) to check for security vulnerabilities. It moves to the Image Details page.
- Click the Tags tab to the right of the detailed information tab at the top of the Image Details page. It moves to the Tags tab page.
- On the Tags tab page, click the more button located at the right end of the tag to check for security vulnerabilities, then click Vulnerability Check.
- When the vulnerability check alert popup window opens, click the Confirm button.
- When the inspection starts, the message "vulnerability check will be performed." is displayed.
- After the inspection is complete, a summary of the inspection results and the View Results button are displayed in the Vulnerability Check Results section. When you click the View Results button, a popup window appears where you can view detailed analysis results of vulnerabilities by Image Digest(Tags).
Note
By clicking the View Results button, you can check the detailed analysis result of the vulnerability for the image tag.
After checking for vulnerabilities, if a red exclamation mark icon (!) is displayed in the inspection date item, it means that the vulnerability check list of the Container Registry service has been updated. Because new vulnerability items need to be checked for the corresponding image Digest (Tags), we recommend clicking Vulnerability Check to re-check.
Check the image security vulnerability check result
To check the vulnerability check result, follow these steps.
- Click the All services > Container > Container Registry menu. It moves to the Service Home page of Container Registry.
- On the Service Home page, click the Image menu. It moves to the Image list page.
- Click the Settings icon at the top of the Image list page, then select the Registry name and Repository name where the Image whose details you want to check is stored.
- On the Image List page, click the resource (Image) to check for security vulnerabilities. It moves to the Image Details page.
- Click the Tags tab to the right of the detailed information tab at the top of the Image Details page. It moves to the Tags tab page.
- On the Tags tab page, click the View Results button in the Vulnerability Check Result item to check the vulnerability check result.
- The Vulnerability Analysis by Image Tags popup window appears, showing the detailed analysis results of vulnerabilities by image tag.
Check the test results by vulnerability unit
You can check the image security vulnerability check results by vulnerability in the Vulnerability tab.
| Item | Detailed Description |
|---|---|
| Vulnerability Check | Vulnerability check button<br>- Clicking the button starts the vulnerability check<br>- If the tag status is Inactive, the Vulnerability Check button is not activated |
| Inspection Date | Vulnerability Inspection Date |
| Distribution | OS name and version of the inspected image Digest(Tags)<br>- Refer to the list of supported OS |
| Total number of vulnerabilities | Vulnerability inspection result summary<br>- The total number of detected vulnerabilities and the number of vulnerabilities by severity are displayed in a graph<br>- Vulnerabilities are divided into 6 levels according to their severity (Critical, High, Medium, Low, Negligible, Unknown) |
Table. Vulnerability Check Result Items
You can check the list of all discovered vulnerabilities in the Vulnerability tab.
| Item | Detailed Description |
|---|---|
| CVE | Detected vulnerability ID (CVE ID) and external link to detailed vulnerability information<br>- CVE (Common Vulnerabilities and Exposures) |
| Severity | Detected vulnerability severity |
| CVSS | CVSS (Common Vulnerability Scoring System) based vulnerability score |
| Category | Type of inspection target for detected vulnerabilities<br>- OS package or Language package is displayed |
| OS/Language | OS or Language package type of the detected vulnerability<br>- Refer to the list of supported OS and supported Language |
| Package | Name of the package where the vulnerability was found |
| Current version | Current version of vulnerable package (vulnerable version) |
| Updated version | The version of the vulnerable package in which the vulnerability has been addressed |
| Whether the vulnerability in the discovered package has been fixed (whether a patched version of the vulnerability exists) | |
| Expand Button | Vulnerability details inquiry<br>- Click the Expand button to display detailed information about the vulnerability below<br>- You can check the description and the vector values of the vulnerability. A detailed description of each vector value is provided as a tooltip<br>- Detailed information opened by the Expand button can be closed by clicking the Collapse button |
Table. List of vulnerability items
Checking the results by package unit
You can check the image security vulnerability check results by package.
In the Image Tag-based Vulnerability detail page, click the Package tab to move to the package-based vulnerability page.
| Item | Detailed Description |
|---|---|
| Vulnerability Check | Vulnerability check button<br>- Clicking the button starts the vulnerability check<br>- If the tag status is Inactive, the Vulnerability Check button is not activated |
| Inspection Date | Vulnerability Inspection Date |
| Distribution | OS name and version of the inspected image Digest(Tags)<br>- Refer to the list of supported OS |
| Total number of packages | Summary of total package information<br>- Displays the total number of packages found and the number of packages by vulnerability status in a graph |
Table. Package Vulnerability Check Result Items
In the package tab, you can check the entire package list, the list of packages with vulnerabilities found, and the list of packages with no vulnerabilities found.
| Item | Detailed Description |
|---|---|
| Category | Type of discovered package<br>- OS package or Language package is displayed |
| OS/Language | Detailed OS or Language type of the discovered package<br>- Refer to the list of supported OS and supported Language |
| Package | Discovered package name |
| Version | The current version of the package |
| Vulnerability check result | Summary information of vulnerability count included in the package |
| Type | Details of OS or Language type and details of discovered package |
Table. Package list item
Check the test results by secret unit
You can check the image security vulnerability check results by secret.
In the Image Tag-based Vulnerability detail page, clicking the Secret tab will move to the secret-based vulnerability page.
| Item | Detailed Description |
|---|---|
| Vulnerability Check | Vulnerability check button<br>- Clicking the button starts the vulnerability check<br>- If the tag status is Inactive, the Vulnerability Check button is not activated |
| Inspection Date | Vulnerability Inspection Date |
| Distribution | OS name and version of the inspected image Digest(Tags)<br>- Refer to the list of supported OS |
| Total number of vulnerabilities | Vulnerability result summary<br>- The total number of detected vulnerabilities and the number of vulnerabilities by severity are displayed in a graph<br>- Vulnerabilities are divided into 6 levels based on severity (Critical, High, Medium, Low, Negligible, Unknown) |
Table. Secret Vulnerability Check Result Items
In the Secret tab
| Item | Detailed Description |
|---|---|
| File | File name where secret is detected |
| Category | Detected secret type<br>- Refer to the supported secret list |
| Severity | Detected Secret Severity |
| Match | Detected secret match information in the file |
Fig. Secret List Items
4 - Managing Image Tag Deletion Policies
The user can register and manage the image tag deletion policy.
Managing image tag deletion policies
The image tag deletion policy refers to the policy that automatically deletes an image when a certain period of time has passed since it was first pushed to the repository. If the image tag deletion policy is enabled, the image tags (digest) stored in the Container Registry will be automatically deleted according to the set deletion policy.
Notice
- After enabling the deletion policy and setting it to use, the image tag (digest) to which the deletion policy is first applied will be deleted within a maximum of 3 days (72 hours). Subsequent image tags (digests) to which the deletion policy is applied will be deleted within a maximum of 1 day (24 hours).
- Image tags (digests) to which the deletion policy is applied are permanently deleted and cannot be recovered.
The following describes the policies supported for deleting image tags.
Supported Policy
Policies are supported that let you set automatic deletion and the period for image tags (digest).
| Supported Policy |
|---|
| Untagged Image |
| Old Image |
Table. Image tag deletion support policy type
Set the image tag (digest) deletion policy
To set the image tag (digest) deletion policy, follow these steps.
- Click the All services > Container > Container Registry menu. It moves to the Service Home page of Container Registry.
- On the Service Home page, click the Image menu. It moves to the Image list page.
- Click the gear button at the top of the Image list page. The Registry/Repository settings popup window opens.
- In the Registry/Repository settings popup window, select the Registry name and Repository name where the Image to be set for the deletion policy is stored, and click the OK button.
- On the Image list page, click the resource (Image) for which to set the deletion policy. It moves to the Image details page.
- On the Detail Info tab of the Image Detail page, click the Edit icon of the Delete Image Tag item. The Edit Delete Image Tag popup window opens.
- In the Image Tag Deletion Modification popup window, enter and select the necessary information and activation status, and click the Confirm button.
- If Delete policy activation is set to Use, the image tag (digest) is automatically deleted according to the set delete policy.
- Select the deletion policy to apply and enter the period from when the image was first pushed to the repository to when it will be automatically deleted.
- When the update notification popup window opens, click the Confirm button.
- When the modification is complete, the message "Image tag deletion modification was successful" is displayed.
Reference
You can also set a deletion policy in the Repository that plays the role of a template for the Image. When setting a deletion policy in the Repository, the set deletion policy is applied equally to all Images stored inside.
Image tag (digest) deletion policy test
To test the image tag (digest) deletion policy, follow these steps.
- Click the All services > Container > Container Registry menu. It moves to the Service Home page of Container Registry.
- On the Service Home page, click the Image menu. It moves to the Image list page.
- Click the gear button at the top of the Image list page. The Registry/Repository settings popup window opens.
- In the Registry/Repository settings popup window, select the Registry name and Repository name where the Image to be set for the deletion policy is stored, and click the Confirm button.
- On the Image List page, click the resource (Image) for which to test the deletion policy. It moves to the Image Detail page.
- On the Image Detail page, click the Deletion Policy Test tab. It moves to the Deletion Policy Test tab page.
- On the Deletion Policy Test tab page, click the Policy Test button at the bottom of the Deletion Target Tags item to test the deletion policy that has been set.
- When the deletion policy test notification popup window opens, click the Confirm button.
- When the test run request is completed, the message "The deletion policy test run application has been completed" is displayed.
- After the test is completed, the image tags (digest) that are the target of the deletion policy are displayed in the Deletion Target Tags section.
5 - Using Container Registry with CLI
This explains how to log in to the Container Registry using the CLI command and manage Container images and Helm charts.
Managing Container Images with CLI
You can log in to the Container Registry and push or pull container images using the CLI command.
Logging in to Container Registry
The user can log in to the Container Registry using the authentication key.
Reference
To log in to Container Registry, you need the LoginContainerRegistry permission for the registry you want to use.
For more information on policy and permission settings, see Management > IAM > Policy.
Logging in with an authentication key
Log in using the AccessKey and SecretKey of the authentication key and the registry endpoint.
- Registry endpoint: can be found on the Container Registry details page.
- Private endpoint: [registryname]-[registryid].scr.private.[region].[offering].samsungsdscloud.com
```
docker login <registry_endpoint>
Username: <accessKey>
Password: <secretKey>
```
Reference
To log in with an authentication key, you must create an authentication key on the IAM > Authentication Key Management page and set the authentication method to Authentication Key Authentication in the Security Settings.
- Before modifying the security settings, check the notice about the authentication key authentication method at the top of the Authentication key security settings modification popup.
For more information on how to create an authentication key and set up authentication key authentication, see Management > IAM > Managing Authentication Keys.
Pushing Images
To push an image to the registry, use the following command.
```
docker push [registryname]-[registryid].scr.private.[region].[offering].samsungsdscloud.com/[repository]/[image:tag]
```
Reference
To push an image to the registry, you need the LoginContainerRegistry permission for the registry to be used and the PushRepositoryImages permission for the repository.
For more information about policy and permission settings, see Management > IAM > Policy.
Image Pulling
To pull an image from the registry, use the following command.
```
docker pull [registryname]-[registryid].scr.private.[region].[offering].samsungsdscloud.com/[repository]/[image:tag]
```
Reference
To pull an image from the registry, you need the LoginContainerRegistry permission for the registry to be used and the PullRepositoryImages permission for the repository.
For more information about policy and permission settings, see Management > IAM > Policy.
Managing Helm Charts with CLI
You can log in to the Container Registry using the CLI command and push or pull the Helm chart.
Reference
Container Registry supports Helm v3.8.1 and above.
Logging in to Container Registry
The user can log in to the Container Registry using the authentication key.
Reference
To log in to Container Registry, you need the LoginContainerRegistry permission for the registry you want to use.
For more information about policy and permission settings, see Management > IAM > Policy.
Logging in with an authentication key
Log in using the AccessKey and SecretKey of the authentication key and the registry endpoint.
- Registry endpoint: can be found on the Container Registry details page.
- Private endpoint: [registryname]-[registryid].scr.private.[region].[offering].samsungsdscloud.com
```
helm registry login <registry_endpoint>
Username: <accessKey>
Password: <secretKey>
```
Reference
To log in with an authentication key, you must create an authentication key on the IAM > Authentication Key Management page and set the authentication method to Authentication Key Authentication in the Security Settings.
- Before modifying the security settings, be sure to check the guidance phrase for the authentication key authentication method at the top of the Modify authentication key security settings popup.
For more information on how to create an authentication key and set up authentication key authentication, see Management > IAM > Managing Authentication Keys.
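The interactive logins shown here and under Managing Container Images with CLI can be scripted without typing or echoing the SecretKey. The following is an added example, not from the original guide: it checks that the host matches the private endpoint pattern before sending credentials and passes the SecretKey on standard input. The SCR_ACCESS_KEY and SCR_SECRET_KEY variable names and both function names are assumptions.

```shell
#!/bin/sh
# Added example, not SCP code. Assumed names: SCR_ACCESS_KEY, SCR_SECRET_KEY
# and both functions. --username and --password-stdin are docker/helm client flags.

# scr_is_private_endpoint HOST: succeeds only for a bare host name shaped like
# [registryname]-[registryid].scr.private.[region].[offering].samsungsdscloud.com
scr_is_private_endpoint() {
  case "$1" in
    ''|*[!a-z0-9.-]*|.*|*..*) return 1 ;;   # empty, scheme/path/uppercase, empty label
  esac
  case "$1" in
    [a-z]*-?*.scr.private.?*.?*.samsungsdscloud.com) return 0 ;;
    *) return 1 ;;
  esac
}

# scr_login TOOL HOST: TOOL is docker or helm.
# Return codes: 2 bad endpoint, 3 missing key variables, 4 unknown tool.
scr_login() {
  if ! scr_is_private_endpoint "$2"; then
    echo "refusing to send credentials: '$2' is not a private registry endpoint" >&2
    return 2
  fi
  if [ -z "${SCR_ACCESS_KEY:-}" ] || [ -z "${SCR_SECRET_KEY:-}" ]; then
    echo "SCR_ACCESS_KEY and SCR_SECRET_KEY must be set" >&2
    return 3
  fi
  # printf is a shell builtin, so the SecretKey is written to the pipe without
  # appearing in any process argument list or in shell history.
  case "$1" in
    docker) printf '%s' "$SCR_SECRET_KEY" |
              docker login "$2" --username "$SCR_ACCESS_KEY" --password-stdin ;;
    helm)   printf '%s' "$SCR_SECRET_KEY" |
              helm registry login "$2" --username "$SCR_ACCESS_KEY" --password-stdin ;;
    *)      echo "unknown tool: $1" >&2; return 4 ;;
  esac
}

# Stand-alone use: sh scr-login.sh docker <registry_endpoint>
if [ "$#" -eq 2 ]; then scr_login "$1" "$2"; fi
```

Unless a credential store is configured, docker login keeps the credential in ~/.docker/config.json, so run docker logout <registry_endpoint> (or helm registry logout <registry_endpoint>) when the session ends.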
Chart Push
To push a chart to the registry, use the following command.
```
helm push [hello-world-0.1.0].tgz oci://[registryname]-[registryid].scr.private.[region].[offering].samsungsdscloud.com/[mychart]
```
Running the command as shown in the example saves (uploads) the chart to the mychart repository as the hello-world image and applies the 0.1.0 tag.
To push charts to a registry, you need the LoginContainerRegistry permission for the registry you want to use and the PushRepositoryImages permission for the repository.
For more information about policy and permission settings, see Management > IAM > Policy.
Chart Pulling
To pull charts from the registry, use the following command.
```
helm pull oci://[registryname]-[registryid].scr.private.[region].[offering].samsungsdscloud.com/[mychart/hello-world] --version [0.1.0]
```
Running the command as shown in the example downloads the chart saved with the tag 0.1.0 in the hello-world image in the mychart repository.
To pull charts from a registry, you need the LoginContainerRegistry permission for the registry you want to use and the PullRepositoryImages permission for the repository.
For more information about policy and permission settings, see Management > IAM > Policy.