container image registries

Greetings and welcome back to our series on getting familiar with the Replicated Vendor Portal. In this episode, we’re going to talk a bit about the different types of container image registries available to use with Replicated KOTS – or any other Kubernetes clusters.

When you hear the phrase “container registry,” your mind probably automatically jumps to DockerHub – one of, if not THE most popular and widely used public container registries in the open-source community. But if you’re security-minded, the word “public” probably gives you a bit of pause. 

Generally speaking, public container image registries like DockerHub, Amazon ECR, and quay.io are perfectly safe to use so long as you are careful to only use images from verified sources, and Dockerhub performs its own vulnerability scans on all shared container images to add another layer of security. All that said, I won’t lie and say that I haven’t accidentally downloaded a bloated CentOS container from CatThumbs97 thinking I was pulling the official image, only to be in for a big surprise later. That isn’t such a big deal in a MiniShift environment other than wasting disk space, but such a mistake could potentially shut an enterprise environment down.

If you’re more attentive to namespaces than I tend to be – first off, good for you. Second, you might consider private registries over public for the sake of guarding proprietary code. While both Docker and Quay offer enterprise solutions that include the ability to upload “private” (unlisted) images, you will still have less control over the image (plus probably pay more money) than if you just built your own registry, which isn’t nearly as hard as it sounds.

When you’re running or planning to run Kubernetes in an airgapped environment then a private registry is almost a must, as the cluster won’t have a connection to the outside world and therefore won’t have a way to connect to either a public or hidden registry to pull images. One of the more appealing features of Replicated KOTS to enterprises for whom security is a top priority is its built-in support for airgapped environments. Not only does KOTS support airgapped installs, but it also supports the usage of private registries and even includes access to the Replicated private registry – which you can read about here

If internal registries aren’t your jam and you’re not interested in building a Docker registry from scratch, KOTS also supports private registries like Google Container Registry and Amazon Elastic Container Registry, and we’ll even show you how to set it up. If you’re curious about private container registries and want to try it out with your Replicated trial, check out the videos by my colleague Fernando linked in this blog. Stay tuned for the next edition of our trial walkthrough blog for more tips on how to make the most of your Replicated account. See you then!