Container registries store and manage container images and related artifacts.
Although container orchestration gets the “royal” coverage, container registries hold the “keys to the kingdom”: they act as the trusted intermediary between development and runtime environments for containerized applications, so whatever they serve is what ends up running. Organizations that build and deploy container-native applications need to choose various tools to build, run and manage containers in production. Common requirements include:
- Container orchestration
- Infrastructure automation
- Container security (vulnerability scanning, policy management, etc.)
- Monitoring, distributed tracing and observability
- Service mesh, application proxy, API gateways
- Container registries
This blog post will focus on the last requirement – container registries. Container registries are evolving and 2020 saw quite a few new solutions in the market.
Some providers generalize container registry capabilities to support other artifacts and packages.
Others specialize the capabilities of an artifact repository to address specific container registry needs.
Container images are the basic artifacts used to deploy applications in a containerized environment. How images are described and cataloged (the OCI Image Format Specification) and how clients talk to a registry (the OCI Distribution Specification) are standardized, which makes container registries look like a commodity purchase. Because most application delivery platforms and cloud providers bundle a registry, organizations tend to accept whichever one comes with their platform; what they lack is a checklist and framework for making a conscious choice.
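The standardization that makes registries look interchangeable is also what lets a consumer verify what a registry served. The following added example (not code from the original post or from any registry project) shows the content-addressing at the heart of the OCI image and distribution specs: an image reference that pins a `@sha256:` digest can be checked against the manifest bytes a registry returns, and each blob the manifest lists can be checked against its descriptor. A tag-only reference cannot be verified, because the registry may point the same tag at different bytes later. The manifest, config and layer bytes are constructed for the demo; the reference `registry.example.com:5000/team/app` is a placeholder.

```python
import hashlib
import json
import re

# Constructed sample blobs standing in for what a registry serves under
# GET /v2/<name>/blobs/<digest>. They are not a real image.
SAMPLE_CONFIG = json.dumps({"architecture": "amd64", "os": "linux"}).encode()
SAMPLE_LAYER = b"example layer tarball bytes (constructed for this demo)"


def digest_of(data: bytes) -> str:
    """OCI content digest: algorithm prefix plus lowercase hex of the raw bytes."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


def descriptor(media_type: str, blob: bytes) -> dict:
    """Build an OCI descriptor (mediaType, digest, size) for a blob."""
    return {"mediaType": media_type, "digest": digest_of(blob), "size": len(blob)}


# Constructed image manifest, serialised once so its bytes (and therefore its
# digest) are fixed: the manifest digest is what a pinned image reference names.
SAMPLE_MANIFEST = json.dumps(
    {
        "schemaVersion": 2,
        "mediaType": "application/vnd.oci.image.manifest.v1+json",
        "config": descriptor("application/vnd.oci.image.config.v1+json", SAMPLE_CONFIG),
        "layers": [descriptor("application/vnd.oci.image.layer.v1.tar", SAMPLE_LAYER)],
    },
    separators=(",", ":"),
    sort_keys=True,
).encode()

DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")


def parse_reference(ref: str) -> dict:
    """Split 'host[:port]/repo[:tag][@sha256:<hex>]' into name, tag and digest."""
    name, _, digest = ref.partition("@")
    if digest and not DIGEST_RE.fullmatch(digest):
        raise ValueError(f"malformed or unsupported digest: {digest!r}")
    tag = None
    # A ':' after the last '/' introduces a tag; one before it is a registry port.
    colon = name.rfind(":")
    if colon > name.rfind("/"):
        name, tag = name[:colon], name[colon + 1:]
    if not name:
        raise ValueError("empty image name")
    return {"name": name, "tag": tag, "digest": digest or None}


def verify_manifest(manifest_bytes: bytes, ref: str) -> bool:
    """True only if the reference pins a digest and the served bytes hash to it.

    A tag-only reference is unverifiable: the registry (or anyone who can push
    to it) may point the same tag at different bytes later.
    """
    pinned = parse_reference(ref)["digest"]
    if pinned is None:
        return False
    return digest_of(manifest_bytes) == pinned


def verify_blob(blob: bytes, desc: dict) -> bool:
    """Check a config or layer blob against the descriptor the manifest carries."""
    return len(blob) == desc["size"] and digest_of(blob) == desc["digest"]


def verify_image(manifest_bytes: bytes, ref: str, blobs: dict) -> bool:
    """Verify the manifest against the pinned reference, then every blob it lists.

    `blobs` maps digest -> bytes, as if each had been fetched from the registry.
    """
    if not verify_manifest(manifest_bytes, ref):
        return False
    manifest = json.loads(manifest_bytes)
    descs = [manifest["config"], *manifest["layers"]]
    return all(d["digest"] in blobs and verify_blob(blobs[d["digest"]], d) for d in descs)


if __name__ == "__main__":
    blobs = {digest_of(b): b for b in (SAMPLE_CONFIG, SAMPLE_LAYER)}
    pinned_ref = f"registry.example.com:5000/team/app:1.0@{digest_of(SAMPLE_MANIFEST)}"
    print("pinned reference verifies:", verify_image(SAMPLE_MANIFEST, pinned_ref, blobs))
    tag_ref = "registry.example.com:5000/team/app:1.0"
    print("tag-only reference verifies:", verify_image(SAMPLE_MANIFEST, tag_ref, blobs))
```

The practical takeaway for a registry evaluation: whatever product you pick, the consumers (CI, orchestrator, admission controls) should reference images by digest, and the registry should support immutable tags or equivalent policy so a tag cannot silently be repointed.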
What factors should you consider in selecting a container registry?
Treat this as an initial list of considerations. Feel free to customize this checklist and leave comments about what you prioritized, so your peers can learn from it.
What are some categories of container registry providers?
There are three primary categories of container registry providers to choose from:
Cloud service providers
As you would expect, cloud service providers make it easy to integrate their container registry offerings with their own application runtime services. For example, AWS ECR (Elastic Container Registry) integrates with EKS, ECS and Fargate; Azure Container Registry with AKS and Service Fabric; and Google Container Registry with GKE. Pricing is usually consumption based, i.e. storage consumed per month plus data transfer (egress) charges.
Open source tools
Harbor graduated as a CNCF project this year. It is an open source registry that secures artifacts with policies and role-based access control, scans images for vulnerabilities, and signs images as trusted. Harbor has a growing community of users and partners.
Red Hat open sourced Quay (Project Quay) in late 2019. Quay is a container image registry that enables you to build, organize, distribute, and deploy containers. Project Quay includes Clair, a container security scanning tool.
ISV provided container registries
Some representative providers below — by no means is this an exhaustive list.
- GitLab Container Registry
- GitHub Container Registry
- JFrog Container Registry
- Managed Harbor-based container management solutions
- Mirantis Secure Registry (formerly Docker Trusted Registry)
- Red Hat Quay (bundled with OpenShift or as a standalone component)
Finally, what use cases does a container registry enable?
- Distributed agile teams: a consistent, secure and trusted source for shared container images
- Security and governance for third-party software
- Consistency, scalability and reliability across remote sites