Introduction

Building, storing and managing container images is a core part of the cloud-native application development process. Alauda Container Platform (ACP) provides a high-performance, highly-available, built-in container image repository service designed to provide users with a secure and convenient image storage and management experience, greatly simplifying application development, continuous integration/continuous deployment (CI/CD) and application deployment processes within the platform.

Deeply integrated into the platform architecture, Alauda Container Platform Registry provides tighter platform collaboration, simplified configuration, and greater internal access efficiency than an external, independently deployed image repository.

Principles and namespace isolation

Alauda Container Platform's built-in image repository, as one of the core components of the platform, runs inside the cluster in a highly-available manner and utilizes the persistent storage capabilities provided by the platform to ensure that the image data is secure and reliable.

One of its core design concepts is namespace-based logical isolation and management. Within the Registry, image repositories are organized by namespace. Each namespace can therefore be considered a separate “zone” for the images that belong to it, and images in different namespaces are isolated from each other by default unless access is explicitly authorized.

Authentication and authorization

The authentication and authorization mechanism of Alauda Container Platform Registry is deeply integrated with ACP's platform-level authentication and authorization system, enabling access control as granular as the namespace:

Authentication

Users or automated processes (e.g., CI/CD pipelines on the platform, automated build tasks, etc.) do not need to maintain a separate set of account passwords for the Registry. They are authenticated through the platform's standard authentication mechanisms (e.g., using platform-provided API tokens, integrated enterprise identity systems, etc.). When accessing Alauda Container Platform Registry through the CLI or other tools, it is common to utilize existing platform login sessions or ServiceAccount tokens for transparent authentication.

Authorization

Authorization control is implemented at the namespace level. Pull or Push permissions for an image repository in Alauda Container Platform Registry depend on the platform role and permissions that the user or ServiceAccount has in the corresponding namespace.

  • Typically, the owner or developer role of a namespace is automatically granted Push and Pull permissions to image repositories under that namespace.
  • Users in other namespaces or users who wish to pull images across namespaces need to be explicitly granted the appropriate permissions by the administrator of the target namespace (e.g., bind a role that allows pulling of images via RBAC) before they can access images within that namespace.
  • This namespace-based authorization mechanism ensures isolation of images between namespaces, improving security and avoiding unauthorized access and modification.
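The cross-namespace grant described above, sketched as a standard Kubernetes RoleBinding. This is an added example, not taken from the ACP documentation: the namespaces `team-a` and `team-b`, the ServiceAccount `app-runner`, and the role name are constructed placeholders, and the role that actually carries image-pull permission must be taken from the platform's own documentation.

```yaml
# Added example (not from the ACP docs). All names are constructed.
# The binding is created in the namespace that OWNS the images (team-a),
# by that namespace's administrator. The subject lives in the consuming
# namespace (team-b). Nothing in team-b is changed, so team-b gains no
# access to any other namespace's images.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: allow-team-b-image-pull
  namespace: team-a                 # target namespace: where the images are stored
subjects:
  - kind: ServiceAccount
    name: app-runner                # identity that will pull the images
    namespace: team-b               # consuming namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole                 # assumption: pull permission is packaged as a ClusterRole
  name: REPLACE-WITH-IMAGE-PULL-ROLE  # placeholder: the page does not name the role
```

Binding a single ServiceAccount rather than a whole group keeps the grant limited to the workload that needs it, and deleting the RoleBinding restores the default isolation.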

Advantages

Core advantages of Alauda Container Platform Registry:

  • Ready-to-Use: Rapidly deploy a private image registry without complex configurations.
  • Flexible Access: Supports both intra-cluster and external access modes.
  • Security Assurance: Provides RBAC authorization and image scanning capabilities.
  • High Availability: Ensures service continuity through replication mechanisms.
  • Production-Grade: Validated in enterprise environments with SLA guarantees.

Application Scenarios

  • Lightweight Deployment: Implement streamlined registry solutions in low-traffic environments to accelerate application delivery.
  • Edge Computing: Enable autonomous management for edge clusters with dedicated registries.
  • Resource Optimization: Demonstrate full workflow capabilities through integrated Source to Image (S2I) solutions when infrastructure is underutilized.