Registry Security and Access Control

Container registries store and distribute images, making registry security critical for image security. Compromised registries can serve malicious images to entire organizations. Registry security requires access controls, vulnerability scanning, audit logging, and secure communication channels.

Private registries provide better security control than public registries. Organizations can enforce authentication, implement role-based access control, and audit all registry operations. Harbor, Quay, and cloud provider registries offer enterprise features including vulnerability scanning, image signing, and replication.

```yaml
# Harbor registry configuration with security policies
apiVersion: v1
kind: ConfigMap
metadata:
  name: harbor-config
  namespace: harbor-system
data:
  harbor.yml: |
    # Security configurations: delegate login to the corporate OIDC provider
    auth_mode: oidc_auth

    oidc:
      name: company_oidc
      endpoint: https://auth.company.com
      client_id: harbor
      client_secret: ${OIDC_SECRET}   # injected from a Secret, never committed in plain text
      scope: openid,profile,email,groups
      verify_cert: true               # reject an OIDC endpoint with an untrusted certificate
      auto_onboard: false             # accounts are provisioned explicitly, not on first login
      user_claim: email
      groups_claim: groups
      admin_group: harbor-admins

    # Vulnerability scanning
    clair:
      updaters_interval: 12h

    trivy:
      skip_update: false     # keep the vulnerability database current
      ignore_unfixed: false  # report findings even when no fix is available yet
      insecure: false        # do not skip TLS certificate verification

    # Image retention policies: a tag is kept if any matching rule retains it
    retention:
      - rule: tag
        pattern: "v*"
        retain: 10
      - rule: days
        pattern: "latest"
        retain: 7
      - rule: always
        pattern: "release-*"

    # Immutable image tags: matching tags can be created but never overwritten
    immutable_tag_rules:
      - pattern: "release-*"

    # Quota management
    storage_quota:
      per_project: 100GB
      global: 10TB

---
# NetworkPolicy for registry isolation
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: registry-network-policy
  namespace: harbor-system
spec:
  podSelector:
    matchLabels:
      app: harbor
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    # Peers listed under one 'from' are ORed: traffic from either source is allowed
    - namespaceSelector:
        matchLabels:
          registry-access: allowed
    # A bare podSelector only matches pods in this policy's namespace (harbor-system)
    - podSelector:
        matchLabels:
          component: nginx-ingress
    ports:
    - protocol: TCP
      port: 443
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          name: kube-system
    ports:
    - protocol: UDP
      port: 53    # DNS only
  - to:
    - ipBlock:
        cidr: 10.0.0.0/8
    ports:
    - protocol: TCP
      port: 5432  # PostgreSQL
```
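The retention and immutable-tag rules in the configuration above are easier to reason about with a model you can run. The following Python is an added example, not Harbor's own implementation: it evaluates a constructed tag list against the three retention rules (keep the newest N, keep for N days, always keep) and checks whether a push may overwrite an immutable tag. The rule keys and the `Tag` type are assumptions for this example; Harbor's real retention engine runs server-side and its rule semantics differ in detail.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class Tag:
    name: str
    pushed: datetime  # time the tag was last pushed (UTC)

# Rules mirror the retention and immutable_tag_rules fragments in the config above (assumed keys).
RETENTION_RULES = [
    {"rule": "tag", "pattern": "v*", "retain": 10},      # keep the 10 most recently pushed v* tags
    {"rule": "days", "pattern": "latest", "retain": 7},  # keep 'latest' only if pushed within 7 days
    {"rule": "always", "pattern": "release-*"},          # release tags are never garbage-collected
]
IMMUTABLE_PATTERNS = ["release-*"]

def tags_to_retain(tags, rules=RETENTION_RULES, now=None):
    """Return the names of tags to keep: a tag survives if ANY matching rule keeps it."""
    now = now or datetime.now(timezone.utc)
    keep = set()
    for rule in rules:
        matching = [t for t in tags if fnmatchcase(t.name, rule["pattern"])]
        if rule["rule"] == "always":
            keep.update(t.name for t in matching)
        elif rule["rule"] == "days":
            cutoff = now - timedelta(days=rule["retain"])
            keep.update(t.name for t in matching if t.pushed >= cutoff)
        elif rule["rule"] == "tag":
            newest = sorted(matching, key=lambda t: t.pushed, reverse=True)
            keep.update(t.name for t in newest[: rule["retain"]])
    return keep

def tags_to_delete(tags, rules=RETENTION_RULES, now=None):
    """Complement of tags_to_retain: what a garbage-collection run would remove."""
    return {t.name for t in tags} - tags_to_retain(tags, rules, now)

def push_allowed(tag_name, existing_tags, patterns=IMMUTABLE_PATTERNS):
    """An immutable tag may be created once but never overwritten by a later push."""
    exists = any(t.name == tag_name for t in existing_tags)
    immutable = any(fnmatchcase(tag_name, p) for p in patterns)
    return not (exists and immutable)

# Constructed sample repository state for the example (not real registry data).
NOW = datetime(2024, 1, 31, tzinfo=timezone.utc)
SAMPLE_TAGS = [Tag(f"v{i}", NOW - timedelta(days=100 - i)) for i in range(1, 13)]  # v12 is newest
SAMPLE_TAGS += [Tag("latest", NOW - timedelta(days=10)), Tag("release-1.0", NOW - timedelta(days=400))]

if __name__ == "__main__":
    print("delete:", sorted(tags_to_delete(SAMPLE_TAGS, now=NOW)))  # ['latest', 'v1', 'v2']
    print("overwrite release-1.0 allowed:", push_allowed("release-1.0", SAMPLE_TAGS))  # False
```

Note that `latest` is dropped here only because the constructed sample pushed it ten days ago; a fresh push would keep it for another seven days.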

Registry replication provides availability and performance benefits while maintaining security. Replication can create geo-distributed registries for global deployments or feed air-gapped registries in high-security environments. However, replication must preserve the security properties of the source: the replica must enforce the same access controls and vulnerability scanning as the registry it copies from, or it becomes the weak point in image distribution.