Tokens manage access to your Container Registry effectively and efficiently. Tokens serve as secure authentication methods, eliminating the need for personal credentials to be used during Continuous Integration and Continuous Deployment (CI/CD) processes. Personal credential management can become cumbersome and impractical as your services and deployments expand. Tokens provide a scalable solution for access control.
In order to minimize the permissions given to each token, you can also use:
Scopes to limit each token as narrowly as possible to specific resources and to the actions it is permitted to perform on those resources, which enhances security during artifact deployment. Each token can link to an individual or service, simplifying the audit process and strengthening the ability to monitor registry activity.
Expiration dates to ensure that the permissions of tokens can be automatically revoked after a period of time.
Distinct tokens for each environment to ensure access appropriately aligns with each environment's requirements and your security policies.
1. In the DCD, go to Menu > Containers > Container Registry.
2. In the Container Registry Manager, select the Container Registry that you want to configure.
3. Click Add Token in the Tokens tab to create a new token.
4. Provide the following details:
Name: Enter a Name for the token. It is a user-visible name making it simple to recognize the token.
Notes:
It is not possible to change the token name later.
The registry name:
must contain only alphanumeric characters and dashes.
must be between 3 and 63 characters in length.
must begin with a character between a-z.
must end with an alphanumeric character.
Status: Turn on the toggle button to enable the status. The token can be disabled later.
Expiry Date: Select Expire on (minimum 1 hour) to enter an expiry date. Otherwise, select No expiry.
Note: The Expiry Date must be at least one hour in the future. When the Expiry Date is reached, the token is deleted, not disabled.
Scopes: Define all actions the token has permission to perform and on which repositories. Provide the following details:
Type: Select either of the following types:
Registry: Select it to create a token to get the list of repositories in the registry.
Repository: Select it to manage the contents of the repository(s).
Path: Enter the names of repositories to which the token will have access. * can be used as a wildcard. * will provide access to all repositories.
Action: Select one or more of the following actions for the token:
Admin: Select Admin if you want to allow the token to delete artifacts from the repository.
Push: Select Push if you want the token to push new artifacts to the repository. When choosing Push, you must also set the Pull action for the token.
Pull: Select Pull if you want this token to be able to pull artifacts from the repository.
Note: You can set a single scope when you add a token; however, further scopes can be added later at any time. For more information, see Adding scopes to a token.
5. Click Add Token.
Result: You will get the Docker Login command using the newly created token along with all the details of the newly created credential.
Note: You will only have access to this token's password at this time. We recommend that you save the token safely and securely because the password cannot be recovered.
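The rules in step 4 can be checked before a token is created. The following is an added example, not IONOS code: the dictionary layout and the lint_token function are hypothetical and do not reflect the API schema, the sample tokens are constructed, and the name pattern assumes lowercase-only, a stricter reading of the naming rules.

```python
import re
from datetime import datetime, timedelta, timezone

# Naming rules from step 4: 3-63 characters, alphanumeric and dashes,
# begins with a-z, ends alphanumeric. Lowercase-only is an assumption.
NAME_RE = re.compile(r"[a-z][a-z0-9-]{1,61}[a-z0-9]")


def lint_token(token, now=None):
    """Return (level, message) findings for a hypothetical token definition."""
    now = now or datetime.now(timezone.utc)
    findings = []
    if not NAME_RE.fullmatch(token["name"]):
        findings.append(("error", "name violates the naming rules"))
    expiry = token.get("expiry")  # None models the "No expiry" option
    if expiry is None:
        findings.append(("warn", "no expiry: access is never revoked automatically"))
    elif expiry < now + timedelta(hours=1):
        findings.append(("error", "expiry must be at least one hour in the future"))
    for scope in token["scopes"]:
        actions = set(scope["actions"])
        where = f'{scope["type"]}:{scope["path"]}'
        if "push" in actions and "pull" not in actions:
            findings.append(("error", f"{where}: push also requires pull"))
        if "*" in scope["path"]:
            findings.append(("warn", f"{where}: wildcard path widens access"))
        if "admin" in actions:
            findings.append(("warn", f"{where}: admin allows deleting artifacts"))
    return findings


# Constructed sample definitions (not real tokens or repositories).
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
CI_PULL = {
    "name": "ci-prod-pull",
    "expiry": NOW + timedelta(days=30),
    "scopes": [{"type": "repository", "path": "shop/api", "actions": ["pull"]}],
}
BROAD = {
    "name": "Deploy_All",
    "expiry": None,
    "scopes": [{"type": "repository", "path": "*", "actions": ["push", "admin"]}],
}

if __name__ == "__main__":
    for tok in (CI_PULL, BROAD):
        print(tok["name"], lint_token(tok, NOW))
```

Errors are settings the rules above reject; warnings are permitted settings that work against the least-privilege guidance at the top of this page.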
1. In the DCD, go to Menu > Containers > Container Registry.
2. In the Container Registry Manager, select the Container Registry that you want to configure.
3. Select the Tokens tab.
4. Identify the token you want to edit and click on the ⋮ on the right side of the table and select Edit.
5. Provide the updated information for the following fields:
Status
Expiry Date (if required)
6. Click Save.
1. In the DCD, go to Menu > Containers > Container Registry.
2. In the Container Registry Manager, select the Container Registry that you want to configure.
3. Navigate to the Tokens section.
4. Identify the token you want to edit and click on the ⋮ on the right side of the table and select the Manage Scope option from the drop-down list.
5. Complete the following fields:
Type: Select either of the following types:
Registry: Select it to create a token to get the list of repositories in the registry.
Repository: Select it to manage the contents of the repository(s).
Path: Enter the names of repositories to which the token will have access. * can be used as a wildcard. * will provide access to all repositories.
Action: Select one or more of the following actions for the token:
Admin: Select Admin if you want to allow the token to delete artifacts from the repository.
Push: Select Push if you want the token to push new artifacts to the repository. When choosing Push, you must also set the Pull action for the token.
Pull: Select Pull if you want this token to be able to pull artifacts from the repository.
6. Click Add Scope.
7. Repeat steps 5 and 6 for additional scopes.
8. Click X to close the window.
1. In the DCD, go to Menu > Containers > Container Registry.
2. In the Container Registry Manager, select the Container Registry that you want to configure.
3. Select the Tokens tab.
4. Identify the token you want to edit and click on the ellipsis on the right side of the table and select Manage Scope.
5. Identify the scope that is not required and click x Remove or use x Remove all.
6. Click X to close the window.
1. In the DCD, go to Menu > Containers > Container Registry.
2. In the Container Registry Manager, select the Container Registry from which you want to delete the token.
3. Select the Tokens tab.
4. Identify the token you want to delete and click on the ellipsis on the right side of the table and select x Delete.
5. Review and confirm that you wish to delete the token. This action is irreversible.
The IONOS Cloud Container Registry service allows you to manage OCI-compatible artifacts (including Docker images) for use by your managed Kubernetes clusters. Use a container registry to make sure you have a private registry to support pulling artifacts effectively.
Learn how to create a Container Registry using the DCD.
Create, update, and delete tokens that control access to your Container Registry.
Set up a Garbage Collection to release space when it is no longer in use.
Enable vulnerability scanning of the artifacts in your container registry to keep up with any CVEs found in your software supply chain.
Review the results of the vulnerability scans performed on the contents of your container registry.
Delete a repository that you no longer need.
Delete a registry that you no longer need.
Each Container Registry has an option to configure the Garbage Collection schedule. By default, Garbage Collection is disabled because each customer should choose a schedule based on their needs.
Note: The container registry is read-only during the Garbage Collection to perform a complete analysis without changing the repositories.
Garbage Collection frees up storage space used by layer data that is no longer referenced. It optimizes the volume of storage needed for each Container Registry and is necessary if all your artifacts use the same base operating system. Because each layer can be referenced by more than one artifact, Garbage Collection confirms that no other artifact references a layer before deleting it.
The duration of the Garbage Collection will increase based on the volume of deleted repositories or tags and the total number of repositories and tags to be checked.
Note: Container Registries cannot immediately reduce storage usage when deleting artifacts or repositories.
Garbage Collection ensures the registry maintains data integrity while periodically cleaning up unused storage to optimize resource utilization.
1. In the DCD, go to Menu > Containers > Container Registry.
2. In the Container Registry Manager, select the Container Registry you want to configure.
3. Click > on the right of the Garbage Collection schedule in the Properties section.
4. Select the Day(s) and Time(UTC) to run the Garbage Collection on a weekly basis and click Update Schedule.
Note: You can configure it via the API for more granular and customized control over the Garbage Collection schedule.
Prerequisites: Make sure you have the appropriate permissions. Only contract administrators, owners, and users with the Manage Registry permission can create a Container Registry.
1. In the DCD, go to Menu > Containers > Container Registry.
2. In the Container Registry Manager, click Add a Registry to start creating a new container registry.
3. Provide an appropriate Name.
Note:
It is not possible to change the registry name later.
The registry name:
must be globally unique across all customers.
must contain only alphanumeric characters and dashes.
must be between 3 and 63 characters in length.
must begin with a character between a-z.
must end with an alphanumeric character.
4. Choose the Location where you want your container registry to be run and the artifacts to be stored from the drop-down list.
Note: It is not possible to change the Location later.
5. Turn on the Vulnerability Scanning toggle so that your Container Registry is created with the vulnerability scanning enabled.
Note: We recommend that you create your Container Registry with Vulnerability Scanning enabled.
Vulnerability Scanning gives you the benefit of all artifacts being scanned for CVEs when pushed into a Container Registry and every time CVE databases are updated with newly identified CVEs. It is possible to add Vulnerability Scanning to a Container Registry. Once Vulnerability Scanning is enabled, it cannot be disabled later.
6. Click Add Registry. Your Container Registry and storage will be created.
Result: Your Container Registry is ready to use when its status is updated to Running.
Each Container Registry can provide a detailed analysis of Common Vulnerabilities and Exposures (CVEs) that may be exploitable in your artifacts. For more information, see Enable Vulnerability Scanning.
Vulnerability scan results provide detailed information about the security of your artifacts at different levels. The following sections provide more information.
When new vulnerabilities are identified, you may want to search your entire Container Registry to see if any of the artifacts are vulnerable. To do this, you will need the Common Vulnerabilities and Exposures (CVE) number. Every published vulnerability or security issue is assigned a unique CVE number.
1. In the DCD, go to Menu > Containers > Container Registry.
2. In the Container Registry Manager, select the Container Registry that you want to search, and click on the Vulnerability Search section.
3. Enter the full CVE number of the vulnerability you want to search for.
Result: A list of artifacts known to be vulnerable to the CVE is displayed.
To ensure that your artifacts, and the software supply chain they rely on, remain secure, you will need to review the results of the vulnerability scan periodically. The first step in this review process will be to see which repositories contain vulnerabilities.
1. In the DCD, go to Menu > Containers > Container Registry.
2. In the Container Registry Manager, select the Container Registry that you want to review.
Result: You will see a list of repositories in the registry. The VULNERABILITIES column shows you the highest severity vulnerability in the last artifact pushed to the repository.
Note: Depending on the content of your registry, there may be too many repositories to list on a single page. Remember to use per page to set the number of repositories displayed per page and to navigate between pages using < and >.
You can review which artifacts in a specific repository are exposed to vulnerabilities. This approach will show you which artifacts have known fixes, as well as when each artifact was last pushed (that is, when updates have been made) and when it was last pulled, which often aligns with software being deployed to an environment.
1. In the DCD, go to Menu > Containers > Container Registry.
2. In the Container Registry Manager, select the Container Registry that you want to review.
3. Select the repository that you want to review.
Result: You can now see all artifacts in the repository listed by artifact and displaying the following:
the tag used when pushing the artifact to the repository.
the VULNERABILITIES column shows you the highest severity vulnerability in the artifact at the time of the LAST SCAN.
the LAST PUSH date and time.
the LAST PULL date and time.
Note: Depending on the content of your repository, there may be too many artifacts to list on a single page. Remember to use per page to set the number of artifacts displayed per page and to navigate between pages using < and >.
1. In the DCD, go to Menu > Containers > Container Registry.
2. In the Container Registry Manager, select the Container Registry that you want to review.
3. Select the repository that you want to review.
4. Select the artifact you want to view.
Result: You can now see a list of all known CVEs that the artifact is vulnerable to.
You can filter the list by SEVERITY.
You can filter the list to only show those vulnerabilities that are reported as FIXABLE.
When you have found a specific CVE, either by viewing vulnerability scan results for a specific artifact or by finding artifacts that are vulnerable to a specific CVE, you can see more details about the CVE by clicking on the CVE identification number. This will provide additional information about the vulnerability and may include references to third-party sites where additional information can be found.
Note: The action of deleting a registry is not reversible.
1. In the DCD, go to Menu > Containers > Container Registry.
2. In the Container Registry Manager, select the Container Registry you want to delete.
3. In the Properties section, select the Delete icon to delete your Container Registry.
4. Confirm the action by selecting Delete Registry.
Note: The action of deleting a repository is not reversible.
1. In the DCD, go to Menu > Containers > Container Registry.
2. In the Container Registry Manager, select the Container Registry that you want to review.
3. Select the repository you want to delete and click ⋮ on the right side of the table and select Delete.
4. Review and confirm that you wish to delete the repository.
Software development is constantly evolving, and security is a top priority. The Vulnerability Scanning feature is specifically designed to enhance the security of your containerized applications by proactively identifying potential vulnerabilities present in your artifacts. Scans take place every time an artifact is pushed to the registry and when new vulnerability definitions are published. This allows for quick detection of any security weaknesses in container dependencies and libraries, allowing you to react immediately to prevent exploitation.
Adopting the scanning feature is not just about maintaining security; it is also essential for complying with industry regulations, managing risks effectively, and sustaining the trust of your users. You can integrate the feature into your CI/CD pipeline, providing continuous security assessments to keep your containers safe in a fast-paced development environment.
We prioritize detected vulnerabilities based on severity, enabling you to focus on the most critical issues. Our recommendations for patch management, minimizing the attack surface, and using trusted base artifacts form part of a comprehensive security posture. By adopting the Vulnerability Scanning feature, you are taking a proactive approach to enable your team to safeguard your applications against emerging threats, ensuring the integrity of your software delivery.
For more information, see View Vulnerability Scan Results.
Note: Our price list provides comprehensive details about the costs associated with our various products and services. IONOS offers an enhanced add-on service, which operates on a pay-as-you-go model similar to our basic container registry. This means that the cost will scale according to your usage, providing you with the flexibility to control your expenses. For more information, see price list.
Note: While we strive to provide accurate and up-to-date vulnerability information, it's important to note that the scanning results are contingent on the contents of third-party, market-leading vulnerability database(s). IONOS is not responsible for any missing definitions or inaccuracies in the database.
1. To add Vulnerability Scanning to a Container Registry, go to Menu > Containers > Container Registry.
2. In the Container Registry Manager, select the Container Registry you want to enable Vulnerability Scanning for.
3. Navigate to the Properties section and click on Enable in the Vulnerability Scanning area.
4. Confirm the action to enable Vulnerability Scanning.