Protecting Container Registry resources with context-based restrictions
Context-based restrictions give account owners and administrators the ability to define and enforce access restrictions for IBM Cloud® resources based on the context of access requests. Access to IBM Cloud® Container Registry resources can be controlled with context-based restrictions and identity and access management (IAM) policies.
These restrictions work with traditional IAM policies, which are based on identity, to provide another layer of protection. Unlike IAM policies, context-based restrictions don't assign access. Context-based restrictions check that an access request comes from an allowed context that you configure. Because both IAM access and context-based restrictions enforce access, context-based restrictions offer protection even in the face of compromised or mismanaged credentials. See What are context-based restrictions? for more information.
A user must have the Administrator role on the Container Registry service to create, update, or delete rules. A user must also have either the Editor or Administrator role for context-based restrictions to create, update, or delete network zones. A user with the Viewer role for the context-based restrictions can add network zones to a rule.
Any IBM Cloud Activity Tracker, IBM Cloud Logs, or audit log events generated come from the context-based restrictions, not Container Registry. For more information, see Monitoring context-based restrictions.
As of 28 March 2024, the IBM Cloud Activity Tracker service is deprecated and will no longer be supported as of 30 March 2025. Customers will need to migrate to IBM Cloud Logs before 30 March 2025. During the migration period, customers can use IBM Cloud Activity Tracker along with IBM Cloud Logs. Activity tracking events are the same for both services. For more information about migrating from IBM Cloud Activity Tracker to IBM Cloud Logs and running the services in parallel, see migration planning.
Container Registry is a service that is integrated with context-based restrictions. For more information, see Services that are integrated with context-based restrictions.
To find out how to protect your Container Registry resources with context-based restrictions, see the Leveraging context-based restrictions to secure your resources tutorial.
How Container Registry integrates with context-based restrictions
You can create context-based restrictions for IBM Cloud Container Registry resources or for specific APIs. With context-based restrictions, you can protect resources, see Protecting specific resources.
Protecting specific resources
When you set up context-based restrictions, the restrictions apply to everything for the selected service in the account unless you select a subset of resources. Container Registry supports the following subset of resources: resource type = namespace
and resource id = YOUR_IMAGE_NAMESPACE
, where YOUR_IMAGE_NAMESPACE
is the namespace of your image. For more information about rules, see Creating rules.
For example, if your image is in the format uk.icr.io/<my_project>/<my_image>:latest
, where <my_project>
is the name of your project and <my_image>
is the name of the image, the
attribute types are as shown in the following table.
Attribute type | Operator | Value |
---|---|---|
Region |
string equals |
London |
Resource Type |
string equals |
namespace |
Resource Name |
string equals |
<my_project> |
The Resource Name value is a namespace, as shown by the ibmcloud cr namespace-list
command.
Limitations
Context-based restrictions protect only the actions that are associated with the IBM Cloud Container Registry API and the Vulnerability Advisor 4 for IBM Cloud Container Registry API. Actions that are associated with the following platform APIs are not protected by context-based restrictions. Reference the API docs for the specific action IDs.
Creating rules
Define restrictions to Container Registry resources by creating rules.
Creating rules in the IBM Cloud console
To create rules in the IBM Cloud console, see Creating rules. When you are asked to select a service, select Container Registry. You can protect all resources, or specific resources, see Protecting specific resources.
The following attribute types for specific resources are available in the IBM Cloud console:
Region
Resource Type
Resource Name
Creating rules by using the CLI
- To create rules from the CLI, install the context-based restrictions CLI plug-in.
- You can use the
ibmcloud cbr rule-create
command to create rules for context-based restrictions. For more information, see Creating rules by using the CLI.
The following example creates a rule that targets the Container Registry service and allows access to your namespace my_namespace
only over the private network in us-south
.
ibmcloud cbr rule-create --description 'Only allow access to my_namespace over the private network' --service-name container-registry --context-attributes endpointType=private --resource-attributes resourceType=namespace,resource=my_namespace --region=us-south
Creating rules by using the API
To create rules in the API, see the API docs and Creating rules by using the API.
After you create a rule, it might take up to 10 minutes to before you can update that rule due to IAM TTL response caching.
Setting up region-based policies for context-based restrictions
For all regions other than global
you can use the region field when you create a rule. So for example, in the CLI for us-south
you use the --region us-south
option. However, because global
is a geography and not a region you must omit the --region
option and add geography=global
into the --resource-attributes
field.
The following example shows the command in us-south
, where <description>
is the description, <accountId>
is your IBM Cloud account ID, <namespace>
is the namespace, and <networkZoneId>
is the network zone ID:
ibmcloud cbr rule-create --description "<description>" --resource-attributes "accountId=<accountId>,serviceName=container-registry,resourceType=namespace,resource=<namespace>" --context-attributes networkZoneId=<networkZoneId> --output json --region us-south
The following example shows the command in global
, where <description>
is the description, <accountId>
is your IBM Cloud account ID, <namespace>
is the namespace, and <networkZoneId>
is the network zone ID:
ibmcloud cbr rule-create --description "<description>" --resource-attributes "accountId=<accountId>,serviceName=container-registry,resourceType=namespace,resource=<namespace>,geography=global" --context-attributes networkZoneId=<networkZoneId>