IBM Cloud Container Registry architecture and workload

IBM Cloud® Container Registry is a multi-tenant, highly available, scalable, and encrypted private image registry (a storage and distribution service that contains public or private images that are used to create containers) that's hosted and managed by IBM.

Both the control plane (management of images and configuration) and data plane (pushing and pulling your images) are multi-tenant. All parts of the service are hosted in an IBM service account, which is not shared with users or other services.

In each regional instance of the registry, the service runs in three physically separate data centers to ensure availability. All data and the configuration for each instance of the registry are retained within the region in which it is hosted. The global instance is also hosted in physically separate data centers. The data centers might not be in the same region as each other. For more information about regions, see Regions.

IBM Cloud Container Registry runs in IBM Cloud Kubernetes Service clusters, and uses IBM Cloud Object Storage to store images. Image data in IBM Cloud Object Storage is encrypted at rest.

Diagram showing deployment.

Segmentation of data

Segmentation of data within IBM Cloud Container Registry is achieved by using private namespaces, which are strictly owned by single accounts. A namespace is a collection of repositories that store images in a registry. A namespace is associated with an IBM Cloud account, which can include multiple namespaces.

You can control access to namespaces within the account by using Cloud Identity and Access Management (IAM) access policies. Storage in IBM Cloud Object Storage is not segmented, but user accounts do not have direct access to the IBM Cloud Object Storage that contains the image data. For more information, see Managing IAM access for IBM Cloud Container Registry.

All traffic to the registry, and from the service to IBM Cloud Container Registry dependencies, is encrypted in transit. No additional network-level segmentation of traffic is provided. The control plane and data plane are not separated from each other.

Private connections

You can decide whether your data plane interactions use private connections. Additionally, you can choose to prohibit public data plane connections for your account.

The flow of all customer data between IBM Cloud Container Registry and its dependencies uses private network connections. For more information about private connections, see Securing your connection to IBM Cloud Container Registry.