Release notes for Container Registry

To ensure continued worldwide performance for global registry (icr.io) in IBM Cloud® Container Registry, a content delivery network (CDN) is being enabled that means that you might have to adjust your firewall settings. If you need to adjust your firewall settings, you must adjust them by 4 September 2024.

For more information, see Important firewall changes from 4 September 2024 for users that pull IBM Cloud Container Registry images from global (icr.io).

Vulnerability Advisor version 3 is discontinued.

For more information about how to update to Vulnerability Advisor version 4, see Vulnerability Advisor version 3 is being discontinued on 13 November 2023.

Vulnerability Advisor version 3 is being discontinued on 13 November 2023. If you have version 3 set as the default, you must update to Vulnerability Advisor version 4 by 13 November 2023. If you are already using version 4, no action is required.

For more information about how to update to version 4, see Vulnerability Advisor version 3 is being discontinued on 13 November 2023.

The following IBM Cloud Container Registry commands now have an output option for JSON format:

• ibmcloud cr exemption-add
• ibmcloud cr exemption-list
• ibmcloud cr exemption-types
• ibmcloud cr image-list
• ibmcloud cr namespace-list
• ibmcloud cr plan
• ibmcloud cr quota
• ibmcloud cr retention-policy-list

For more information about the IBM Cloud Container Registry commands, see IBM Cloud Container Registry CLI

The --json option is replaced with the --output json option in the following commands:

• ibmcloud cr image-digests
• ibmcloud cr image-prune-untagged
• ibmcloud cr image-retention-run
• ibmcloud cr trash-list

For more information about the IBM Cloud Container Registry commands, see IBM Cloud Container Registry CLI

The Vulnerability Advisor component of IBM Cloud® Container Registry is being updated.

Vulnerability Advisor version 3 is being deprecated as the default on 19 June 2023. From 19 June 2023, the default will be Vulnerability Advisor version 4. If you have version 3 set as the default, you can continue to use version 3 until the end of support date. An end of support date is not available yet.

For more information, see Update Vulnerability Advisor to version 4 by 19 June 2023.

Virtual private endpoints are changing.

On 11 November 2022, virtual private endpoints (VPEs) for IBM Cloud Container Registry are being updated and the existing VPE version is being deprecated on 15 December 2022. If you use Container Registry VPE gateways, you must create new VPE gateways and remove your VPE gateways that were created before 11 November 2022 at the earliest opportunity so that you pick up these changes. VPE gateways that were created before 11 November 2022 are deprecated and will not work after 15 December 2022.

If you create a new Container Registry VPE gateway after 11 November 2022 and also use Cloud Identity and Access Management (IAM) restricted IP address lists, you must ensure that your restricted IP address list contains the Cloud Service Endpoint (CSE) source IP addresses of the VPCs in which your Container Registry VPE gateways exist. This requirement is related to a previous change to how Container Registry works over the private network that the new VPE version also uses, see Container Registry private IP addresses changed on 5 July 2022.

For more information, see Changes to Container Registry VPE gateways from 11 November 2022.

The IBM Cloud Container Registry private IP addresses that were replaced on 5 July 2022 are being decommissioned on 15 December 2022.

IP addresses for accessing Container Registry over the private network changed on 5 July 2022, see Container Registry private IP addresses changed on 5 July 2022. You continue to be able to use these old IP addresses, but they are due to be decommissioned on 15 December 2022. After this date, you will not be able to access Container Registry by using these IP addresses.

For more information, see Changes to private IP addresses from 15 December 2022.

A new version, version 1.0.0, of the Container Registry CLI plug-in is available. To update the version of your Container Registry CLI plug-in, see Updating the container-registry CLI plug-in.

Version 1.0.0 includes Vulnerability Advisor 4.

In version 1.0.0, the ibmcloud cr image-list and ibmcloud cr image-digests commands no longer include security status by default. To include security status, you can either add the --va option to the command, or use the ibmcloud cr va command to query the security status for an individual image.

For more information, see Container Registry CLI stops returning security status results in lists by default from version 1.0.0.

All releases of version 0.1 of the Container Registry CLI plug-in are deprecated. You can continue to use releases of version 0.1, but version 1.0.0 is available for you to use. Version 0.1 will continue to be updated with any required updates until 15 September 2023. To update the version of your CLI plug-in, see Updating the container-registry CLI plug-in.

From Container Registry plug-in 1.0.0, you can choose whether to use Vulnerability Advisor version 3 or version 4 to run your commands. Vulnerability Advisor 4 is available from version 1.0.0 of the Container Registry plug-in. Vulnerability Advisor 3 is the default.

If you want to continue to use version 3, you don't need to do anything.

If you want to use version 4 to run the ibmcloud cr va, ibmcloud cr image-list, or ibmcloud cr image-digests commands, see Setting the version of Vulnerability Advisor.

For more information about Vulnerability Advisor, see About Vulnerability Advisor. For more information about Vulnerability Advisor API 4, see Vulnerability Advisor 4 for IBM Cloud Container Registry.

From Container Registry plug-in 1.0.0, you can use new commands to check and set Vulnerability Advisor versions.

If you want to continue to use version 3, you don't need to do anything.

If you want to use version 4, you can set the version by running the ibmcloud cr va-version-set command.

For more information about setting the version by using the ibmcloud cr va-version-set command, see ibmcloud cr va-version-set and Setting the version of Vulnerability Advisor.

To find out which version of Vulnerability Advisor that you're running, see ibmcloud cr va-version.

From IBM Cloud Container Registry CLI plug-in version 1.0.0, when you use the ibmcloud cr image-list and ibmcloud cr image-digests commands to list images, they return Vulnerability Advisor security status results only if you use the --va option.

If you want to continue to receive security status with your lists, prepare to upgrade by adding the new --va option to your commands.

For more information, see Container Registry CLI stops returning security status results in lists by default from version 1.0.0.

You can use context-based restrictions to define and enforce access restrictions for IBM Cloud resources based on the network location of access requests.

For more information, see Protecting Container Registry resources with context-based restrictions.

If you're using Cloud Identity and Access Management (IAM) restricted IP address lists and you are connecting to Container Registry over the private network, your lists of allowed IP addresses must now include the private subnet and IP addresses of your own hosts. The IBM Cloud Container Registry private IP addressees also changed. This change also affects you if you have allowlists or a firewall rule.

For more information, see Container Registry private IP addresses changed on 5 July 2022 and Using IAM IP address access restrictions.

To access IBM Cloud Container Registry, you must be using Cloud Identity and Access Management (IAM) access policies. You must ensure that you are using IAM access policies to manage access to the Container Registry service.

Policy-free authorization is discontinued in the following Container Registry regions:

• us-south (us.icr.io)
• uk-south (uk.icr.io)
• eu-central (de.icr.io)
• ap-south (au.icr.io)
• ap-north (jp.icr.io)

Other regions are unaffected because they already require IAM access policies for all accounts.

For more information, see IAM access policies are required from 5 July 2022 and Defining IAM access policies.

If you're using Cloud Identity and Access Management (IAM) restricted IP address lists and you're connecting to Container Registry over the private network in the br-sao and ca-tor regions, your lists of allowed IP addresses must now include the private subnet and IP addresses of your own hosts. The IBM Cloud Container Registry private IP addressees also changed. This change also affects you if you have allowlists or a firewall rule. Other regions are not affected yet.

For more information, see Container Registry private IP addresses changed on 5 July 2022 and Using IAM IP address access restrictions.

By 23 June 2022, if you're using Cloud Identity and Access Management (IAM) restricted IP address lists and you're connecting to Container Registry over the private network, you must update your lists of allowed IP addresses to include the private subnet and IP addresses of your own hosts. The IBM Cloud Container Registry private IP addressees are also changing, which might require updates to your firewall configuration.

For more information, see Container Registry private IP addresses changed on 5 July 2022.

From 5 July 2022, to access IBM Cloud Container Registry, you must be using Cloud Identity and Access Management (IAM) access policies. If you started to use Container Registry before the availability of IAM API key policies in Container Registry in February 2019, you must now ensure that you're using IAM access policies to manage access to the Container Registry service.

Policy-free authorization will be discontinued in the following Container Registry regions:

• us-south (us.icr.io)
• uk-south (uk.icr.io)
• eu-central (de.icr.io)
• ap-south (au.icr.io)
• ap-north (jp.icr.io)

Other regions are unaffected because they already require IAM access policies for all accounts.

For more information, see IAM access policies are required from 5 July 2022 and Defining IAM access policies.

From 2 February 2022, all regions require separate exemption policy management. Exemption policies are used to exclude any matching vulnerabilities or configuration issues from Vulnerability Advisor reports. You can set an exemption policy by running the ibmcloud cr exemption-add command, see Setting organizational exemption policies.

For more information, see IBM Cloud Container Registry Is Ending Exemption Synchronization Across Regions.

From 1 February 2022, IBM Cloud Container Registry is charging for the storage that is used by untagged images. To reduce the amount that you're charged, you can clean up your namespaces by deleting untagged images. You can also free up used storage and change service plans or quota limits to stay within given quota limits.

For more information, see Starting 1 February 2022, IBM Cloud Container Registry will be billing for the storage that is used by untagged images.

You can view Activity Tracker events for Red Hat Signing operations.

For more information, see Auditing events for Container Registry.

As a security or compliance focal, you can use the Govern resources section of the Security and Compliance Center dashboard to define configuration rulesA JSON document that defines the configuration of resources and validates the compliance based on security requirements when a resource is created or modified. for Container Registry.

For more information, see Managing security and compliance for Container Registry.

The Notary v1 service that supports Docker Content Trust and docker trust commands in Container Registry is discontinued from 1 November 2021.

Container Registry supports the Red Hat Signing model. For more information, see Signing images for trusted content by using Red Hat signatures.

The ibmcloud cr build command is discontinued from 5 October 2021. You can use Tekton pipelines instead.

For more information, see IBM Cloud Container Registry is Deprecating Container Builds or Container Registry is deprecating container builds - act by 6 September 2021.

The Notary v1 service for signing images is deprecated. It is being removed from Container Registry on 31 August 2021.

As an alternative approach, Container Registry supports the Red Hat Signing model. For more information, see Signing images for trusted content by using Red Hat signatures.

With effect from 19 November 2020, Container Image Security Enforcement is deprecated. To enforce container image security, you can use Portieris. You can use Portieris to control where images are deployed from, enforce Vulnerability Advisor policies, and ensure that content trust is properly applied to the image.

For more information, see Enforcing container image security by using Portieris.

You can use the ibmcloud cr platform-metrics command to enable and disable platform metrics, and to find out whether you have platform metrics set up on your account.

For more information, see Monitoring metrics for IBM Cloud Container Registry.

The ibmcloud cr build command, which builds an image in IBM Cloud and pushes it to Container Registry, is deprecated from 6 October 2020. You can use Tekton pipelines instead.

For more information, see IBM Cloud Container Registry is Deprecating Container Builds.

When you want to set up an exemption policy, you can set the scope by namespace, repository, digest, or tag. You can set an exemption policy by running the ibmcloud cr exemption-add command.

For more information, see Setting organizational exemption policies.

From 12 August 2020, UAA tokens are no longer accepted for authentication. At the moment, registry tokens continue to be accepted, but their use is deprecated.

For more information, see Announcing End of IBM Cloud Container Registry Support for UAA Tokens.

If you want to manage your Vulnerability Advisor exemption policies for security issues, depending on the task that you want to complete, you might have to update your access role.

For more information, see Access roles for configuring Container Registry.

Namespaces are created in resource groups so that access to resources within a namespace can be configured at the resource group level. If a namespace isn't already in a resource group, you can assign the namespace to a resource group.

• Namespaces created in version 0.1.485 of the Container Registry CLI or later, or in the IBM Cloud console on or after 29 July 2020, are created in a resource group that you specify so that you can configure access to resources within the namespace at the resource group level. However, you can still set permissions for the namespace at the account level or in the namespace itself. For more information, see Set up a namespace and ibmcloud cr namespace-add.

• Namespaces created in version 0.1.484 of the Container Registry CLI or earlier, or in the IBM Cloud console before 29 July 2020 aren't assigned to resource groups. You can assign an existing namespace to a resource group so that you can configure access to resources within a namespace at the resource group level. For more information, see Assigning existing namespaces to resource groups and ibmcloud cr namespace-assign.

• You can find out which namespaces are assigned to resource groups and which are unassigned by running the ibmcloud cr namespace-list command with the -v option.

When you want to restore an image, you can restore either by tag or by digest. Restoring by digest restores the digest and all its tags in the repository that aren't already in the live repository. You can restore an image by running the ibmcloud cr image-restore command.

For more information, see Restoring images.

Retention policies now include untagged images by default when they calculate what to retain. You can use the retain-untagged option for the ibmcloud cr retention-policy-set and ibmcloud cr retention-run commands to keep all untagged images and delete only tagged images. You can view the value of retain-untagged for each retention policy by running the ibmcloud cr retention-policy-list command.

For more information, see Cleaning up your namespaces.

The ibmcloud cr image-prune-untagged command deletes all untagged images in your Container Registry account.

For more information, see ibmcloud cr image-prune-untagged and Clean up your namespaces by deleting untagged images.

If you use cloud-based services for production workloads, you can use a secure private connection so that you can ensure that you adhere to any compliance regulations. You can use IBM Cloud service endpoints to connect to IBM Cloud services over the private IBM Cloud network.

For more information, see Securing your connection to Container Registry and IBM Cloud Container Registry architecture and workload.

You can use the ibmcloud cr private-only command to prevent image pulls or pushes over public network connections for your account.

For more information, see ibmcloud cr private-only.

The use of UAA and Container Registry tokens is deprecated. From 12 August 2020, UAA tokens are not accepted for authentication.

For more information, see Announcing End of IBM Cloud Container Registry Support for UAA Tokens.

The ibmcloud cr image-digests command displays all images in your account, including untagged images.

For more information, see ibmcloud cr image-digests.

Container Registry now supports Red Hat signatures.

For more information, see Signing images for trusted content by using Red Hat® signatures.

The ibmcloud cr manifest-inspect command displays the contents of the manifest for an image.

For more information, see ibmcloud cr manifest-inspect.

Image retention policies retain the specified number of images for each repository within a namespace in Container Registry. All other images in the namespace are deleted.

The following commands are available for you to use to create retention policies so that you can manage your images:

• The ibmcloud cr retention-policy-set command sets up a policy for retaining images for each repository within a namespace.
• The ibmcloud cr retention-policy-list command lists the image retention policies for your account.

For more information, see Retaining images.

All deleted images are stored in the trash for 30 days.

The following commands are available for you to use to restore images:

• The ibmcloud cr trash-list command displays all images in the trash in your IBM Cloud account. Images remain in the trash for 30 days after deletion.
• The ibmcloud cr image-restore command restores a deleted image from the trash.

For more information, see Listing images in the trash and Restoring images.

The ibmcloud cr retention-run command cleans up your namespaces by retaining images for each repository within a namespace in Container Registry by applying specified criteria. All other images in the namespace are deleted.

For more information, see ibmcloud cr retention-run and Retaining images.

Use the IBM Cloud Activity Tracker service to track how users and applications interact with the Container Registry service in IBM Cloud.

For more information, see Auditing events for Container Registry.

Remove a tag, or tags, from each specified image in Container Registry. To remove a specific tag from an image and leave the underlying image and any other tags in place, use the ibmcloud cr image-untag command. If you want to delete the underlying image, and all its tags, use the ibmcloud cr image-rm command instead.

For more information, see Removing tags from images in your private repository.

Use the IBM Cloud Activity Tracker service to track how users and applications interact with the Container Registry service in IBM Cloud.

For more information, see Auditing events for Container Registry.

Container Registry is adopting new domain names. The new domain names are available in the IBM Cloud console and the CLI. You can use the new icr.io domain names now. The existing registry.bluemix.net domain names are deprecated, but you can continue to use them until the end of support date. An end of support date is not available yet.

For more information, see Regions and Introducing New IBM Cloud Container Registry Domain Names.

Signatures apply to the whole image name, which includes the domain name. If you're using content trust, you must add new signatures so that you can use content trust under the new domain name.

For more information about signing images, see Signing images for trusted content.

The new cluster image pull secrets for the icr.io domains are authorized by using an Cloud Identity and Access Management (IAM) API key. Therefore, if you want more control over access to your Container Registry resources, you can add IAM access policies. For example, you can change the API key policies in the cluster's pull secret so that images are pulled from a certain registry region or namespace only.

For more information, see Understanding how to authorize your cluster to pull images from a registry.

A new region is available in ap-north. You can use the new region by using the domain name jp.icr.io.

For more information, see Regions.

Using tokens to automate pushing and pulling Docker images to and from your namespaces is deprecated. You must now use API keys to automate access to your Container Registry namespaces so that you can push and pull images.

For more information, see Creating a user API key manually.

Use IBM Cloud Identity and Access Management (IAM) to control access by users in your account to Container Registry. When IAM access policies are enabled for your account in Container Registry, every user that accesses the service in your account must be assigned an IAM access policyA method for granting users, service IDs, and access groups access to account resources. An access policy includes a subject, target, and role. with an IAM user role defined. That policy determines the role that the user has within the context of the service, and what actions the user can perform.

For more information, see Managing IAM access with Cloud Identity and Access Management, Defining IAM access policies, and Granting access to Container Registry resources tutorial.

If you want to manage the security of an IBM Cloud organization, you can use your policy setting to determine whether an issue is exempt or not. You can use Portieris to ensure that deployment is allowed only from images that contain no security issues after accounting for any issues that are exempted by your policy.

For more information, see Setting organizational exemption policies.

Use the IBM Cloud Activity Tracker service to track how users and applications interact with the Container Registry service in IBM Cloud.

For more information, see Auditing events for Container Registry.

Version 3 of the API changes the behavior of the API endpoints that are used to list exemptions. You must check that your use of the API does not rely on the behavior of version 2.

For more information, see Vulnerability Advisor for IBM Cloud Container Registry.

Container Registry provides trusted content technology so that you can sign images to ensure the integrity of images in your registry namespace. By pulling and pushing signed images, you can verify that your images were pushed by the correct party, such as your continuous integration (CI) tools.

For more information, see Signing images for trusted content.

A global registry is available. The global registry domain name doesn't include a region (icr.io). Only public images that are provided by IBM are hosted in this registry.

For more information, see Global registry.

The ibmcloud cr build command is now available for running container builds. You can build a Docker image directly in IBM Cloud or create your own Docker image on your local computer and upload (push) it to your namespace in Container Registry.

For more information, see Building Docker images to use them with your namespace.

IBM Cloud Container Registry is available as a service in IBM Cloud. Container Registry provides a multi-tenant private image registry that you can use to store and share your container images with users in your IBM Cloud account.

For more information about how to use Container Registry, see Getting started with Container Registry.