TechLead
Lesson 23 of 25
Cloud & Kubernetes

Container Registries

Understand container registries (ECR, GCR, ACR, GHCR, Docker Hub), image management, security scanning, and registry best practices

What is a Container Registry?

A container registry is a repository for storing and distributing container images. It serves as the central hub in the container lifecycle — developers push built images to the registry, and Kubernetes pulls images from the registry to run as containers. Choosing and configuring the right registry is critical for security, performance, and reliability.

Popular Container Registries

  • Docker Hub: Public/private repos. Free tier with rate limits. Most popular for open source.
  • GitHub Container Registry (GHCR): Integrated with GitHub. Free for public images. Great for GitHub-based workflows.
  • AWS ECR: Fully managed, integrates with EKS/ECS. Supports cross-region and cross-account replication.
  • Google Artifact Registry: Successor to GCR. Integrates with GKE. Supports multi-format artifacts.
  • Azure ACR: Integrates with AKS. Supports geo-replication and content trust.

Docker Hub

# Login to Docker Hub (use a personal access token, not the account password)
docker login

# Build, tag with the release version, and push
docker build -t my-app:1.0.0 .
docker tag my-app:1.0.0 myuser/my-app:1.0.0
docker push myuser/my-app:1.0.0

# Optionally also move the :latest pointer (a convenience tag for humans;
# deployments should reference the version tag, see "Image Tagging Strategy")
docker tag my-app:1.0.0 myuser/my-app:latest
docker push myuser/my-app:latest

# Pull an image
docker pull myuser/my-app:1.0.0

GitHub Container Registry (GHCR)

# Login to GHCR with a token that has the write:packages scope (read:packages is enough for pulls)
echo $GITHUB_TOKEN | docker login ghcr.io -u USERNAME --password-stdin

# Build and push
docker build -t ghcr.io/myorg/my-app:1.0.0 .
docker push ghcr.io/myorg/my-app:1.0.0

# Pull from GHCR
docker pull ghcr.io/myorg/my-app:1.0.0

AWS Elastic Container Registry (ECR)

# Create an ECR repository
aws ecr create-repository \
  --repository-name my-app \
  --image-scanning-configuration scanOnPush=true \
  --encryption-configuration encryptionType=AES256

# Login to ECR
aws ecr get-login-password --region us-east-1 | \
  docker login --username AWS --password-stdin 123456789012.dkr.ecr.us-east-1.amazonaws.com

# Build, tag, and push
docker build -t my-app .
docker tag my-app:latest 123456789012.dkr.ecr.us-east-1.amazonaws.com/my-app:1.0.0
docker push 123456789012.dkr.ecr.us-east-1.amazonaws.com/my-app:1.0.0

# Set lifecycle policy (auto-delete old images)
# Caution: tagStatus "any" counts tagged images too. If a version that is still
# deployed falls outside the last 10, nodes can no longer pull it when a pod is
# rescheduled. Use "untagged" or a larger countNumber for repositories that serve production.
aws ecr put-lifecycle-policy --repository-name my-app --lifecycle-policy-text '{
  "rules": [{
    "rulePriority": 1,
    "description": "Keep only last 10 images",
    "selection": {
      "tagStatus": "any",
      "countType": "imageCountMoreThan",
      "countNumber": 10
    },
    "action": {
      "type": "expire"
    }
  }]
}'

# Scan an image for vulnerabilities
# (with scanOnPush=true the push already triggered a scan; this re-scans on demand,
# and basic scanning allows one scan per image per 24 hours)
aws ecr start-image-scan \
  --repository-name my-app \
  --image-id imageTag=1.0.0

# Get scan results
aws ecr describe-image-scan-findings \
  --repository-name my-app \
  --image-id imageTag=1.0.0
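Scan findings are only useful if something acts on them. The script below is an added example, not part of the lesson or of the AWS CLI documentation: it waits for the scan that scanOnPush started, reads the CRITICAL and HIGH counts, and fails the pipeline when they exceed a budget. The repository name, tag and the counts fed to the demo are constructed; the `--query` expression uses the `findingSeverityCounts` map that `describe-image-scan-findings` returns, and with `--output text` a multiselect list prints its values tab-separated (`None` when a severity has no findings), which is what `severity_gate` parses.

```shell
#!/bin/sh
# Added example (not from the lesson): gate a deploy on ECR basic-scan results.
set -eu

# severity_gate COUNTS MAX_CRITICAL MAX_HIGH
#   COUNTS is the tab-separated "CRITICAL<TAB>HIGH" pair printed by the aws
#   query in ecr_scan_gate ("None" when that severity has no findings).
#   Returns 0 when both counts are within budget, 1 otherwise.
severity_gate() {
  counts=$1; max_critical=$2; max_high=$3
  critical=$(printf '%s\n' "$counts" | cut -f1)
  high=$(printf '%s\n' "$counts" | cut -f2)
  [ "$critical" = "None" ] && critical=0
  [ "$high" = "None" ] && high=0
  if [ "$critical" -gt "$max_critical" ] || [ "$high" -gt "$max_high" ]; then
    printf 'FAIL: %s critical, %s high (budget %s/%s)\n' \
      "$critical" "$high" "$max_critical" "$max_high" >&2
    return 1
  fi
  printf 'PASS: %s critical, %s high\n' "$critical" "$high"
}

# ecr_scan_gate REPO TAG
#   Waits for the scan to finish (the waiter fails on a FAILED scan status,
#   which also blocks the deploy), then applies a zero-tolerance budget.
#   Needs AWS credentials; the demo below does not call it.
ecr_scan_gate() {
  repo=$1; tag=$2
  aws ecr wait image-scan-complete \
    --repository-name "$repo" --image-id "imageTag=$tag"
  counts=$(aws ecr describe-image-scan-findings \
    --repository-name "$repo" --image-id "imageTag=$tag" \
    --query 'imageScanFindings.findingSeverityCounts.[CRITICAL, HIGH]' \
    --output text)
  severity_gate "$counts" 0 0
}

# Demo on constructed scanner output (a pipeline would run: ecr_scan_gate my-app 1.0.0)
severity_gate "$(printf 'None\tNone')" 0 0
severity_gate "$(printf '1\t3')" 0 0 || echo "deploy blocked"
severity_gate "$(printf 'None\t2')" 0 5
```

Run it as a step between `docker push` and `kubectl apply`; a non-zero exit from `ecr_scan_gate` stops the job. Raise the budget only per repository and with a recorded reason, otherwise the gate decays into noise.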

Google Artifact Registry

# Create a repository
gcloud artifacts repositories create my-app \
  --repository-format=docker \
  --location=us-central1 \
  --description="My application images"

# Configure Docker authentication
gcloud auth configure-docker us-central1-docker.pkg.dev

# Build and push
docker build -t us-central1-docker.pkg.dev/my-project/my-app/api:1.0.0 .
docker push us-central1-docker.pkg.dev/my-project/my-app/api:1.0.0

# List images
gcloud artifacts docker images list us-central1-docker.pkg.dev/my-project/my-app

Image Tagging Strategy

Tagging Best Practices

  • Semantic Versioning: Use tags like 1.0.0, 1.0.1, 1.1.0 for release tracking
  • Git SHA: Tag with the commit SHA (abc123f) for exact traceability
  • Never Use :latest in Production: It is mutable, so you cannot tell from a manifest which build is running, and "roll back to the previous version" has no defined meaning
  • Immutable Tags: Enable tag immutability in ECR or Artifact Registry so a tag cannot be silently re-pointed at a different image after it has been reviewed or deployed
  • Digest Pinning: Where the deploy tooling supports it, reference image@sha256:<digest>; a digest identifies the exact content independent of any tag
  • Multi-tag: Tag each image with both version and SHA (myapp:1.0.0, myapp:abc123f)
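The rules above are easy to state and easy to forget under deadline pressure, so enforce them in CI. The script below is an added example, not part of the lesson: `image_ref_ok` accepts a reference only if it is pinned by digest, by a semver tag (optionally with a `v` prefix and a pre-release suffix) or by a git-SHA tag, and rejects `:latest` and untagged references; `check_manifest` runs that check over every `image:` line in a manifest. The sample manifest it writes is constructed, and the extraction is a line-oriented sed over YAML, which covers the common `image: ref` / `- image: ref` forms but not every YAML layout.

```shell
#!/bin/sh
# Added example (not from the lesson): reject unpinned image references.
set -eu

# image_ref_ok REF  ->  0 if pinned (digest, semver tag or git-SHA tag), 1 otherwise
image_ref_ok() {
  ref=$1
  case $ref in
    *@sha256:*)
      # Digest reference: must be exactly 64 lowercase hex characters
      printf '%s' "${ref##*@sha256:}" | grep -Eq '^[0-9a-f]{64}$'
      return ;;
  esac
  # The tag lives after the last ':' of the last path component; a ':' in the
  # registry host (localhost:5000/app) must not be mistaken for a tag separator
  name=${ref##*/}
  case $name in
    *:*) tag=${name##*:} ;;
    *)   return 1 ;;          # no tag at all means :latest implicitly
  esac
  [ "$tag" = latest ] && return 1
  printf '%s' "$tag" | grep -Eq '^v?[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.]+)?$|^[0-9a-f]{7,40}$'
}

# check_manifest FILE  ->  0 if every image: line is pinned, 1 if any is not
check_manifest() {
  sed -n 's/^[[:space:]]*-\{0,1\}[[:space:]]*image:[[:space:]]*["'"'"']\{0,1\}\([^"'"'"'[:space:]]*\).*/\1/p' "$1" \
    | (
      fail=0
      while read -r ref; do
        if image_ref_ok "$ref"; then printf 'ok    %s\n' "$ref"
        else printf 'DENY  %s\n' "$ref"; fail=1; fi
      done
      exit $fail
    )
}

# write_sample_manifest FILE: constructed Pod spec with one bad reference per rule
write_sample_manifest() {
  cat > "$1" <<'EOF'
apiVersion: v1
kind: Pod
spec:
  containers:
  - name: api
    image: 123456789012.dkr.ecr.us-east-1.amazonaws.com/my-app:1.0.0
  - name: worker
    image: ghcr.io/myorg/worker@sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  - name: sidecar
    image: "docker.io/library/busybox:latest"
  - name: probe
    image: localhost:5000/probe
EOF
}

# Demo: the two pinned references pass, :latest and the untagged one are denied
tmp=$(mktemp)
write_sample_manifest "$tmp"
check_manifest "$tmp" || echo "manifest rejected"
rm -f "$tmp"
```

Wire `check_manifest` into the pipeline step that renders manifests, before `kubectl apply`. The digest branch is the strongest form: a tag, even an immutable one, is a name in a registry you have to trust, while a digest is the hash of the content you pull.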

Kubernetes Image Pull Configuration

# deployment-with-registry.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  selector:                         # required for apps/v1 Deployments
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
      - name: app
        image: 123456789012.dkr.ecr.us-east-1.amazonaws.com/my-app:1.0.0
        # Always, IfNotPresent, Never. Defaults to Always for :latest or an untagged
        # image and to IfNotPresent otherwise; with a digest-pinned image the
        # cached copy is the same content, so IfNotPresent is safe.
        imagePullPolicy: IfNotPresent
      imagePullSecrets:
      - name: registry-credentials    # kubernetes.io/dockerconfigjson Secret in this namespace
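The `imagePullSecrets` entry references a Secret of type `kubernetes.io/dockerconfigjson`, which is a base64-encoded Docker `config.json`. The script below is an added example, not part of the lesson: it builds that Secret by hand (the same shape `kubectl create secret docker-registry registry-credentials --docker-server=... --docker-username=... --docker-password=...` produces) and decodes an existing one to list which registries it unlocks. The secret name, namespace, username and the token in `REGISTRY_TOKEN` are constructed; the decoder assumes each registry entry starts with a `username` or `auth` key, as kubectl and docker write it.

```shell
#!/bin/sh
# Added example (not from the lesson): build and inspect an image pull Secret.
set -eu

# pull_secret_manifest NAME NAMESPACE REGISTRY USERNAME
#   The token is read from $REGISTRY_TOKEN rather than argv, so it never shows
#   up in `ps` or shell history. Prints the Secret as YAML on stdout.
pull_secret_manifest() {
  name=$1; ns=$2; registry=$3; user=$4
  : "${REGISTRY_TOKEN:?REGISTRY_TOKEN must be set}"
  # "auth" is just base64("user:token"): encoding, not encryption
  auth=$(printf '%s:%s' "$user" "$REGISTRY_TOKEN" | base64 | tr -d '\n')
  config=$(printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
             "$registry" "$user" "$REGISTRY_TOKEN" "$auth")
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $ns
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $(printf '%s' "$config" | base64 | tr -d '\n')
EOF
}

# pull_secret_registries MANIFEST_FILE
#   Decodes .dockerconfigjson and prints one registry host per line. Anyone
#   who can read Secrets in the namespace recovers the credentials the same way,
#   so scope the token to pull-only and rotate it.
pull_secret_registries() {
  sed -n 's/^[[:space:]]*\.dockerconfigjson:[[:space:]]*//p' "$1" \
    | base64 -d \
    | grep -oE '"[^"]+":\{"(username|auth)"' \
    | sed 's/^"//; s/":{"\(username\|auth\)"$//'
}

# Demo with a constructed token (real value would come from the CI secret store)
REGISTRY_TOKEN=${REGISTRY_TOKEN:-ghp_constructed_example_token}
export REGISTRY_TOKEN
tmp=$(mktemp)
pull_secret_manifest registry-credentials default ghcr.io ci-bot > "$tmp"
echo "registries granted by $tmp:"
pull_secret_registries "$tmp"
rm -f "$tmp"
```

Apply the manifest with `kubectl apply -f`, then reference it under `imagePullSecrets` as in the Deployment above. On EKS, GKE and AKS prefer the node or workload identity route (the node IAM role for ECR, Workload Identity for Artifact Registry, the managed identity for ACR): the kubelet pulls with short-lived cloud credentials and no registry token is stored in the cluster at all.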

Key Takeaways

  • Use cloud-provider registries (ECR, Artifact Registry, ACR) for seamless K8s integration
  • Enable image scanning to detect vulnerabilities before deployment
  • Never use :latest tags in production — use immutable semver or SHA tags
  • Set up lifecycle policies to automatically clean up old images
  • Use imagePullSecrets for private registries and Workload Identity where possible
