Container registries store and manage container images and related artifacts.
Although container orchestration gets "royal" coverage, container registries hold the "keys to the kingdom". They act as trusted intermediaries between development and runtime environments for containerized applications. Organizations that build and deploy container-native applications need to choose various tools to build, run and manage containers in production. Common requirements include:
Container orchestration
Infrastructure automation
Container security (vulnerability scanning, policy management, etc.)
Monitoring, distributed tracing and observability
Service mesh, application proxy, API gateways
Container registries
This blog post will focus on the last requirement - container registries.
Container images are the basic artifacts used to deploy applications in a containerized environment. Specifications for how container images are cataloged in a registry and which protocol is used to communicate with the registry have been standardized, making container registries seem like a commodity purchase. Since most application delivery platforms and cloud providers offer a container registry, organizations lack a checklist and framework to make a conscious choice.
What factors should you consider in selecting a container registry?
Treat this as an initial list of considerations. Feel free to customize this checklist and leave comments about what you prioritized. This can help your peers.
What are some categories of container registry providers?
There are three primary categories of container registry providers to choose from:
Cloud service providers
As you would expect, cloud service providers make it easy to integrate their container registry offerings with their own application runtime services. For example, AWS ECR (Elastic Container Registry) integrates with AWS EKS / ECS / Fargate; Azure Container Registry with Azure AKS and Service Fabric; and Google Container Registry with GKE. Pricing is usually based on consumption, i.e. units of storage consumed per month plus data transfer fees (egress charges).
Open source tools
Harbor graduated as a CNCF project this year. Harbor is an open source registry that secures artifacts with policies and role-based access control, scans images for vulnerabilities, and signs images as trusted. Harbor has a growing community of users and partners.
Red Hat open sourced Quay (Project Quay) in late 2019. Quay is a container image registry that enables you to build, organize, distribute, and deploy containers. Project Quay includes Clair, a container security scanning tool.
ISV provided container registries
Some representative providers are listed below; this is by no means an exhaustive list.
GitLab Container Registry
GitHub Container Registry
JFrog Container Registry
Mirantis Secure Registry (formerly Docker Trusted Registry)
Red Hat Quay is available with OpenShift or as a standalone component
Finally, what use cases does a container registry enable?
Infrastructure-as-code
Innersourcing
Distributed agile teams – consistent, secure and trusted source for shared container images
Security and governance for third-party software
Consistency, scalability and reliability across remote sites
Note:
Some providers aim to generalize container registries to support other artifacts and packages. Others aim to offer a specialization of a generic artifact registry as a container registry. This is out of scope for this blog post.