Kubernetes and Cloud Native Security Associate (KCSA)

Platform Security

Image Repository Security

In this lesson, you’ll learn how to secure container images by:

  • Understanding image naming conventions
  • Working with secure image registries
  • Configuring Pods to pull from private repositories

Previously, we deployed Pods running web apps, databases, and caches. Let’s begin with a simple Pod definition that uses the official nginx image:

apiVersion: v1
kind: Pod
metadata:
  name: nginx-pod
spec:
  containers:
    - name: nginx
      image: nginx

Understanding Image Names

Docker interprets image: nginx as library/nginx under the hood. The full naming convention is:

[registry]/[user-or-namespace]/[repository]:[tag]

  • Omit the registry → defaults to Docker Hub (docker.io)
  • Omit the namespace → defaults to library (the official account)

Note

Specifying:

image: library/nginx

is equivalent to:

image: docker.io/library/nginx

You can also pull from other public registries. For example, Google’s registry hosts Kubernetes test images:

image: gcr.io/kubernetes-e2e-test-images/dnsutils

Common Public Registries

Registry                    URL         Use Case
Docker Hub                  docker.io   Default public images
Google Artifact Registry    gcr.io      Google-hosted Kubernetes images
Quay.io                     quay.io     CI/CD and enterprise images

Using a Private Registry

For in-house applications, you can host your own registry or use a managed solution:

Provider                    Link
AWS ECR                     https://aws.amazon.com/ecr/
Azure Container Registry    https://azure.microsoft.com/services/container-registry/
Google Artifact Registry    https://cloud.google.com/artifact-registry

To pull from a private registry, follow these steps:

  1. Authenticate locally (for pushing and testing)

    docker login private-registry.io
    # Username: registry-user
    # Password: ********
    # WARNING! Your password will be stored unencrypted in ~/.docker/config.json.
    # Login Succeeded

    Warning

    Avoid committing ~/.docker/config.json to version control.
    Store credentials securely (e.g., using a secrets manager).

  2. Create a Kubernetes Secret of type docker-registry so worker nodes can pull the image:

    kubectl create secret docker-registry regcred \
      --docker-server=private-registry.io \
      --docker-username=registry-user \
      --docker-password=registry-password \
      --docker-email=<registry-user-email>
  3. Reference the Secret in your Pod spec under imagePullSecrets:

    apiVersion: v1
    kind: Pod
    metadata:
      name: internal-app-pod
    spec:
      containers:
        - name: internal-app
          image: private-registry.io/apps/internal-app
      imagePullSecrets:
        - name: regcred

    When this Pod is scheduled, the kubelet uses the Secret to authenticate and pull the private image.
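The following added example (not part of the course material) ties the two ideas above together in Python: it expands an image reference with the Docker Hub defaults, builds the same kubernetes.io/dockerconfigjson Secret that kubectl create secret docker-registry produces, shows that the credentials inside it are only base64-encoded, and checks whether a Secret actually covers the registry of a given image before the Pod is applied. The registry, user, password and e-mail placeholder are constructed sample values.

```python
import base64
import json

DOCKER_HUB = "docker.io"

def parse_image(ref: str) -> dict:
    """Expand a reference to [registry]/[namespace]/[repository]:[tag] with the Docker Hub defaults."""
    name = ref.partition("@")[0]                   # drop any @sha256:... digest
    tag = "latest"
    if ":" in name.rsplit("/", 1)[-1]:             # ':' in the last element is a tag, not a port
        name, tag = name.rsplit(":", 1)
    parts = name.split("/")
    # Only a first element that looks like a host (contains '.' or ':' or is 'localhost') is a registry.
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, parts = parts[0], parts[1:]
    else:
        registry = DOCKER_HUB
    if registry == DOCKER_HUB and len(parts) == 1:
        parts = ["library"] + parts                # nginx -> library/nginx
    return {"registry": registry, "namespace": "/".join(parts[:-1]), "repository": parts[-1], "tag": tag}

def docker_registry_secret(name, server, username, password, email):
    """Build the Secret that `kubectl create secret docker-registry` emits (credentials only base64-encoded)."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    config = {"auths": {server: {"username": username, "password": password, "email": email, "auth": auth}}}
    return {"apiVersion": "v1", "kind": "Secret", "metadata": {"name": name},
            "type": "kubernetes.io/dockerconfigjson",
            "data": {".dockerconfigjson": base64.b64encode(json.dumps(config).encode()).decode()}}

def decode_auths(secret: dict) -> dict:
    """Reverse the encoding: anyone who can read the Secret object can read the password."""
    return json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))["auths"]

def pull_secret_covers_image(secret: dict, image: str) -> bool:
    """Pre-flight check that the Secret holds credentials for the image's registry host
    (the legacy Docker Hub server URL https://index.docker.io/v1/ counts as docker.io)."""
    wanted = parse_image(image)["registry"]
    for server in decode_auths(secret):
        host = server.split("://", 1)[-1].split("/", 1)[0]
        if (DOCKER_HUB if host == "index.docker.io" else host) == wanted:
            return True
    return False

if __name__ == "__main__":
    # Constructed sample values matching the lesson; the e-mail is a placeholder, not a real address.
    regcred = docker_registry_secret("regcred", "private-registry.io", "registry-user",
                                     "registry-password", "<registry-user-email>")
    print(json.dumps(regcred, indent=2))
    print(pull_secret_covers_image(regcred, "private-registry.io/apps/internal-app"))  # True
    print(pull_secret_covers_image(regcred, "nginx"))                                   # False
```

Because the Secret is only encoded, restrict who can get or list Secrets in the namespace and prefer a credential provider or short-lived tokens where the registry supports them.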

