Protecting Container Registry resources with context-based restrictions
Context-based restrictions give account owners and administrators the ability to define and enforce access restrictions for IBM Cloud® resources based on the context of access requests. Access to IBM Cloud® Container Registry resources can be controlled with context-based restrictions and identity and access management (IAM) policies.
These restrictions work with traditional IAM policies, which are based on identity, to provide another layer of protection. Unlike IAM policies, context-based restrictions don't assign access. Context-based restrictions check that an access request comes from an allowed context that you configure. Because both IAM access and context-based restrictions enforce access, context-based restrictions offer protection even in the face of compromised or mismanaged credentials. See What are context-based restrictions? for more information.
A user must have the Administrator role on the Container Registry service to create, update, or delete rules. A user must also have either the Editor or Administrator role for context-based restrictions to create, update, or delete network zones. A user with the Viewer role for the context-based restrictions can add network zones to a rule.
Any IBM Cloud Activity Tracker or audit log events generated come from the context-based restrictions, not Container Registry. For more information, see Monitoring context-based restrictions.
Container Registry is a service that is integrated with context-based restrictions. For more information, see Services that are integrated with context-based restrictions.
To find out how to protect your Container Registry resources with context-based restrictions, see the Leveraging context-based restrictions to secure your resources tutorial.
How Container Registry integrates with context-based restrictions
You can create context-based restrictions for IBM Cloud Container Registry resources or for specific APIs. With context-based restrictions, you can protect resources, see Protecting specific resources.
Protecting specific resources
When you set up context-based restrictions, the restrictions apply to everything for the selected service in the account unless you select a subset of resources. Container Registry supports the following subset of resources: resource type = namespace and resource id = YOUR_IMAGE_NAMESPACE, where YOUR_IMAGE_NAMESPACE is the namespace of your image. For more information about rules, see Creating rules.
For example, if your image is in the format uk.icr.io/<my_project>/<my_image>:latest, where <my_project> is the name of your project and <my_image> is the name of the image, the
attribute types are as shown in the following table.
| Attribute type | Operator | Value |
|---|---|---|
Region |
string equals |
London |
Resource Type |
string equals |
namespace |
Resource Name |
string equals |
<my_project> |
The Resource Name value is a namespace, as shown by the ibmcloud cr namespace-list command.
Limitations
Context-based restrictions protect only the actions that are associated with the IBM Cloud Container Registry API and the Vulnerability Advisor 4 for IBM Cloud Container Registry API. Actions that are associated with the following platform APIs are not protected by context-based restrictions. Reference the API docs for the specific action IDs.
Creating rules
Define restrictions to Container Registry resources by creating rules.
Creating rules in the IBM Cloud console
To create rules in the IBM Cloud console, see Creating rules. When you are asked to select a service, select Container Registry. You can protect all resources, or specific resources, see Protecting specific resources.
The following attribute types for specific resources are available in the IBM Cloud console:
RegionResource TypeResource Name
Creating rules by using the CLI
- To create rules from the CLI, install the context-based restrictions CLI plug-in.
- You can use the
ibmcloud cbr rule-createcommand to create rules for context-based restrictions. For more information, see Creating rules by using the CLI.
The following example creates a rule that targets the Container Registry service and allows access to your namespace my_namespace only over the private network in us-south.
ibmcloud cbr rule-create --description 'Only allow access to my_namespace over the private network' --service-name container-registry --context-attributes endpointType=private --resource-attributes resourceType=namespace,resource=my_namespace --region=us-south
Creating rules by using the API
To create rules in the API, see the API docs and Creating rules by using the API.
After you create a rule, it might take up to 10 minutes to before you can update that rule due to IAM TTL response caching.