Have Yourself An
Azure Container Registry
Festive Tech Calendar 2021
whoami
• Philip Welz
• Senior Kubernetes & DevOps Engineer @ white duck
• Certified Kubernetes { A | AD | S }
• GitOps, Kubernetes & Azure
© white duck GmbH 2021
Email: Philip.Welz@whiteduck.de
Twitter: @philip_welz
LinkedIn: https://www.linkedin.com/in/philip-welz
Blog: https://philinthe.cloud
Housekeeping
• check out all the other sessions
• https://festivetechcalendar.com/
• listen and watch attentively
• note the code word, fill out our form and win one of three white duck merch packages
• https://festivetechcalendar.com/Home/Supporters
Agenda
• Overview
• Resilience
• Security
• Enhanced Features
• What’s to come
Overview
• fully managed and scalable container registry
• based on the open-source Docker Registry 2.0
• integrates with Azure services like Azure AD, RBAC, AKS, Azure Monitor, …
• pricing based on service tier and usage
• storage, build-time
• SLA backed
• integrates with Azure DevOps & GitHub
RESILIENCE
Geo-replication
Zone redundancy
• preview feature
• provides resiliency and high availability to a registry in a specific region
• can be combined with Geo-replication, which enhances both the reliability and performance of a registry
• limitations
• ACR Tasks doesn't yet support availability zones
Zone redundancy
SECURITY
Customer managed key
• supplements default encryption at rest with an additional encryption layer
• integrates with Azure Key Vault
• limitations
• can only be enabled on creation & can't be disabled once enabled
• content-trust is currently not supported
Microsoft Defender for container registries
• part of Microsoft Defender for Cloud (formerly Azure Security Center)
• enabled at the Subscription Level
• images are scanned on push, on import, or on a weekly basis (any image that has been pulled within the last 30 days)
• limitations
• no support for Windows container images
Microsoft Defender for Cloud
Content-trust
• #SupplyChainSecurity
• enables the Docker Content Trust model to push and pull signed images
• the image publisher signs the image with a digital signature; consumers can configure their clients to pull only signed images
• limitations
• no AKS & ACI support
Private Link
• private connectivity to services on Azure with no public internet access
• integration with on-premises and peered networks
Azure Policy
• audit compliance of Azure container registries with built-in policy definitions
• integrates with Azure Security Benchmark
• built-in Regulatory Compliance
• FedRAMP, CMMC, HIPAA HITRUST 9.2 and more
ENHANCED FEATURES
Enhanced features
• Webhooks
• trigger events when certain actions take place
• can be tested with az acr webhook ping
• Tasks
• on-demand image build
• automated builds triggered by source code or base image updates
• schedulable
Support for further artifacts
• WebAssembly (Wasm) modules
• Open Policy Agent
• Helm Charts
• still experimental
• Helm 3.7.0 introduces some major changes
• Bicep modules (preview)
• Introduced in Bicep 0.4 for private registries
OCI
• Open Container Initiative
• OCI image spec
• JSON manifest
• OCI artifact is something
• other than an image
• stored in a registry
• that sets a custom type in the config.mediaType field
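The OCI slide above says an artifact is distinguished from an image only by the custom type in config.mediaType. As an added example (not from the slides), the following Python classifies manifests by that field and flags anything in a repository that is not a plain container image; it assumes the Helm, Wasm and OPA config media types listed in the code, and the sample manifests are constructed.

```python
import json
from typing import Dict, List, Tuple

# config.mediaType values used for classification. The two image types are the
# OCI and Docker image config media types; the artifact types are the ones the
# Helm, wasm-to-oci and OPA tooling use (assumed here; extend for your registry).
IMAGE_CONFIG_TYPES = {
    "application/vnd.oci.image.config.v1+json": "OCI image",
    "application/vnd.docker.container.image.v1+json": "Docker image",
}
ARTIFACT_CONFIG_TYPES = {
    "application/vnd.cncf.helm.config.v1+json": "Helm chart",
    "application/vnd.wasm.config.v1+json": "Wasm module",
    "application/vnd.cncf.openpolicyagent.config.v1+json": "OPA bundle",
}

def classify_manifest(manifest: dict) -> Tuple[str, str]:
    """Return (kind, label); kind is 'image', 'artifact' or 'unknown'.
    A manifest with no config.mediaType is 'unknown', not assumed to be an image."""
    media_type = manifest.get("config", {}).get("mediaType", "")
    if media_type in IMAGE_CONFIG_TYPES:
        return "image", IMAGE_CONFIG_TYPES[media_type]
    if media_type in ARTIFACT_CONFIG_TYPES:
        return "artifact", ARTIFACT_CONFIG_TYPES[media_type]
    return "unknown", media_type or "<no config.mediaType>"

def audit_repository(manifests: Dict[str, str], allowed=("image",)) -> List[str]:
    """Return tags whose manifest kind is not in `allowed`.
    `manifests` maps tag -> manifest JSON text as served by the registry."""
    flagged = []
    for tag, raw in manifests.items():
        kind, _ = classify_manifest(json.loads(raw))
        if kind not in allowed:
            flagged.append(tag)
    return flagged

def _manifest(config_type: str) -> str:
    # Constructed minimal OCI manifest; digest and layers are placeholders.
    return json.dumps({"schemaVersion": 2, "layers": [], "config": {
        "mediaType": config_type, "digest": "sha256:<constructed>", "size": 1}})

# Constructed sample repository contents: an image, a Helm chart and a
# manifest whose config type is on neither list.
SAMPLE_MANIFESTS = {
    "app:1.0": _manifest("application/vnd.oci.image.config.v1+json"),
    "charts/app:0.1.0": _manifest("application/vnd.cncf.helm.config.v1+json"),
    "misc:latest": _manifest("application/x-unregistered-type"),
}
```

Running audit_repository over the sample with the default allow-list flags the Helm chart and the unregistered type, so a registry meant to hold only images surfaces unexpected artifact pushes.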
Anonymous Pull
• preview feature
• enables anonymous (unauthenticated) pull access
• can be disabled at any time
• limitations
• applies to all repositories in the registry
Connected Registry
• Preview
• available in Asia East, EU North & West and US East
• regularly synchronizes content with a cloud-based Azure container registry
• operating modes: ReadWrite (default) & ReadOnly
• hierarchical deployment of IoT Edge
• in this architecture, the connected registries deployed on each layer are configured to synchronize the images with the connected registry on the layer above
• limitations:
• the number of clients for the connected registry is limited to 20
WHAT’S TO COME
What’s to come
• Project Teleport
• Notary v2
Links
• ACR Backlog
• https://github.com/Azure/acr/projects/1
• Project Teleport
• https://github.com/Azure/acr/blob/main/docs/teleport/aks-getting-started.md
• https://stevelasker.blog/2019/10/29/azure-container-registry-teleportation/
• Dan Lorenc – OCI Artifacts explained
• https://dlorenc.medium.com/oci-artifacts-explained-8f4a77945c13
• Thorsten Hans – ACR Unleashed Series
• https://www.thorsten-hans.com/azure-container-registry-unleashed-acr-up-and-running/#the-acr-unleashed-series