You can use trusted profiles to grant different IBM Cloud identities access to IBM Cloud Container Registry resources in your account. Automatically grant federated users access to your account with conditions based on SAML attributes from your corporate directory.

For more information, see Accessing Container Registry by using trusted profiles.

To ensure continued worldwide performance for global registry (icr.io) in IBM Cloud® Container Registry, a content delivery network (CDN) is being enabled that means that you might have to adjust your firewall settings. If you need to adjust your firewall settings, you must adjust them by 4 September 2024.

For more information, see Important firewall changes from 4 September 2024 for users that pull IBM Cloud Container Registry images from global (icr.io).

Vulnerability Advisor version 3 is discontinued.

For more information about how to update to Vulnerability Advisor version 4, see Vulnerability Advisor version 3 is being discontinued on 13 November 2023.

Vulnerability Advisor version 3 is being discontinued on 13 November 2023. If you have version 3 set as the default, you must update to Vulnerability Advisor version 4 by 13 November 2023. If you are already using version 4, no action is required.

For more information about how to update to version 4, see Vulnerability Advisor version 3 is being discontinued on 13 November 2023.

The following IBM Cloud Container Registry commands now have an output option for JSON format:

• ibmcloud cr exemption-add
• ibmcloud cr exemption-list
• ibmcloud cr exemption-types
• ibmcloud cr image-list
• ibmcloud cr namespace-list
• ibmcloud cr plan
• ibmcloud cr quota
• ibmcloud cr retention-policy-list

For more information about the IBM Cloud Container Registry commands, see IBM Cloud Container Registry CLI

The --json option is replaced with the --output json option in the following commands:

• ibmcloud cr image-digests
• ibmcloud cr image-prune-untagged
• ibmcloud cr image-retention-run
• ibmcloud cr trash-list

For more information about the IBM Cloud Container Registry commands, see IBM Cloud Container Registry CLI

The Vulnerability Advisor component of IBM Cloud® Container Registry is being updated.

Vulnerability Advisor version 3 is being deprecated as the default on 19 June 2023. From 19 June 2023, the default will be Vulnerability Advisor version 4. If you have version 3 set as the default, you can continue to use version 3 until the end of support date. An end of support date is not available yet.

For more information, see Update Vulnerability Advisor to version 4 by 19 June 2023.

Virtual private endpoints are changing.

On 11 November 2022, virtual private endpoints (VPEs) for IBM Cloud Container Registry are being updated and the existing VPE version is being deprecated on 15 December 2022. If you use Container Registry VPE gateways, you must create new VPE gateways and remove your VPE gateways that were created before 11 November 2022 at the earliest opportunity so that you pick up these changes. VPE gateways that were created before 11 November 2022 are deprecated and will not work after 15 December 2022.

If you create a new Container Registry VPE gateway after 11 November 2022 and also use Cloud Identity and Access Management (IAM) restricted IP address lists, you must ensure that your restricted IP address list contains the Cloud Service Endpoint (CSE) source IP addresses of the VPCs in which your Container Registry VPE gateways exist. This requirement is related to a previous change to how Container Registry works over the private network that the new VPE version also uses, see Container Registry private IP addresses changed on 5 July 2022.

For more information, see Changes to Container Registry VPE gateways from 11 November 2022.

The IBM Cloud Container Registry private IP addresses that were replaced on 5 July 2022 are being decommissioned on 15 December 2022.

IP addresses for accessing Container Registry over the private network changed on 5 July 2022, see Container Registry private IP addresses changed on 5 July 2022. You continue to be able to use these old IP addresses, but they are due to be decommissioned on 15 December 2022. After this date, you will not be able to access Container Registry by using these IP addresses.

For more information, see Changes to private IP addresses from 15 December 2022.

A new version, version 1.0.0, of the Container Registry CLI plug-in is available. To update the version of your Container Registry CLI plug-in, see Updating the container-registry CLI plug-in.

Version 1.0.0 includes Vulnerability Advisor 4.

In version 1.0.0, the ibmcloud cr image-list and ibmcloud cr image-digests commands no longer include security status by default. To include security status, you can either add the --va option to the command, or use the ibmcloud cr va command to query the security status for an individual image.

For more information, see Container Registry CLI stops returning security status results in lists by default from version 1.0.0.

All releases of version 0.1 of the Container Registry CLI plug-in are deprecated. You can continue to use releases of version 0.1, but version 1.0.0 is available for you to use. Version 0.1 will continue to be updated with any required updates until 15 September 2023. To update the version of your CLI plug-in, see Updating the container-registry CLI plug-in.

From Container Registry plug-in 1.0.0, you can choose whether to use Vulnerability Advisor version 3 or version 4 to run your commands. Vulnerability Advisor 4 is available from version 1.0.0 of the Container Registry plug-in. Vulnerability Advisor 3 is the default.

If you want to continue to use version 3, you don't need to do anything.

If you want to use version 4 to run the ibmcloud cr va, ibmcloud cr image-list, or ibmcloud cr image-digests commands, see Setting the version of Vulnerability Advisor.

For more information about Vulnerability Advisor, see About Vulnerability Advisor. For more information about Vulnerability Advisor API 4, see Vulnerability Advisor 4 for IBM Cloud Container Registry.

From Container Registry plug-in 1.0.0, you can use new commands to check and set Vulnerability Advisor versions.

If you want to continue to use version 3, you don't need to do anything.

If you want to use version 4, you can set the version by running the ibmcloud cr va-version-set command.

For more information about setting the version by using the ibmcloud cr va-version-set command, see ibmcloud cr va-version-set and Setting the version of Vulnerability Advisor.

To find out which version of Vulnerability Advisor that you're running, see ibmcloud cr va-version.

From IBM Cloud Container Registry CLI plug-in version 1.0.0, when you use the ibmcloud cr image-list and ibmcloud cr image-digests commands to list images, they return Vulnerability Advisor security status results only if you use the --va option.

If you want to continue to receive security status with your lists, prepare to upgrade by adding the new --va option to your commands.

For more information, see Container Registry CLI stops returning security status results in lists by default from version 1.0.0.

You can use context-based restrictions to define and enforce access restrictions for IBM Cloud resources based on the network location of access requests.

For more information, see Protecting Container Registry resources with context-based restrictions.

If you're using Cloud Identity and Access Management (IAM) restricted IP address lists and you are connecting to Container Registry over the private network, your lists of allowed IP addresses must now include the private subnet and IP addresses of your own hosts. The IBM Cloud Container Registry private IP addressees also changed. This change also affects you if you have allowlists or a firewall rule.

For more information, see Container Registry private IP addresses changed on 5 July 2022 and Using IAM IP address access restrictions.

To access IBM Cloud Container Registry, you must be using Cloud Identity and Access Management (IAM) access policies. You must ensure that you are using IAM access policies to manage access to the Container Registry service.

Policy-free authorization is discontinued in the following Container Registry regions:

• au-syd
• eu-de
• eu-gb
• jp-tok
• us-south

For more information about mapping the region name to the domain, see Local regions.

Other regions are unaffected because they already require IAM access policies for all accounts.

For more information, see IAM access policies are required from 5 July 2022 and Defining IAM access policies.

If you're using Cloud Identity and Access Management (IAM) restricted IP address lists and you're connecting to Container Registry over the private network in the br-sao and ca-tor regions, your lists of allowed IP addresses must now include the private subnet and IP addresses of your own hosts. The IBM Cloud Container Registry private IP addressees also changed. This change also affects you if you have allowlists or a firewall rule. Other regions are not affected yet.

For more information, see Container Registry private IP addresses changed on 5 July 2022 and Using IAM IP address access restrictions.

By 23 June 2022, if you're using Cloud Identity and Access Management (IAM) restricted IP address lists and you're connecting to Container Registry over the private network, you must update your lists of allowed IP addresses to include the private subnet and IP addresses of your own hosts. The IBM Cloud Container Registry private IP addressees are also changing, which might require updates to your firewall configuration.

For more information, see Container Registry private IP addresses changed on 5 July 2022.

From 5 July 2022, to access IBM Cloud Container Registry, you must be using Cloud Identity and Access Management (IAM) access policies. If you started to use Container Registry before the availability of IAM API key policies in Container Registry in February 2019, you must now ensure that you're using IAM access policies to manage access to the Container Registry service.

Policy-free authorization will be discontinued in the following Container Registry regions:

• au-syd
• eu-de
• eu-gb
• jp-tok
• us-south

For more information about mapping the region name to the domain, see Local regions.

Other regions are unaffected because they already require IAM access policies for all accounts.

For more information, see IAM access policies are required from 5 July 2022 and Defining IAM access policies.

From 2 February 2022, all regions require separate exemption policy management. Exemption policies are used to exclude any matching vulnerabilities or configuration issues from Vulnerability Advisor reports. You can set an exemption policy by running the ibmcloud cr exemption-add command, see Setting organizational exemption policies.

For more information, see Container Registry is ending exemption synchronization across regions on 31 January 2022.

From 1 February 2022, IBM Cloud Container Registry is charging for the storage that is used by untagged images. To reduce the amount that you're charged, you can clean up your namespaces by deleting untagged images. You can also free up used storage and change service plans or quota limits to stay within given quota limits.

For more information, see Container Registry to bill for storage used by untagged images from 1 February 2022.

You can view the activity tracker auditing events for Red Hat Signing operations.

For more information, see Auditing events for Container Registry.

IBM Cloud Container Registry is available as a service in IBM Cloud. Container Registry provides a multi-tenant private image registry that you can use to store and share your container images with users in your IBM Cloud account.

For more information about how to use Container Registry, see Getting started with Container Registry.