Hi!
In this article I will show you how you can lock a container image or a repository (so that it can’t be deleted or updated) hosted in Azure Container Registry (ACR).
By default, a tagged image in Azure Container Registry is mutable, so with appropriate permissions you can repeatedly update and push an image with the same tag to a registry. Container images can also be deleted as needed. This behavior is useful when you develop images and need to keep the size of your registry under control.
However, when you deploy a container image to production, you might need an immutable container image. An immutable image is one that you can’t accidentally delete or overwrite.
Show the current repository attributes

az acr repository show \
    --name myregistry --repository myrepo \
    --output jsonc

Show the current image attributes

az acr repository show \
    --name myregistry --image myimage:tag \
    --output jsonc

Lock an image by tag

az acr repository update \
    --name myregistry --image myimage:tag \
    --write-enabled false

Lock an image by manifest digest

az acr repository update \
    --name myregistry --image myimage@sha256:123456abcdefg \
    --write-enabled false

Lock a repository

az acr repository update \
    --name myregistry --repository myrepo \
    --write-enabled false

Protect an image from deletion

az acr repository update \
    --name myregistry --repository myrepo \
    --delete-enabled false --write-enabled true

Prevent read (pull) operations on an image or repository

az acr repository update \
    --name myregistry --image myimage:tag \
    --read-enabled false

az acr repository update \
    --name myregistry --repository myrepo \
    --read-enabled false

Unlock an image or repository

az acr repository update \
    --name myregistry --image myimage:tag \
    --delete-enabled true --write-enabled true

az acr repository update \
    --name myregistry --repository myrepo \
    --delete-enabled true --write-enabled true
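To confirm that a lock took effect, for example as a gate before a production deployment, the following added example (not part of the original article) reads the attributes back with az acr repository show and classifies them. The function names acr_lock_state and acr_audit are hypothetical, and the script assumes the changeableAttributes object that the show command returns.

```shell
#!/bin/sh
# Added example (not from the original article): report whether an ACR image
# or repository is locked. Names such as myregistry are placeholders.
# Usage as a pre-deploy gate:  acr_audit myregistry myimage:tag || exit 1

# acr_lock_state <registry> <--image|--repository> <target>
# Prints locked | delete-protected | mutable (plus ",pull-disabled"),
# and returns 0 only when the target is locked (write-enabled false).
acr_lock_state() {
    out=$(az acr repository show --name "$1" "$2" "$3" \
        --query "changeableAttributes.[writeEnabled, deleteEnabled, readEnabled]" \
        --output tsv) || { echo "error"; return 2; }
    # Normalise case and split the three values on whitespace into $1 $2 $3.
    set -- $(printf '%s\n' "$out" | tr 'A-Z' 'a-z')
    if [ $# -ne 3 ]; then echo "error"; return 2; fi
    if [ "$1" = false ]; then state=locked
    elif [ "$2" = false ]; then state=delete-protected
    else state=mutable
    fi
    if [ "$3" = false ]; then state="$state,pull-disabled"; fi
    echo "$state"
    case $state in locked*) return 0 ;; *) return 1 ;; esac
}

# acr_audit <registry> <image[:tag]>...
# Prints one "image<TAB>state" line per image; non-zero if any is not locked.
acr_audit() {
    registry=$1; shift
    rc=0
    for image in "$@"; do
        state=$(acr_lock_state "$registry" --image "$image") || rc=1
        printf '%s\t%s\n' "$image" "$state"
    done
    return $rc
}
```
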
Maxime.