ACR | Trusted Azure services

Hi!

Azure Container Registry can allow select trusted Azure services to access a registry that’s configured with network access rules. When trusted services are allowed, a trusted service instance can securely bypass the registry’s network rules and perform operations such as pull or push images. 

Trusted service | Supported usage scenarios | Configure managed identity with RBAC role
Azure Container Instances | Deploy to Azure Container Instances from Azure Container Registry using a managed identity | Yes, either system-assigned or user-assigned identity
Microsoft Defender for Cloud | Vulnerability scanning by Microsoft Defender for container registries | No
ACR Tasks | Access the parent registry or a different registry from an ACR Task | Yes
Machine Learning | Deploy or train a model in a Machine Learning workspace using a custom Docker container image | Yes
Azure Container Registry | Import images to or from a network-restricted Azure container registry | No

Trusted-service access is a single registry setting. To enable it (this is the default for a newly created registry):

az acr update --name myregistry --allow-trusted-services true

To disable it, so that the registry's network rules apply to these services as well:

az acr update --name myregistry --allow-trusted-services false

Two caveats. First, network rules (IP firewall rules, private endpoints) require the Premium service tier, and the setting only has an effect once such rules are in place. Second, bypassing the network rules is not a grant of access: each service instance still authenticates, and where the table requires a managed identity, that identity must also hold an RBAC role on the registry such as AcrPull or AcrPush.
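The two commands above only flip one registry property, and whether it matters depends on the registry's network posture. The script below is an added example, not code from the original post: it reads the relevant properties with `az acr show` and reports what they mean together. The registry name is a placeholder and the `acr_trust_posture` / `acr_trust_check` helper names are my own.

```shell
#!/bin/sh
# Added example: report whether a registry is network-restricted and whether
# trusted Azure services may bypass those rules.
# The live check requires the Azure CLI (az) and an authenticated session.

# Pure helper: classify a registry from three of its properties.
#   $1  networkRuleSet.defaultAction   (Allow | Deny)
#   $2  networkRuleBypassOptions       (AzureServices | None)
#   $3  publicNetworkAccess            (Enabled | Disabled)
acr_trust_posture() {
    default_action="$1"; bypass="$2"; public_access="$3"
    restricted=no
    # Either a Deny default action or disabled public access means network rules bite.
    if [ "$public_access" = "Disabled" ] || [ "$default_action" = "Deny" ]; then
        restricted=yes
    fi
    if [ "$restricted" = "no" ]; then
        echo "open: public access is enabled and the default action is Allow; the trusted-services setting has no effect"
    elif [ "$bypass" = "AzureServices" ]; then
        echo "restricted: network rules apply; trusted Azure services may bypass them"
    else
        echo "restricted: network rules apply; trusted Azure services are blocked as well"
    fi
}

# Live check against a registry (name is a placeholder).
# The JMESPath '||' supplies a default when a property is absent, so the three
# tab-separated fields always line up for read.
acr_trust_check() {
    registry="$1"
    az acr show --name "$registry" \
        --query "[networkRuleSet.defaultAction || 'Allow', networkRuleBypassOptions || 'None', publicNetworkAccess || 'Enabled']" \
        --output tsv | {
        read -r action bypass public
        acr_trust_posture "$action" "$bypass" "$public"
    }
}

# Usage: acr_trust_check myregistry
```

Run `acr_trust_check` against a registry before and after `az acr update --allow-trusted-services`; if it reports "open", the change did nothing because there are no network rules for a trusted service to bypass.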

Maxime.

ACR | Lock container images

Hi!

In this article I will show you how you can lock a container image or a repository (so that it can’t be deleted or updated) hosted in Azure Container Registry (ACR).

By default, a tagged image in Azure Container Registry is mutable, so with appropriate permissions you can repeatedly update and push an image with the same tag to a registry. Container images can also be deleted as needed. This behavior is useful while you develop images and need to keep the registry's size in check.

However, when you deploy a container image to production, you might need an immutable container image. An immutable image is one that you can’t accidentally delete or overwrite.

Show the current repository attributes
az acr repository show \
    --name myregistry --repository myrepo \
    --output jsonc


Show the current image attributes
az acr repository show \
    --name myregistry --image myimage:tag \
    --output jsonc

Lock an image by tag
az acr repository update \
    --name myregistry --image myimage:tag \
    --write-enabled false

Lock an image by manifest digest
az acr repository update \
    --name myregistry --image myimage@sha256:123456abcdefg \
    --write-enabled false

Lock a repository
az acr repository update \
    --name myregistry --repository myrepo \
    --write-enabled false

Protect a repository from deletion (updates remain allowed)
az acr repository update \
    --name myregistry --repository myrepo \
    --delete-enabled false --write-enabled true

Prevent read (pull) operations on an image or repository
az acr repository update \
    --name myregistry --image myimage:tag \
    --read-enabled false

az acr repository update \
    --name myregistry --repository myrepo \
    --read-enabled false

Unlock an image or repository
az acr repository update \
    --name myregistry --image myimage:tag \
    --delete-enabled true --write-enabled true

az acr repository update \
    --name myregistry --repository myrepo \
    --delete-enabled true --write-enabled true

Maxime.

ACR | Retention policy for untagged manifests

Hi!

Azure Container Registry gives you the option to set a retention policy for stored image manifests that don't have any associated tags (untagged manifests). When a retention policy is enabled, untagged manifests in the registry are automatically deleted after the number of days you set. Note that the policy only applies to manifests that become untagged after it is enabled; untagged manifests already in the registry at that point are not touched and have to be deleted another way (for example with an ACR purge task).

The following example sets a retention policy of 30 days for untagged manifests in the registry zigmax:

az acr config retention update --registry zigmax --status enabled --days 30 --type UntaggedManifests

You can also define the retention policy for untagged manifests in the Azure portal.

Maxime.