Container Registry namespace configuration
Each namespace can have a configuration that controls access behaviour and lifecycle rules. Configuration is optional — until it exists, namespaces behave as private.
Visibility
| Setting | Behaviour |
|---|---|
| private | Pull requires authentication |
| public | Anonymous pull allowed for repositories in this namespace |
Create a namespace configuration to set visibility. Changing visibility does not move existing images; it only changes who may pull without credentials.
When to use public visibility
Public namespaces suit images you want to distribute without credentials — for example open-source tooling or base images shared across teams. Keep production application images in private namespaces and use authenticated pull everywhere possible.
Retention policies
Retention policies automatically delete old tags and artifacts to control storage growth. Configure one or more rules per namespace.
Rule fields
| Rule field | Description |
|---|---|
| days | Delete tags older than N days (by tag creation time) |
| days_since_created | Keep artifacts pushed within the last N days |
| days_since_pulled | Keep artifacts pulled within the last N days |
| count | Keep only the N most recent matching tags |
| repository_patterns | Limit rule to repositories (wildcards supported, e.g. api-*, */cache) |
| tag_patterns | Limit rule to tags (wildcards supported, e.g. v*, *-dev) |
| delete_untagged_images | Also remove artifacts that no longer have any tag |
At least one retention criterion (days, days_since_created, days_since_pulled, or count) is required per rule.
Example scenarios
| Scenario | Suggested rule |
|---|---|
| Keep last 10 release tags | count: 10 with tag_patterns: ["v*"] |
| Prune dev builds after 7 days | days: 7 with tag_patterns: ["*-dev"] |
| Remove unused cache images | days_since_pulled: 30 with repository_patterns: ["*/cache"] |
| Clean up untagged layers | delete_untagged_images: true on any rule |
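
An added example, not the registry's own tooling or API: a local dry run that validates a rule and lists the tags it would select, using the scenarios from the table above. This page does not state how the service combines criteria, scopes count, or expands wildcards, so the any-criterion-selects logic, per-repository count, fnmatch-style wildcards, function names and constructed inventory below are all assumptions.

```python
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

# Rule field -> tag timestamp it is compared against (assumed mapping).
AGE_FIELDS = {"days": "created", "days_since_created": "created",
              "days_since_pulled": "last_pulled"}

def validate_rule(rule):
    """Return a list of problems; empty means the rule is well-formed."""
    criteria = [k for k in (*AGE_FIELDS, "count") if rule.get(k) is not None]
    problems = [] if criteria else ["no retention criterion set"]
    for k in criteria:
        if type(rule[k]) is not int or rule[k] < 1:
            problems.append(f"{k} must be a positive integer")
    return problems

def _in_scope(value, patterns):
    # Assumptions: a missing pattern list matches everything; '*' may span '/'.
    return not patterns or any(fnmatchcase(value, p) for p in patterns)

def preview_deletions(rule, tags, now):
    """Return sorted (repository, tag) pairs the rule would select for deletion."""
    problems = validate_rule(rule)
    if problems:
        raise ValueError("; ".join(problems))
    scope = [t for t in tags
             if _in_scope(t["repository"], rule.get("repository_patterns"))
             and _in_scope(t["tag"], rule.get("tag_patterns"))]
    doomed = set()
    for field, stamp in AGE_FIELDS.items():
        if rule.get(field) is not None:
            cutoff = now - timedelta(days=rule[field])
            doomed |= {(t["repository"], t["tag"]) for t in scope if t[stamp] < cutoff}
    if rule.get("count") is not None:
        # Assumption: count keeps the N newest matching tags per repository.
        seen = {}
        for t in sorted(scope, key=lambda t: t["created"], reverse=True):
            seen[t["repository"]] = seen.get(t["repository"], 0) + 1
            if seen[t["repository"]] > rule["count"]:
                doomed.add((t["repository"], t["tag"]))
    return sorted(doomed)

# Constructed inventory for illustration only.
NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)
def _tag(repo, tag, age_days, pulled_days):
    return {"repository": repo, "tag": tag, "created": NOW - timedelta(days=age_days),
            "last_pulled": NOW - timedelta(days=pulled_days)}
SAMPLE_TAGS = [_tag("api-gateway", "v1.0", 90, 60), _tag("api-gateway", "v1.1", 40, 2),
               _tag("api-gateway", "v1.2", 5, 1), _tag("api-gateway", "pr12-dev", 10, 9),
               _tag("api-gateway", "pr15-dev", 3, 3), _tag("build/cache", "latest", 200, 45)]
```

Against this inventory, a rule with only days: 7 and no patterns selects four tags across both repositories, including release tags, which is the scoping mistake a preview is meant to surface before the policy runs.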
Scheduling
Retention policies run automatically on a schedule (approximately hourly). You can also trigger an immediate run via the API:
POST …/retention-policy/run

Use an immediate run after configuring a new policy to apply cleanup without waiting for the next scheduled cycle.
Permissions
Creating and updating namespace configuration requires permissions on the container_registry_namespace_configuration IAM resource. See Access control for policy details.
Related documentation
- Billing — How retention reduces storage charges
- Repositories — Manual delete operations
- Limits and behaviour — Retention scheduling and defaults