Docs
Platform
Container Registry

Container Registry

This feature is currently in beta.

While we strive to provide a stable service, we may introduce changes to the service that are not backwards compatible. We will do our best to notify you of any changes that may affect you.

During the beta period, documentation may be incomplete or outdated. Please let us know if you find any issues or have any feedback.

Interested in joining the beta program? Contact us

Overview

Thalassa Cloud Container Registry provides OCI-compatible image storage. You can create one or more namespaces and push/pull container images using standard tooling (Docker, Podman, BuildKit, CI/CD), as well as GitOps tooling such as FluxCd or Argo CD.

Key Capabilities

  • OCI-compatible image storage and distribution
  • Namespaces for organizing images per team, app, or environment
  • Access controlled via IAM roles and access credentials
  • Compatible with service accounts; future support for machine identities

Access and Permissions

Access to a registry namespace is governed by IAM. Grant roles on the containerRegistryNamespace resource with the following permissions:

  • Pull: read images and layers
  • Push: upload new images and tags
  • List: read the manifests index (list repositories, tags)

We recommend assigning permissions to teams via IAM roles. See IAM and Service Accounts.

Credentials

Authenticate using access credentials associated with a user or service account that has the appropriate IAM role on the target namespace.

  • Username/Password: Use access credentials generated in the console or via API
  • Token-based auth: Supported via access credentials
  • Service accounts: Create credentials and scope via IAM roles

Usage

The registry hostname is registry.nl-01.thalassa.cloud. Replace <namespace> with the value shown in the Console for your namespace.

Login 

docker login registry.nl-01.thalassa.cloud
# enter username and password (access credentials)

Tag and Push 

docker tag myapp:1.0 registry.nl-01.thalassa.cloud/<namespace>/myapp:1.0
docker push registry.nl-01.thalassa.cloud/<namespace>/myapp:1.0

Pull 

docker pull registry.nl-01.thalassa.cloud/<namespace>/myapp:1.0

Kubernetes Pulls

Until machine identities are available, configure image pulls using:

  • ImagePullSecrets referencing a registry credential
  • Service accounts bound to namespaces/workloads that require pulls

Future machine identities will simplify pulls for clusters, nodes, and workloads without manual secret management.

Status

This service is currently in beta.

Roadmap

  • CVE scanning
  • SBOM generation and attestation
  • Expanded audit logging
  • Retention and garbage collection policies

Related

NetworkingIdentity & Access Management