Unexpected image pulls from unknown public IP addresses and unauthorized delete operations are hard to detect without an audit trail. The image event analysis feature in Container Registry Enterprise Edition records every push, pull, and delete event in a chronological event line, so you can identify suspicious activity such as abnormal public IP addresses and image content risks, and review the deployment status of images across Container Service for Kubernetes (ACK) clusters.
Prerequisites
Before you begin, ensure that you have:
- Submitted a ticket to enable the image event feature.
- A Container Registry Enterprise Edition instance. For more information, see Create a Container Registry Enterprise Edition instance.
- An image pushed to the instance. For more information, see Use a Container Registry Enterprise Edition instance to push and pull images.
View the image event line
The event line shows a chronological record of push, pull, and delete operations for a specific image. Use it to detect unauthorized access or suspicious activity.
- Log on to the Container Registry console.
- In the top navigation bar, select a region.
- In the left-side navigation pane, click Instances.
- On the Instances page, click the Enterprise Edition instance that you want to manage.
- In the left-side navigation pane of the instance management page, choose Instances > Image Analysis. On the Image Analysis page, set the following parameters to find the image.

  | Parameter | Description | Example |
  | --- | --- | --- |
  | Namespace | The namespace that contains the image | test-namespace |
  | Repository | The repository that contains the image | test-repository |
  | Tag | The image tag | v1 |

- In the Event line section, set the filter conditions and time range, then click Search.

  | Parameter | Description |
  | --- | --- |
  | Event Filters | The event types to include: Push, Pull, or Delete |
  | Time range | The period to search. Maximum: 30 days |

  The results show each event's details in the following fields. The Event Summary field provides a summary of the image event information within the selected time range.

  | Field | Description |
  | --- | --- |
  | Event category | The type of operation: Push, Pull, or Delete |
  | Client network type | Whether the client accessed the image from a private or public network |
  | Client public IP address | The public IP address of the client. Use this field to detect access from unexpected sources |
  | Event time | The timestamp of the operation |
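A triage pass over event line rows, as an added example that is not part of the original documentation. It assumes you have transcribed the rows into records carrying the four fields above; the record keys, the sample rows, and the expected-CIDR allowlist are all constructed for illustration, because the page does not describe an export format.

```python
import ipaddress
from datetime import datetime

# Constructed allowlist: public egress ranges you expect pulls from (documentation CIDRs).
EXPECTED_PUBLIC_CIDRS = ["203.0.113.0/24"]

# Constructed sample rows using the event line fields; not real registry output.
SAMPLE_EVENTS = [
    {"category": "Push", "network": "private", "public_ip": "", "time": "2024-05-01T08:00:00"},
    {"category": "Pull", "network": "public", "public_ip": "203.0.113.10", "time": "2024-05-01T09:15:00"},
    {"category": "Pull", "network": "public", "public_ip": "198.51.100.7", "time": "2024-05-02T02:41:00"},
    {"category": "Delete", "network": "public", "public_ip": "198.51.100.7", "time": "2024-05-02T02:44:00"},
    {"category": "Pull", "network": "public", "public_ip": "not-an-ip", "time": "2024-05-02T03:00:00"},
]

def triage(events, expected_cidrs):
    """Return (event, reasons) pairs for events that need review, oldest first."""
    nets = [ipaddress.ip_network(c) for c in expected_cidrs]
    findings = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        reasons = []
        if ev["category"] == "Delete":
            reasons.append("delete operation: confirm it was authorized")
        if ev["network"] == "public":
            try:
                ip = ipaddress.ip_address(ev["public_ip"])
            except ValueError:
                # A malformed address must surface for review, not be skipped.
                reasons.append("public access with unparseable client IP")
            else:
                if not any(ip in n for n in nets):
                    reasons.append("public IP outside expected ranges")
        if reasons:
            findings.append((ev, reasons))
    return findings

def ips_to_investigate(findings):
    """Group flagged event categories by client IP so repeated sources stand out."""
    by_ip = {}
    for ev, _ in findings:
        by_ip.setdefault(ev["public_ip"] or "(private)", []).append(ev["category"])
    return by_ip

if __name__ == "__main__":
    for ev, reasons in triage(SAMPLE_EVENTS, EXPECTED_PUBLIC_CIDRS):
        print(ev["time"], ev["category"], ev["public_ip"] or "-", "; ".join(reasons))
```

A pull followed minutes later by a delete from the same unexpected address, as in the constructed rows, is the kind of sequence the chronological event line makes visible.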
Analyze image usage in ACK clusters
To view the deployment status of an image across ACK clusters, you must first authorize Container Registry to read cluster information. Without this authorization, Container Registry cannot collect usage data.
- On the Image Events page, click Complete authorization to obtain and analyze the usage of images in ACK clusters.
- In the Cluster Authorization dialog box, find an ACK cluster and click Add authorization in the Actions column. In the confirmation message, click OK.
- After authorization is complete, go to the Image Analysis tab and click Search to view the deployment status of the image.