Access control
Cloudfleet Container Registry (CFCR) uses the same role-based access control as other Cloudfleet services. There is no separate registry-specific permission system to configure.
Roles and permissions
| Role | Push images | Pull images |
|---|---|---|
| Administrator | Yes | Yes |
| User | No | Yes |
Administrators can push and pull images. Users can only pull. When you invite a team member to your organization or create an API token, the role you assign determines their registry permissions.
To manage users in your organization, see User management.
API token permissions
API tokens inherit permissions from the role assigned during creation. Choose the appropriate role based on the token’s purpose:
| Use case | Recommended role |
|---|---|
| CI/CD pipeline that builds and pushes images | Administrator |
| CI/CD pipeline that only deploys (pulls) images | User |
| Backup or audit scripts that read images | User |
| Container scanning tools | User |
Create tokens with the minimum required permissions. A deployment pipeline that only pulls images does not need push access.
To create and manage API tokens, see API tokens.
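
One way to check existing tokens against this guidance, as an added example that is not Cloudfleet code. The role mapping is the table above; the token inventory and activity records are constructed sample data in an assumed format, not the output of any Cloudfleet API.

```python
# Role-to-permission mapping taken from the table on this page.
ROLE_PERMISSIONS = {"Administrator": {"push", "pull"}, "User": {"pull"}}

# Constructed sample inventory (hypothetical format): token name -> role.
TOKENS = {
    "ci-build": "Administrator",
    "ci-deploy": "Administrator",
    "image-scanner": "User",
    "old-migration": "Administrator",
}

# Constructed sample activity (hypothetical format): (token, operation).
ACTIVITY = [
    ("ci-build", "push"),
    ("ci-build", "pull"),
    ("ci-deploy", "pull"),
    ("image-scanner", "pull"),
    ("image-scanner", "push"),  # attempt the User role does not permit
]


def minimal_role(needed):
    """Return the role with the fewest permissions that still covers `needed`."""
    fits = [r for r, perms in ROLE_PERMISSIONS.items() if needed <= perms]
    return min(fits, key=lambda r: len(ROLE_PERMISSIONS[r]))


def audit(tokens, activity):
    """Compare each token's role with the operations recorded for it."""
    used = {name: set() for name in tokens}
    for name, op in activity:
        if name in used:
            used[name].add(op)
    findings = {}
    for name, role in tokens.items():
        ops, granted = used[name], ROLE_PERMISSIONS[role]
        if not ops:
            findings[name] = "unused: review whether the token is still needed"
        elif not ops <= granted:
            extra = ", ".join(sorted(ops - granted))
            findings[name] = f"exceeds role: attempted {extra}"
        elif minimal_role(ops) != role:
            findings[name] = f"over-privileged: {minimal_role(ops)} is sufficient"
        else:
            findings[name] = "ok"
    return findings


if __name__ == "__main__":
    for name, finding in audit(TOKENS, ACTIVITY).items():
        print(f"{name}: {finding}")
```
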
CFKE cluster access
CFKE clusters authenticate to CFCR automatically and have pull-only access. Clusters cannot push images to the registry. To push images, use the Docker credential helper or API tokens from your CI/CD pipeline.
Organization isolation
Each organization has a completely isolated registry namespace. Users and tokens from one organization cannot access images in another organization’s registry, even if they know the image path.