IBM Cloud Container Registry is adopting new domain names to align with the rebranding of IBM Cloud for a better user experience.
You also now have the ability to use IAM policies for more control over access to your registry resources. The new domain names are shown by location in the following table:
The new domain names are available in the console and the CLI beginning February 25, 2019. You can use the new icr.io domain names now. The existing bluemix.net domain names are deprecated, but you can continue to use them for the time being; the date on which they become unsupported will be announced later.
How does this affect my containers that run images from IBM Cloud Container Registry?
To pull Container Registry images for your deployments in IBM Cloud Kubernetes Service clusters, your clusters must be authorized to pull from the domain name that the image uses:
Existing clusters have pull secrets that use a registry token to authorize access to images from the bluemix.net domain name for the global registry and the regional registry from the region that the cluster is in. To pull images from the new icr.io domain name, you must take action.
New clusters have pull secrets for both registry token access to bluemix.net domains and IAM API key access to icr.io domains. By default, you can pull images from the new icr.io domain in any registry region.
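To see which case a cluster is in, you can compare the registry hosts in its image pull secrets against the hosts its workloads pull from. The following Python sketch is an added example, not IBM's own tooling: it assumes the standard Kubernetes `kubernetes.io/dockerconfigjson` secret layout, and the hostnames, namespace, and credentials in the sample data are constructed.

```python
import base64
import json

def secret_registries(secret):
    """Registry hosts that one dockerconfigjson pull secret authorizes."""
    raw = base64.b64decode(secret["data"][".dockerconfigjson"])
    auths = json.loads(raw).get("auths", {})
    # Keys may be bare hosts or URLs; reduce both to the host part.
    return {key.split("://")[-1].split("/")[0] for key in auths}

def image_registry(image):
    """Registry host of an image reference (Docker Hub if none is given)."""
    first = image.split("/", 1)[0]
    if "/" in image and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"

def is_ibm_registry(host):
    return host == "icr.io" or host.endswith((".icr.io", ".bluemix.net"))

def audit(images, secrets):
    """Classify each image by whether the pull secrets cover its domain."""
    covered = set()
    for s in secrets:
        if s.get("type") == "kubernetes.io/dockerconfigjson":
            covered |= secret_registries(s)
    report = {}
    for img in images:
        host = image_registry(img)
        if not is_ibm_registry(host):
            report[img] = "not-ibm-registry"
        elif host not in covered:
            report[img] = "no-pull-secret"      # pull would be unauthorized
        elif host.endswith(".bluemix.net"):
            report[img] = "deprecated-domain"   # works for now, plan to migrate
        else:
            report[img] = "ok"
    return report

def make_secret(hosts):
    """Build a constructed sample secret (placeholder credentials)."""
    cfg = {"auths": {h: {"username": "<user>", "password": "<secret>"} for h in hosts}}
    data = base64.b64encode(json.dumps(cfg).encode()).decode()
    return {"type": "kubernetes.io/dockerconfigjson", "data": {".dockerconfigjson": data}}

# Constructed sample data: an existing cluster holds only bluemix.net secrets.
IMAGES = ["registry.ng.bluemix.net/myns/app:1", "us.icr.io/myns/app:1", "nginx:1.25"]
EXISTING = [make_secret(["registry.bluemix.net", "registry.ng.bluemix.net"])]
NEW = EXISTING + [make_secret(["icr.io", "us.icr.io"])]

if __name__ == "__main__":
    print(json.dumps({"existing": audit(IMAGES, EXISTING), "new": audit(IMAGES, NEW)}, indent=2))
```

On a live cluster the secrets would come from `kubectl get secrets -o json` and the image list from the pod specs.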
What benefits do I get from this new method of using an API key to authorize pulling images from the registry?
Because the new icr.io domains are authorized by using an IAM API key, you can add IAM policies if you want more control over access. For example, you can change the API key policies in the cluster’s pull secret to pull images from only a certain registry region or namespace.