Introduction to MSR
Mirantis Secure Registry (MSR) is Mirantis’s enterprise-grade image storage solution. Installed behind the firewall, either on-premises or on a virtual private cloud, MSR provides a secure environment in which users can store and manage Docker images. Starting with MSR 3.0.0, MSR can run alongside your other apps in any standard Kubernetes distribution, version 1.20 and above, simply through the use of standard Helm techniques. As a result, the MSR user has far greater flexibility, as many resources are administered by the orchestrator rather than the registry itself. And while MSR 3.0.0 is not integrated with Mirantis Kubernetes Engine (MKE), as it was with previous versions, it runs just as well on MKE as on any supported Kubernetes distribution.
Image and job management
MSR has a web-based user interface that you can use to browse images and audit repository events. With the UI, you can see which Dockerfile lines produced an image and, if security scanning is enabled, a list of all of the software installed in that image. You can also audit jobs with the web interface.
MSR can serve as a Continuous Integration and Continuous Delivery (CI/CD) component in the building, shipping, and running of applications.
MSR is highly available through the use of multiple replicas of all containers and metadata. As such, MSR will continue to operate in the event of machine failure, thus allowing for repair.
MSR is able to reduce the bandwidth used when pulling Docker images by caching images closer to users. In addition, MSR can clean up unreferenced manifests and layers.
Built-in access control
As with Mirantis Kubernetes Engine (MKE), MSR uses Role-Based Access Control (RBAC), which allows you to manage image access manually, with LDAP, or with Active Directory.
A security scanner is built into MSR, which can be used to discover the versions of the software that are in use in your images. This tool scans each layer and aggregates the results, offering a complete picture of what is being shipped as a part of your stack. Most importantly, as the security scanner is kept up-to-date by tapping into a periodically updated vulnerability database, it is able to provide unprecedented insight into your exposure to known security threats.
MSR ships with Notary, which allows you to sign and verify images using Docker Content Trust. For more information on managing Notary data in MSR, refer to Using Notary to sign an image.