Container Registry está obsoleto. A partir del 18 de marzo del 2025, Container Registry se retirará y no se podrán escribir imágenes en él. Para obtener más información sobre la retirada de Container Registry y cómo migrar a Artifact Registry, consulta el artículo Retirada de Container Registry.
Si tienes requisitos de cumplimiento o normativos, puedes encriptar tus imágenes de contenedor con claves de encriptado gestionadas por el cliente (CMEK). Las claves CMEK se gestionan en Cloud Key Management Service. Cuando usas CMEK, puedes inhabilitar temporal o permanentemente el acceso a una imagen de contenedor cifrada inhabilitando o destruyendo la clave.
Si la API de Cloud Storage está en la lista de políticas de Deny de la restricción constraints/gcp.restrictNonCmekServices, no podrás enviar imágenes a Container Registry. Container Registry no usa CMEK para crear segmentos de almacenamiento cuando se envía la primera imagen a un host, y no puedes crear los segmentos de almacenamiento manualmente.
Si necesitas aplicar esta restricción de la política de la organización, considera la posibilidad de alojar tus imágenes en Artifact Registry. Puedes crear manualmente repositorios en Artifact Registry que admitan solicitudes al dominio gcr.io para seguir usando tus flujos de trabajo de imágenes de contenedor. Para obtener más información, consulta Migrar a repositorios compatibles con el dominio gcr.io.
Cuando se configura constraints/gcp.restrictCmekCryptoKeyProjects, los contenedores de almacenamiento deben cifrarse con una CryptoKey de un proyecto, una carpeta o una organización permitidos. Los nuevos contenedores usarán la clave configurada, pero los contenedores que no cumplan los requisitos deberán configurarse para usar la clave obligatoria de forma predeterminada.
Para obtener más información sobre cómo se aplican las restricciones a los segmentos de Cloud Storage, consulta la documentación de Cloud Storage sobre las restricciones.
Restricciones de los temas de Pub/Sub
Cuando activas la API Container Registry en unGoogle Cloud proyecto, Container Registry intenta crear automáticamente un tema de Pub/Sub con el ID de tema gcr mediante claves de cifrado gestionadas por Google.
Cuando la API Pub/Sub se encuentra en la lista de políticas Deny de la restricción constraints/gcp.restrictNonCmekServices, los temas deben cifrarse con CMEK. No se podrán crear temas sin encriptado CMEK.
Container Registry no está integrado directamente con Cloud KMS.
En su lugar, se considera compatible con CMEK cuando almacenas tus imágenes de contenedor en segmentos de almacenamiento configurados para usar CMEK.
[[["Es fácil de entender","easyToUnderstand","thumb-up"],["Me ofreció una solución al problema","solvedMyProblem","thumb-up"],["Otro","otherUp","thumb-up"]],[["Es difícil de entender","hardToUnderstand","thumb-down"],["La información o el código de muestra no son correctos","incorrectInformationOrSampleCode","thumb-down"],["Me faltan las muestras o la información que necesito","missingTheInformationSamplesINeed","thumb-down"],["Problema de traducción","translationIssue","thumb-down"],["Otro","otherDown","thumb-down"]],["Última actualización: 2025-08-21 (UTC)."],[[["\u003cp\u003eContainer Registry uses Cloud Storage to store container images, and Cloud Storage encrypts data server-side by default.\u003c/p\u003e\n"],["\u003cp\u003eFor compliance, customer-managed encryption keys (CMEK) can be used to encrypt container images stored in Container Registry, allowing control over access by disabling or destroying the key.\u003c/p\u003e\n"],["\u003cp\u003eOrganization policy constraints, particularly those related to Cloud Storage and Pub/Sub APIs, can affect Container Registry usage, such as preventing image pushes or requiring CMEK for new storage buckets and Pub/Sub topics.\u003c/p\u003e\n"],["\u003cp\u003eIf \u003ccode\u003econstraints/gcp.restrictNonCmekServices\u003c/code\u003e is enforced, you cannot push images to Container Registry, and Artifact Registry is recommended as an alternative.\u003c/p\u003e\n"],["\u003cp\u003eContainer Registry can use CMEK by leveraging storage buckets configured with CMEK in Cloud Storage; however, this is impossible if \u003ccode\u003econstraints/gcp.restrictNonCmekServices\u003c/code\u003e is being used.\u003c/p\u003e\n"]]],[],null,["# Using customer-managed encryption keys\n\nContainer Registry stores container images in Cloud Storage. Cloud Storage\nalways [encrypts your data on the server side](/storage/docs/encryption/default-keys).\n\nIf you have compliance or regulatory requirements, you can encrypt your container\nimages using [customer-managed encryption keys (CMEK)](/kms/docs/cmek). CMEK keys\nare managed in Cloud Key Management Service. When you use CMEK, you can temporarily or\npermanently disable access to an encrypted container image by disabling or\ndestroying the key.\n\nOrganization policy constraints\n-------------------------------\n\n[Organization policy constraints](/resource-manager/docs/organization-policy/org-policy-constraints) can affect usage of\nContainer Registry when they apply to services that Container Registry\nuses.\n\n### Constraints for storage buckets\n\n- When the Cloud Storage API is in the `Deny` policy list for the\n constraint `constraints/gcp.restrictNonCmekServices`, you cannot push images\n to Container Registry. Container Registry does not use CMEK to create\n storage buckets when the first image is pushed to a host, and you cannot\n create the storage buckets manually.\n\n If you need to enforce this organization policy constraint, consider\n hosting your images in Artifact Registry instead. You can manually create\n repositories in Artifact Registry that support requests to the `gcr.io` domain\n so that you can continue to use your existing container image workflows. For\n details, see\n [Transition to repositories with gcr.io domain support](/artifact-registry/docs/transition/setup-gcr-repo#analysis).\n- When `constraints/gcp.restrictCmekCryptoKeyProjects` is configured,\n storage buckets must be encrypted with a CryptoKey from an allowed project,\n folder, or organization. New buckets will use the configured key, but existing\n buckets that are not compliant must be configured to use the required key by\n default.\n\nFor more information about how constraints apply to Cloud Storage buckets,\nsee the [Cloud Storage documentation](/storage/docs/org-policy-constraints) about constraints.\n\n### Constraints for Pub/Sub topics\n\nWhen you activate the Container Registry API in a\nGoogle Cloud project, Container Registry tries to automatically create a\nPub/Sub topic with the topic ID `gcr` using Google-managed\nencryption keys.\n\nWhen the Pub/Sub API is in the `Deny` policy list for the\nconstraint `constraints/gcp.restrictNonCmekServices`, topics must be encrypted\nwith CMEK. Requests to create a topic without CMEK encryption will fail.\n\nTo create the `gcr` topic with CMEK encryption, see the Pub/Sub\n[instructions for encrypting topics](/pubsub/docs/encryption#using-cmek).\n\nConfiguring buckets to use CMEK\n-------------------------------\n\nContainer Registry is not directly integrated with Cloud KMS.\nInstead, it is [CMEK-compliant](/kms/docs/cmek#cmek_compliance) when you store\nyour container images in storage buckets\n[configured to use CMEK](/storage/docs/encryption/customer-managed-keys).\n| **Note:** When the Cloud Storage API is in the `Deny` policy list for the organization policy constraint [constraints/gcp.restrictNonCmekServices](#org-policy-storage), you cannot create and configure CMEK on Container Registry buckets.\n\n1. If you have not done so,\n [push an image to Container Registry](/container-registry/docs/pushing-and-pulling).\n The storage bucket does not use a CMEK key yet.\n\n2. In Cloud Storage,\n [configure the storage bucket](/storage/docs/encryption/using-customer-managed-keys)\n to use the CMEK key.\n\nThe bucket name for a registry host\nhas one of the following formats:\n\n- `artifacts.`\u003cvar translate=\"no\"\u003ePROJECT-ID\u003c/var\u003e`.appspot.com` for images stored on the host `gcr.io`\n- \u003cvar translate=\"no\"\u003eSTORAGE-REGION\u003c/var\u003e`.artifacts.`\u003cvar translate=\"no\"\u003ePROJECT-ID\u003c/var\u003e`.appspot.com` for images stored on `asia.gcr.io`, `eu.gcr.io`, or `us.gcr.io`.\n\nWhat's next?\n------------\n\n- Learn more about [managing Container Registry images](/container-registry/docs/managing).\n- Learn more about [CMEK](/kms/docs/cmek)\n- Learn more about [Cloud Storage](/storage/docs)"]]