ImageSphere
An OCI registry with real identity, runtime-mutable policy, and an air-gap story.
ImageSphere is an OCI-native registry that treats access control, identity, and day-2 operations as product features, not afterthoughts. It hosts container images, Helm charts, ML models, and any OCI artifact — with a web UI, group-based admin driven by your IdP, access policies that change at runtime and survive restarts, per-namespace storage quotas with live usage, namespace-scoped robot accounts for CI/CD, immutable tags, Cosign/Notation verification, and per-namespace CVE admission policy built in. Helm charts are first-class — detected and rendered with their values.yaml and README, filterable in a charts-only view. One binary, three deployment modes: Kubernetes, air-gapped via the TAIP release flow, bare metal with systemd.
Specification
- Version: v1.5.16 — generally available
- Protocol: OCI Distribution Spec · built-in /v2/token service
- Modes: Kubernetes · air-gapped · bare-metal systemd
- Governance: Runtime-mutable policies · quotas · CVE admission · robot accounts · immutable tags · audit log
- Storage: Local · S3 · GCS
- Languages: English · Simplified Chinese
Proof, not promises
See it in one block.
No proprietary SDKs, no rewrites — ImageSphere meets your tools where they already are.
$ docker push registry.intra.example/team-a/app:v1
pushed — within team-a quota (412 GiB / 500 GiB)
$ helm push chart.tgz oci://registry.intra.example/team-a
$ cosign verify registry.intra.example/team-a/app:v1
# policies, quotas, and writer groups edited live in the admin UI
Pure OCI Distribution Spec — docker, helm, and oras work unmodified. The built-in token service means nothing extra to deploy.
Capabilities
What ImageSphere gives you
OCI-native, no proprietary protocols
Standard OCI Distribution Spec — Docker, Helm, ORAS, and any compliant client work unmodified. A built-in /v2/token endpoint means no separate token service to deploy. Helm charts are recognized as charts — values, README, and install hints rendered in the UI, not stored as opaque blobs.
Identity from your IdP
OIDC SSO with back-channel logout. Admin status follows your IdP groups — promoting an admin is a click in your IdP, not a redeploy. Robot accounts give CI/CD namespace-scoped credentials that outlive any individual.
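The two capabilities above meet in the token handshake: a client hits /v2/, is challenged with a Bearer realm, fetches a token from the built-in token service using its credentials, and retries. The following is an added illustration of that exchange with a namespace-scoped robot account; it is not ImageSphere's code. The robot table, the opaque token format, the realm URL and the rule that out-of-namespace scopes yield a token with an empty grant are assumptions made for the example.

```python
import base64
import re
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode

REALM = "https://registry.intra.example/v2/token"  # assumed realm of the built-in token service
SERVICE = "registry.intra.example"

# Constructed robot accounts: username -> (secret, namespace the robot is confined to).
ROBOTS = {"team-a+ci": ("s3cr3t-a", "team-a"), "team-b+ci": ("s3cr3t-b", "team-b")}
ISSUED: dict = {}  # opaque token -> granted access list (server-side state, assumed design)

PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_challenge(header: str) -> dict:
    """Parse `Bearer realm="...",service="...",scope="..."` into a dict."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("expected a Bearer challenge")
    return dict(PARAM_RE.findall(params))


def parse_scope(scope: str) -> tuple:
    """Split `repository:team-a/app:push,pull` into (type, name, [actions])."""
    rtype, name, actions = scope.split(":", 2)
    return rtype, name, actions.split(",")


def token_endpoint(query: str, authorization: Optional[str]) -> tuple:
    """Simplified token service: authenticate the robot with HTTP Basic, then grant
    only the requested actions that fall inside the robot's own namespace."""
    q = parse_qs(query)
    service = q.get("service", [""])[0]
    scope = q.get("scope", [""])[0]
    if service != SERVICE or not scope:
        return 400, {}
    if not authorization or not authorization.startswith("Basic "):
        return 401, {}
    user, _, secret = base64.b64decode(authorization[6:]).decode().partition(":")
    robot = ROBOTS.get(user)
    if robot is None or not secrets.compare_digest(robot[0], secret):
        return 401, {}
    rtype, name, actions = parse_scope(scope)
    in_namespace = rtype == "repository" and name.split("/", 1)[0] == robot[1]
    granted = {"type": rtype, "name": name, "actions": actions if in_namespace else []}
    token = secrets.token_urlsafe(16)
    ISSUED[token] = [granted]
    return 200, {"token": token, "access": [granted]}


def registry(method: str, path: str, authorization: Optional[str]) -> tuple:
    """/v2/<name>/manifests/<ref>: challenge without a token, enforce with one."""
    m = re.fullmatch(r"/v2/(.+)/manifests/([^/]+)", path)
    if not m:
        return 404, {}
    name = m.group(1)
    action = "pull" if method == "GET" else "push"
    token = authorization[7:] if authorization and authorization.startswith("Bearer ") else None
    grants = ISSUED.get(token)
    if grants is None:
        wanted = "pull" if action == "pull" else "push,pull"
        challenge = f'Bearer realm="{REALM}",service="{SERVICE}",scope="repository:{name}:{wanted}"'
        return 401, {"WWW-Authenticate": challenge}
    allowed = any(g["type"] == "repository" and g["name"] == name and action in g["actions"]
                  for g in grants)
    return (200 if allowed else 403), {}


def client(method: str, path: str, user: str, secret: str) -> int:
    """What `docker login` plus push/pull do: request, get challenged, fetch a token
    with the robot credentials, retry with `Authorization: Bearer`."""
    status, headers = registry(method, path, None)
    if status != 401:
        return status
    ch = parse_challenge(headers["WWW-Authenticate"])
    query = urlencode({"service": ch["service"], "scope": ch["scope"]})
    basic = "Basic " + base64.b64encode(f"{user}:{secret}".encode()).decode()
    status, body = token_endpoint(query, basic)
    if status != 200:
        return status
    status, _ = registry(method, path, "Bearer " + body["token"])
    return status


if __name__ == "__main__":
    print("team-a robot pushes team-a/app:", client("PUT", "/v2/team-a/app/manifests/v1", "team-a+ci", "s3cr3t-a"))
    print("team-a robot pushes team-b/app:", client("PUT", "/v2/team-b/app/manifests/v1", "team-a+ci", "s3cr3t-a"))
```

The check worth noticing is the last one in the token service: a valid robot asking for a repository outside its namespace still gets a token, but with no actions, so the registry answers 403 rather than leaking whether the repository exists. Revoking the robot or changing its namespace is a change in one table, which is what "namespace-scoped credentials that outlive any individual" amounts to in practice.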
Access control mutable at runtime
Edit namespace policies, groups, writer permissions, quotas, and immutable-tag rules from the admin UI. Changes persist in the metadata store and survive restarts — config file as default, runtime override wins. An append-only audit log, Prometheus metrics, and an in-app bilingual user guide round out day-2 operations.
Air-gap as a first-class deployment
Ships through the TAIP air-gap release flow: chart and images pre-staged, OIDC application registration automated. The same single binary also installs on bare metal with systemd, htpasswd, and TLS.
How it works
From push to pull, governed end to end.
- Step 01
Push any OCI artifact
Container images, Helm charts, ML models, OPA bundles. Standard /v2/ endpoints; built-in token service for `docker login`.
- Step 02
Identity decides who can do what
OIDC SSO, group-based admin, runtime-mutable namespace policies. Off-board in your IdP and the registry follows.
- Step 03
Pulled, signed, scanned
Cosign / Notation verification, CVE scanning with per-namespace admission policy, namespace storage quotas — same plumbing on Kubernetes, air-gap, or bare metal.
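To make the "config file as default, runtime override wins" rule from the access-control capability and the per-namespace CVE admission and quota check of Step 03 concrete, here is an added example that is not ImageSphere's code. It stands a dict in for the parsed config file, keeps runtime overrides and an append-only audit table in sqlite as the metadata store, and applies the resolved policy to a constructed scan result. Policy key names, the severity ranking, the CVE ids and the sqlite schema are all assumptions of the example.

```python
import json
import os
import sqlite3
import tempfile

# Stand-in for the parsed config file: the defaults every namespace starts from.
CONFIG_DEFAULTS = {
    "block_above": "high",       # deny a push carrying any CVE more severe than this
    "ignore_cves": [],           # accepted-risk CVE ids (constructed ids used below)
    "quota_bytes": 500 * 2**30,  # 500 GiB, matching the demo transcript above
}
SEVERITY = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


class PolicyStore:
    """Config-file defaults overlaid by runtime overrides persisted in a metadata
    store (sqlite here), plus an audit table that triggers keep append-only."""

    def __init__(self, db_path: str, defaults: dict):
        self.defaults = defaults
        self.db = sqlite3.connect(db_path)
        self.db.executescript("""
            CREATE TABLE IF NOT EXISTS policy_override (
                namespace TEXT, key TEXT, value TEXT, PRIMARY KEY (namespace, key));
            CREATE TABLE IF NOT EXISTS audit (
                seq INTEGER PRIMARY KEY AUTOINCREMENT, actor TEXT, namespace TEXT,
                key TEXT, value TEXT);
            -- append-only: refuse any rewrite of history
            CREATE TRIGGER IF NOT EXISTS audit_no_delete BEFORE DELETE ON audit
                BEGIN SELECT RAISE(ABORT, 'audit log is append-only'); END;
            CREATE TRIGGER IF NOT EXISTS audit_no_update BEFORE UPDATE ON audit
                BEGIN SELECT RAISE(ABORT, 'audit log is append-only'); END;
        """)

    def set_override(self, actor: str, namespace: str, key: str, value) -> None:
        """Runtime edit from the admin UI: persist the override and log who did it."""
        if key not in self.defaults:
            raise KeyError(f"unknown policy key {key!r}")
        with self.db:
            self.db.execute("INSERT OR REPLACE INTO policy_override VALUES (?, ?, ?)",
                            (namespace, key, json.dumps(value)))
            self.db.execute("INSERT INTO audit (actor, namespace, key, value) VALUES (?, ?, ?, ?)",
                            (actor, namespace, key, json.dumps(value)))

    def resolve(self, namespace: str) -> dict:
        """Defaults first, then every stored override for this namespace wins."""
        policy = dict(self.defaults)
        rows = self.db.execute("SELECT key, value FROM policy_override WHERE namespace = ?",
                               (namespace,))
        for key, value in rows:
            policy[key] = json.loads(value)
        return policy

    def audit_rows(self) -> int:
        return self.db.execute("SELECT COUNT(*) FROM audit").fetchone()[0]


def admit(policy: dict, scan: list, used_bytes: int, manifest_bytes: int) -> tuple:
    """Admission decision for one push against the resolved namespace policy."""
    if used_bytes + manifest_bytes > policy["quota_bytes"]:
        return False, "quota exceeded"
    limit = SEVERITY[policy["block_above"]]
    blocking = sorted(c["id"] for c in scan
                      if c["id"] not in policy["ignore_cves"] and SEVERITY[c["severity"]] > limit)
    if blocking:
        return False, "blocked by " + ",".join(blocking)
    return True, "admitted"


def run_demo(db_path: str = "") -> dict:
    """Set an override in one process, then read it back from a fresh one."""
    db_path = db_path or os.path.join(tempfile.gettempdir(), f"policy-demo-{os.getpid()}.db")
    if os.path.exists(db_path):
        os.remove(db_path)
    scan = [{"id": "CVE-2099-0001", "severity": "critical"},  # constructed scan result
            {"id": "CVE-2099-0002", "severity": "medium"}]
    used, push = 412 * 2**30, 1 * 2**30
    first = PolicyStore(db_path, CONFIG_DEFAULTS)
    before = admit(first.resolve("team-a"), scan, used, push)
    first.set_override("alice@example", "team-a", "ignore_cves", ["CVE-2099-0001"])
    first.db.close()                                 # simulated restart
    second = PolicyStore(db_path, CONFIG_DEFAULTS)   # fresh process, same metadata store
    after = admit(second.resolve("team-a"), scan, used, push)
    other = admit(second.resolve("team-b"), scan, used, push)  # override is per namespace
    try:
        second.db.execute("DELETE FROM audit")
        tamper_blocked = False
    except sqlite3.DatabaseError:
        tamper_blocked = True
    result = {"before": before, "after": after, "other_namespace": other,
              "audit_rows": second.audit_rows(), "tamper_blocked": tamper_blocked}
    second.db.close()
    os.remove(db_path)
    return result


if __name__ == "__main__":
    print(run_demo())
```

Two details carry the security point. The override is read back by a second store instance opened on the same file, so it survives the restart without touching the config file, and the accepted-risk decision is recorded with an actor in a table that rejects DELETE and UPDATE. Scoping the override to team-a also shows why the same manifest is still blocked for team-b.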
Who it's for
Built for these teams
- Internal platform teams building self-service registries
- Air-gapped, regulated, and edge deployments
- Anyone who wants Cosign and CVE scanning without a control plane behind it
Pairs well with
Other builder products
ConsoleX
Log in, get a governed Kubernetes workspace. No kubectl, no tickets.
On first SSO login every user gets an isolated namespace with quotas, default-deny networking, storage, and a web terminal — provisioned automatically, reconciled continuously.
DevSpace
Jupyter or VS Code on a GPU in seconds. Idle environments shut themselves down.
Single-click Jupyter, Marimo, Streamlit, Gradio, and VS Code environments — GPU-ready, isolated per user behind a per-pod auth proxy, with SSH access and idle shutdown by default.
TrainX
Admins write the template. Users fill a form. Kubernetes runs the job.
Self-describing training templates render straight into UI forms — with live quota checks, streaming logs, parsed progress bars, and one-click TensorBoard.