TAIP

ImageSphere

Available

An OCI registry with real identity, runtime-mutable policy, and an air-gap story.

ImageSphere is an OCI-native registry that treats access control, identity, and day-2 operations as product features, not afterthoughts. It hosts container images, Helm charts, ML models, and any OCI artifact — with a web UI, group-based admin driven by your IdP, access policies that change at runtime and survive restarts, per-namespace storage quotas with live usage, namespace-scoped robot accounts for CI/CD, immutable tags, Cosign/Notation verification, and per-namespace CVE admission policy built in. Helm charts are first-class — detected and rendered with their values.yaml and README, filterable in a charts-only view. One binary, three deployment modes: Kubernetes, air-gapped via the TAIP release flow, bare metal with systemd.

Specification

Version: v1.5.16 — generally available
Protocol: OCI Distribution Spec · built-in /v2/token service
Modes: Kubernetes · air-gapped · bare-metal systemd
Governance: Runtime-mutable policies · quotas · CVE admission · robot accounts · immutable tags · audit log
Storage: Local · S3 · GCS
Languages: English · 简体中文

Proof, not promises

See it in one block.

No proprietary SDKs, no rewrites — ImageSphere meets your tools where they already are.

standard clients, governed registry
$ docker push registry.intra.example/team-a/app:v1
pushed — within team-a quota (412 GiB / 500 GiB)

$ helm push chart.tgz oci://registry.intra.example/team-a
$ cosign verify registry.intra.example/team-a/app:v1
# policies, quotas, and writer groups edited live in the admin UI

Pure OCI Distribution Spec — docker, helm, and oras work unmodified. The built-in token service means nothing extra to deploy.

Capabilities

What ImageSphere gives you

01. OCI-native, no proprietary protocols

Standard OCI Distribution Spec — Docker, Helm, ORAS, and any compliant client work unmodified. A built-in /v2/token endpoint means no separate token service to deploy. Helm charts are recognized as charts — values, README, and install hints rendered in the UI, not stored as opaque blobs.

02. Identity from your IdP

OIDC SSO with back-channel logout. Admin status follows your IdP groups — promoting an admin is a click in your IdP, not a redeploy. Robot accounts give CI/CD namespace-scoped credentials that outlive any individual.

03. Access control mutable at runtime

Edit namespace policies, groups, writer permissions, quotas, and immutable-tag rules from the admin UI. Changes persist in the metadata store and survive restarts — config file as default, runtime override wins. An append-only audit log, Prometheus metrics, and an in-app bilingual user guide round out day-2 operations.

04. Air-gap as a first-class deployment

Ships through the TAIP air-gap release flow: chart and images pre-staged, OIDC application registration automated. The same single binary also installs on bare metal with systemd, htpasswd, and TLS.

How it works

From push to pull, governed end to end.

  1. Push any OCI artifact
     Container images, Helm charts, ML models, OPA bundles. Standard /v2/ endpoints; built-in token service for `docker login`.

  2. Identity decides who can do what
     OIDC SSO, group-based admin, runtime-mutable namespace policies. Off-board in your IdP and the registry follows.

  3. Pulled, signed, scanned
     Cosign / Notation verification, CVE scanning with per-namespace admission policy, namespace storage quotas — same plumbing on Kubernetes, air-gap, or bare metal.
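As an added illustration of the flow the three steps describe (example code, not ImageSphere's own): the standard OCI/Docker Bearer challenge a client receives on an unauthenticated push, the request it then makes to the realm (here the built-in /v2/token), and a hypothetical check of a namespace-scoped robot account against its namespace quota. The hostname, the Robot and Namespace types and the quota figures are constructed.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlencode

# Constructed 401 challenge in the shape used by the Docker/OCI token auth
# flow: the client must fetch a Bearer token from `realm` for `service`
# covering `scope` before retrying the push. Hostname is made up.
CHALLENGE = ('Bearer realm="https://registry.intra.example/v2/token",'
             'service="registry.intra.example",'
             'scope="repository:team-a/app:pull,push"')
_PARAM = re.compile(r'(\w+)="([^"]*)"')
GiB = 2 ** 30

def parse_challenge(header):
    """Split a WWW-Authenticate Bearer challenge into its parameters."""
    scheme, _, params = header.partition(" ")
    if scheme != "Bearer":
        raise ValueError("not a Bearer challenge")
    return dict(_PARAM.findall(params))

def token_request_url(header):
    """Build the GET a client sends to the realm (here the built-in /v2/token)."""
    p = parse_challenge(header)
    return p["realm"] + "?" + urlencode({k: p[k] for k in ("service", "scope") if k in p})

def parse_scope(scope):
    """'repository:team-a/app:pull,push' -> ('repository', 'team-a/app', {'pull', 'push'})."""
    kind, name, actions = scope.split(":", 2)
    return kind, name, set(actions.split(","))

@dataclass
class Robot:            # hypothetical namespace-scoped robot account
    namespace: str
    actions: frozenset

@dataclass
class Namespace:        # hypothetical per-namespace storage quota
    quota_bytes: int
    used_bytes: int

def authorize(robot, namespaces, scope, upload_bytes=0):
    """Actions the token service would grant: the robot may only act inside its
    own namespace, and 'push' is withheld once the upload would exceed the quota."""
    kind, repo, wanted = parse_scope(scope)
    namespace = repo.split("/", 1)[0]
    if kind != "repository" or namespace != robot.namespace:
        return set()
    granted = wanted & robot.actions
    if "push" in granted:
        ns = namespaces[namespace]
        if ns.used_bytes + upload_bytes > ns.quota_bytes:
            granted.discard("push")   # quota full: token carries pull only
    return granted
```

The granted set is what a token service would place in the token's access claim; an empty set means the client gets no token for that scope.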

Who it's for

Built for these teams

  • Internal platform teams building self-service registries
  • Air-gapped, regulated, and edge deployments
  • Anyone who wants Cosign and CVE scanning without a control plane behind it