TAIP


ImageSphere

Available

OCI registry with first-class identity, access, and ops

ImageSphere is an OCI-native registry that treats access control, identity, and day-2 operations as product features, not afterthoughts. It hosts container images, Helm charts, ML models, OPA bundles, and any other OCI artifact — with a modern web UI, group-based admin from your IdP, runtime-editable access policies, per-namespace storage quotas, and air-gap packaging out of the box.

Protocol: OCI Distribution Spec
Storage: Local · S3 · GCS
Modes: Kubernetes · air-gap · bare-metal

Capabilities

What ImageSphere gives you

01. OCI-native, no proprietary protocols

Standard OCI Distribution Spec: Docker, Helm, ORAS, and any compliant client work unmodified. A built-in /v2/token endpoint means there is no separate token service to deploy.

02. Identity from your IdP

OIDC SSO with avatar pipeline, RP-initiated logout, and back-channel logout. Admin status follows your IdP groups: promoting an admin is a click in Authentik, not a redeploy.

03. Access control mutable at runtime

Edit namespace policies, groups, and writer permissions from the admin UI. Changes persist in the metadata store and survive pod restarts. The ConfigMap supplies the default policy; a runtime edit stored in the metadata store overrides it.

04. Air-gap as a first-class deployment

Helm chart, image archives, and OIDC application templates ship together. Single-command install on a fresh disconnected node, alongside Kubernetes, K3s, and bare-metal modes.

How it works

From push to pull, governed end to end.

  1. Push any OCI artifact

    Container images, Helm charts, ML models, OPA bundles. Standard /v2/ endpoints; built-in token service for `docker login`.

  2. Identity decides who can do what

    OIDC SSO, group-based admin, runtime-mutable namespace policies. Off-board a user in your IdP and the registry follows.

  3. Pulled, signed, scanned

    Cosign / Notation verification, CVE scanning, namespace storage quotas, with the same plumbing on Kubernetes, air-gap, or bare metal.

Who it's for

Built for these teams

  • Internal platform teams building self-service registries
  • Air-gapped, regulated, and edge deployments
  • Anyone who wants Cosign and CVE scanning without a control plane behind it