Why self-hosting your container registry makes sense, especially now
By Noa
onBy Noa Omer, Cloud Engineer at Cyso Cloud
Earlier this year, we moved our source control from GitHub to Gitea. One of the factors that made this process easier was that our container registry was independent of our source control provider. Because our registry was self-hosted, switching out GitHub had little to no downstream impact on how images were stored, pulled, scanned or distributed. That decoupling matters more than ever if you want to reduce reliance on American software, foreign services, or simply want to avoid vendor lock-in.
Now is a good time to review why self-hosting a container registry makes sense: increasing demand for internal image workflows, stronger security standards, more stringent audits, and the need to keep your internal platforms resilient and under your own control.
Why Run Your Own Registry?
Before digging into the options and considerations, why do this in the first place?
Below are common motivation points, the weight of these is dependent on your organisation and/or use case:
Internal Images
Many base images, build artefacts, and production images are proprietary. Keeping them off public registries reduces external exposure risk.SBOM Generation & Security Scanning
You want to know exactly what’s in your images. Automatic vulnerability scans, generation of software bills of materials (SBOM), and enforcing policies around image content are much easier when the registry is under your control.Compliance and Security
Fine-grained RBAC (role-based access control), integration with enterprise IAM (e.g. LDAP, AD, etc.), audit logs and general observability of your registry... These are often missing or limited in hosted solutions unless you pay a premium.Replication & Fail-over
Having your own registry gives you full control over where images are stored, replicated, and backed up. You can deploy replicas close to your compute environments, and set up failovers in case of region or provider outage.Platform Independence & Vendor Lock-In Avoidance
When the place you store container images is not bound to a platform: you can move it, replicate it, or redeploy it elsewhere. Your CI/CD, image pull policies, and internal tooling are not tied to a specific cloud provider or vendor ecosystem. Does this require planning and testing? Yes, but these aren’t complicated pieces of software and you’re very unlikely to run into issues with the underlying hardware or Kubernetes platform.
If these pain points or wanted features are familiar and are lacking in your current use of Docker Hub or GitHub/GitLab registries, then you’re likely to benefit from self-hosting. We’re going to dig into two options below.
Software Options: Harbor vs Docker Registry
There are two leading open source/self-hosted options that aren’t freemium: Harbor and Docker Registry.
Do keep in mind that Docker Hub and Docker Registry are two different things; the latter is based on the CNCF ‘Distribution’ project and is open source.
Below is a quick overview of these two options, and there are more comprehensive write-ups on this topic.
I’ve made a table mapping features (on usability, integration, compliance, ease of use fronts) below:
Feature | Docker Registry | Harbor |
Basic push / pull of container images | Yes (core function) | Yes |
Role-based access control / Projects / Namespaces | Limited; some basic configuration, but fewer built-in features | Richer RBAC, per-project control, integration with LDAP/AD etc |
Vulnerability scanning & SBOM generation | Not in core; must be added via external tools or scripts | Built-in scanning (e.g. Clair, Trivy), scheduled scans, and SBOM-capable features |
Image signing / Trust policies | Mostly external; not built in core registry | Supported (signing / content trust / policies) in Harbor |
Replication between registries / push & pull / multi-region | Minimal in core; you’ll have to build your logic or orchestration for many cases | Fully supported: push and pull replication, between Harbor instances and non-Harbor registries. Can automate via rules |
Audit logs / metrics / monitoring | Depends on tooling you add; not as full featured by default | Stronger audit logging, monitoring, metrics, UI + API support for status / health etc |
Helm chart / OCI artifact support beyond container images | Containers only in core registry; chart support external | Harbor supports Helm charts and other OCI artifacts, in addition to container images |
Integration with enterprise IAM / LDAP / OIDC | Must configure manually; less baked in | Better built-in support in Harbor for enterprise identity sources |
Ease of setup & simplicity | Very simple: minimal dependencies, easy to deploy for basic usage | More components (database, object storage, optional signing, etc.), more complex but richer capability |
(One small point - these are static container image registries, which are the only ones available at the moment. Cyso Cloud was at CDS 2025 in Hamburg and an interesting development in the container registry space is the movement towards more dynamic registries. Ones that combine together different image layers based on what is requested. An example given by Alvaro Hernandez at CDS was a dynamic registry that dynamically put together PostgreSQL images with your own choice of extensions and versions based on the pull command given to the registry. Slide Deck (not from CDS but same topic/author)
Once you’ve made a choice, the follow-up is the question: how to run it and where? We’ll cover that down below.
Deployment Model vs Placement
When thinking about where and how to host a registry, it helps to separate the deployment model from placement. The deployment model describes how you operate the service: some teams start simple by running the registry as a standalone container or virtual machine, perhaps backed by local storage. Others embed it into their Kubernetes clusters, using Helm charts or operators to handle lifecycle and scaling. More advanced setups treat the registry as part of a managed internal platform, complete with monitoring, policies, and quotas. And in environments with global users or strict uptime needs, registries are often distributed across multiple sites, with replication and failover strategies baked in. This depends on the software you choose (be it Harbor, Docker Registry or one of the other myriad of options) and your needs.
Placement determines where the registry physically runs. At one end of the spectrum is your own infrastructure, in a colocation rack or in your own server rack, where you carry the full operational responsibility and have to develop on top of it.
A step up from that is running on your own private cloud, for example, an OpenStack, VMWare or CloudStack environment that you manage across one or multiple sites. Again, full operational responsibility, but these cloud platform layers provide a degree of flexibility (i.e. for migrating it as an outsource measure) and features. CAPEX intensive at first though.
Beyond that are sovereign or regional providers, many of them also based on OpenStack, such as our Cyso Cloud in the Netherlands, which combines cloud convenience with local jurisdiction and open standards. Finally, there are the global hyperscalers: AWS, Google Cloud, Azure and a few others, whose reach and tooling are unmatched. Beware that these ecosystems create lock-in, high egress costs, and compliance considerations and are where geopolitical considerations can be an important factor. All of these options are more OPEX intensive in return for much smaller entry costs.
Do keep in mind that hyperscalers like to get their consumers locked in before jacking up the price, as seen with Google Cloud’s egress costs for object storage. Even closed-source self-hosted options can be problematic, as seen in the increased licensing costs from Broadcom's acquisition of VMware. Lift and shift shouldn’t be one-way. Being agile with the components that make up your platform keeps costs down over the long run and lowers the risk that your platform (or part of it) is the victim of rising per-core licenses or geopolitical decision-making.
Conclusion
Self-hosting your container registry is not boiled down to a technical preference, it is a safeguard. By decoupling your registry from source control, you give yourself the freedom to move platforms when needed, as we experienced moving from GitHub to Gitea. By choosing open-source options like Harbor or the simpler Docker Registry, you avoid the hidden strings of freemium licensing and can be certain you won’t have features taken away from you.
The decision of how and where to deploy matters just as much. Whether you run it bare on your own servers in containers, in your own Kubernetes deployment, or on a managed platform, the registry should be treated as a first-class infrastructure service. Placement then defines your trade-offs: your own racks and private clouds give maximum control at the cost of CAPEX, sovereign OpenStack providers such as Cyso Cloud provide regional independence and open standards, and hyperscalers offer scale and convenience but at the price of lock-in and long-term cost uncertainty.
Taken together, self-hosting your container registry application ensures that a core part of your software delivery pipeline remains under your control. In a landscape of shifting regulations, acquisitions, and pricing models, having that independence means you can adapt without disruption. The registry is small compared to other components of your platform, but strategically, it is one of the easiest wins in retaining platform resilience and freedom of choice.
Schedule a discovery call
