Every container platform needs somewhere to keep the images it builds before it deploys them. On Google Cloud, that place is Artifact Registry. This guide explains what it is, how it differs from the older Container Registry, and where it sits in a build-to-deploy pipeline.
What a container registry does
When you build a container image, you produce an artifact — a tarball of layers plus a manifest describing them. To run that image somewhere else (a Kubernetes cluster, another machine), you need to store and distribute it. That's a container registry: a server that stores images, addressed by registry/repository:tag or by content digest, and serves them to whoever's allowed to pull.
Docker Hub is the public example. Artifact Registry is Google Cloud's managed, private equivalent — and more.
What Artifact Registry is
Artifact Registry is GCP's unified, managed repository for build artifacts. "Unified" is the key word: beyond container images (Docker/OCI), it also hosts language-package formats:
- Container/OCI images
- npm packages
- Maven / Gradle (Java)
- Python (PyPI-style)
- Go modules, Apt, and Yum repos
So one service can be your image registry *and* your private package registry, with consistent IAM and regional placement.
How it improves on Container Registry (GCR)
Artifact Registry is the successor to Google Container Registry (GCR), which Google has deprecated in favor of it. The improvements:
| Capability | Container Registry (GCR) | Artifact Registry |
|---|---|---|
| Artifact types | Container images only | Images + npm/Maven/PyPI/Go/Apt/Yum |
| Repositories | One per project per host | Multiple, granular repos |
| Access control | Bucket-level (coarse) | Per-repository IAM (fine-grained) |
| Regional control | Limited | Explicit per-repo regions/multi-region |
| Vulnerability scanning | Add-on | Integrated scanning |
The fine-grained, per-repository IAM is the standout: you can grant a CI service account push access to one repo without exposing everything in the project.
Key concepts
- Repository: a named container for artifacts of one format in one location (e.g.
us-docker.pkg.dev/my-project/my-images). - Location: a region or multi-region where the repo lives. Co-locate with your cluster to cut pull latency and egress.
- Image reference:
LOCATION-docker.pkg.dev/PROJECT/REPO/IMAGE:TAG. - Digest: a content-addressed
sha256:...identifier. Deploying by digest guarantees you run the exact bytes you built — immune to tag reuse.
A typical push/pull flow
Authenticate Docker to Artifact Registry, then push:
# Configure Docker auth for the region
gcloud auth configure-docker us-docker.pkg.dev
# Tag and push
docker tag myapp:latest \
us-docker.pkg.dev/my-project/my-images/myapp:1.2.3
docker push us-docker.pkg.dev/my-project/my-images/myapp:1.2.3Pulling (e.g. from Kubernetes) just references the same path, with the cluster's service account granted reader access.
Why digests beat tags in production
Tags are mutable — :latest today isn't :latest tomorrow. For reproducible deploys, reference the digest:
us-docker.pkg.dev/my-project/my-images/myapp@sha256:abc123...This guarantees the deployed image is byte-identical to what you tested, which matters for rollbacks and audits.
Where it fits in a pipeline
Artifact Registry is the handoff point between *build* and *deploy*:
Git push → build image → PUSH to Artifact Registry → deploy pulls image → running appThe registry decouples the two halves. The builder doesn't need to know how deployment works; the deployer doesn't need to rebuild. They agree on an immutable image reference, and the registry holds it.
How PandaStack uses Artifact Registry
When you push to a connected repo, PandaStack builds your image with rootless BuildKit in an ephemeral Kubernetes Job pod, then pushes the resulting image to Google Artifact Registry. From there a Helm deploy pulls the image into the multi-region GKE cluster and your app goes live. You never interact with the registry directly — but it's the durable, content-addressed store that makes builds and deploys cleanly separable, and rollbacks possible.
Cost and housekeeping notes
- Storage is billed by what you keep. Old image versions accumulate; set cleanup policies to expire untagged or old artifacts.
- Egress matters. Pulling across regions costs more and is slower; keep the registry near the cluster.
- Scan your images. Integrated vulnerability scanning catches known CVEs in your base images before they reach production.
References
- [Google Artifact Registry documentation](https://cloud.google.com/artifact-registry/docs)
- [Artifact Registry vs Container Registry transition](https://cloud.google.com/artifact-registry/docs/transition/transition-from-gcr)
- [OCI image specification](https://github.com/opencontainers/image-spec)
- [Artifact Registry IAM roles](https://cloud.google.com/artifact-registry/docs/access-control)
- [Vulnerability scanning in Artifact Registry](https://cloud.google.com/artifact-registry/docs/analysis)
---
On PandaStack, Artifact Registry runs quietly behind your deploys — you just push code and get a content-addressed, rollback-ready image. See it work end to end on the free tier at [dashboard.pandastack.io](https://dashboard.pandastack.io).