Overview

Bifrost Enterprise provides private container image distribution through dedicated registries, enabling secure deployments in AWS, GCP, Azure, and on-premise environments.

Architecture

Bifrost uses a hub-and-spoke model with two container registries optimized for each cloud platform:

Registry Distribution

Customer Cloud	Registry Source	Why
AWS	AWS ECR	Native IAM integration, lowest latency within AWS
GCP	GCP Artifact Registry	Native Workload Identity, lowest latency within GCP
Azure	GCP Artifact Registry	Workload Identity Federation from Azure to GCP
On-Premise	GCP Artifact Registry	Basic auth with username/password credentials

Authentication Methods

Choose the authentication method based on your deployment environment:

Environment	Method	Security Level	Setup Complexity
AWS EKS	IRSA	High	Medium
AWS ECS	IAM Task Roles	High	Low
GCP GKE	Workload Identity	High	Low
Azure AKS	Azure WIF	High	Medium
On-Premise	Basic Auth	Medium	Low

Cloud-native identity federation (IRSA, Workload Identity, Azure WIF) is recommended over static credentials for production deployments.

Security Features

Encryption

In-Transit: All registry communication uses TLS 1.3
At-Rest: Images encrypted using cloud-native encryption (AWS KMS, GCP CMEK)

Access Control

IAM-based: Fine-grained permissions using cloud IAM policies
Audit Logging: All image pull operations are logged for compliance
IP Restrictions: Optional VPC Service Controls (GCP) or VPC endpoints (AWS)

Image Security

Vulnerability Scanning: Automatic scanning on push
Immutable Tags: Optional tag immutability to prevent overwrites
Signed Images: Container image signatures for verification

Prerequisites

Before deploying Bifrost Enterprise, ensure you have:

AWS
GCP
Azure
On-Premise

AWS account with ECR access
EKS cluster (v1.23+) or ECS cluster
IAM permissions to create roles and policies
kubectl and aws CLI configured

GCP project with Artifact Registry API enabled
GKE cluster (v1.24+) with Workload Identity enabled
IAM permissions for service account management
kubectl and gcloud CLI configured

Azure subscription with AKS
AKS cluster (v1.24+) with Workload Identity enabled
Permissions to create Managed Identities
kubectl and az CLI configured

Kubernetes cluster (v1.23+) or Docker runtime
Network access to us-central1-docker.pkg.dev
Docker credentials provided by Bifrost team

Getting Started

AWS Deployment

Deploy on EKS or ECS with IRSA authentication

GCP Deployment

Deploy on GKE with Workload Identity

Azure Deployment

Deploy on AKS with Azure Workload Identity Federation

On-Premise

Deploy anywhere with Docker credentials

Support

For enterprise deployment assistance:

Email: [email protected]
Slack: Connect via Slack Connect for real-time support
Documentation: Platform-specific guides linked above

Platform specific guides

Enterprise Deployment

Common setup instructions

Architecture

Registry Distribution

Authentication Methods

Security Features

Encryption

Access Control

Image Security

Prerequisites

Getting Started

AWS Deployment

GCP Deployment

Azure Deployment

On-Premise

Support

Platform specific guides

Enterprise Deployment

Common setup instructions

​Architecture

​Registry Distribution

​Authentication Methods

​Security Features

​Encryption

​Access Control

​Image Security

​Prerequisites

​Getting Started

AWS Deployment

GCP Deployment

Azure Deployment

On-Premise

​Support

Architecture

Registry Distribution

Authentication Methods

Security Features

Encryption

Access Control

Image Security

Prerequisites

Getting Started

Support