docs: add Registry v2 documentation #867

Open
zhhray wants to merge 10 commits into master from codex/new-registry-docs

@zhhray zhhray commented Jun 5, 2026

Summary by CodeRabbit

  • Documentation
    • Added comprehensive Registry v2 documentation covering developer workflows (accessing the registry, managing images with the ac command) and administrator tasks (operator installation, configuration, exposure, access management, and cleanup).
    • Updated registry documentation to reflect Registry v2 availability and provide navigation between legacy and modern registry workflows.

coderabbitai Bot commented Jun 5, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Walkthrough

This PR adds comprehensive Registry v2 documentation across developer and administrator guides. It establishes a two-track navigation strategy (legacy versus Registry v2), documents the Operator-managed architecture and deployment, covers storage backends and configuration, explains access patterns and authentication, covers external exposure, and provides end-to-end image management and cleanup workflows.

Changes

Registry v2 Documentation Suite

| Layer | File(s) | Summary |
|---|---|---|
| Landing pages and navigation | `docs/en/developer/registry/index.mdx`, `docs/en/developer/registry/registry_v2/index.mdx`, `docs/en/configure/registry/registry_v2/index.mdx`, `docs/en/configure/registry/overview.mdx` | Registry index now distinguishes legacy vs. Registry v2 image use. New landing pages for developer-facing image use and admin-facing Registry v2 administration introduce overviews and navigation tables directing readers to detailed subpages. |
| Registry v2 architecture and overview | `docs/en/configure/registry/registry_v2/registry_overview.mdx` | Registry v2 design documented: Operator-managed integrated registry with separate blob/metadata storage, OCI push/pull endpoints versus Image API aggregation, namespace RBAC integration, detailed comparison with legacy registry across runtime/addressing/lifecycle/APIs/exposure/credentials/limits/pruning, common terminology, and automatic pruning via ImagePruner CronJob. |
| Operator installation and management | `docs/en/configure/registry/registry_v2/image_registry_operator.mdx` | Operator documentation covers main runtime components (Operator/registry/API-server Deployments, APIService, node-ca DaemonSet, image-pruner CronJob, managed pull-secret controller), installation via OperatorHub and YAML, managementState enable/disable, ImagePruner reconciliation, consolidated status checks, logs/metrics access, and troubleshooting table. |
| Storage backend and configuration | `docs/en/configure/registry/registry_v2/setting_up_and_configuring_the_registry.mdx` | Storage setup and operational configuration: development ephemeral emptyDir, production PVC-backed persistent storage, S3-compatible backends with credential management, managed pull-secret controller configuration, image limits via Kubernetes ResourceQuota and LimitRange, scheduled image pruning via ImagePruner/cluster, and storage operation/troubleshooting commands. |
| Access patterns and authentication | `docs/en/developer/registry/registry_v2/accessing_the_registry.mdx` | Access patterns for in-cluster and external clients: prerequisites and ImageStream-layer permissions, internal registry service DNS with example Deployments, custom service-account workflows with managed pull-secret verification, external client authentication via ac registry login, Docker auth configuration, private CA and insecure registry guidance, and Image API query examples. |
| External exposure via Ingress | `docs/en/configure/registry/registry_v2/exposing_the_registry.mdx` | Exposing Registry v2 externally: prerequisites, enabling default external route, configuring custom TLS-secured hosts via Config.spec.routes and TLS Secrets, client-side trust handling for private CAs, test-only insecure registry option, external access verification steps, and troubleshooting table mapping symptoms to configuration/operator/client/registry checks. |
| Image management with ac CLI | `docs/en/developer/registry/registry_v2/managing_images_with_ac.mdx` | Comprehensive ac CLI guide for end-to-end image workflows: registry mode selection (modern/legacy/auto), ImageStream/ImageStreamTag creation/import/tagging/deletion with local image lookup, Image API resource queries, deleting image references with tag preferences, direct OCI image operations (info/mirror/append/extract) with multi-arch filtering and --insecure guidance, and admin task delegation to access/cleanup documentation. |
| Administrative operations and cleanup | `docs/en/configure/registry/registry_v2/managing_access_and_cleanup.mdx` | Administrator and namespace-admin tasks: granting pull/push/delete access via kubectl create rolebinding, viewing image/storage usage via ac adm top, verifying image signatures with optional trust persistence, pruning images with dry-run, retention flags, and --whitelist exclusion, running registry garbage collection, and confirmation-mode semantics for all destructive operations. |
| Legacy registry upgrade clarification | `docs/en/configure/registry/upgrade/registry_plugin_upgrade_guide.mdx` | Upgrade guide clarified to explicitly reference upgrading from old registry plugin to target registry plugin while maintaining the instruction that manual intervention is required due to changed Cluster Plugin name. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Suggested reviewers

  • chinaran
  • jianliao82

🐰 A registry so shiny and new,
With operators to manage and configure through,
Images flowing in, pruning just right,
Kubernetes-native, a wonderful sight!
The docs light the way, crystal clear,
ACP Registry v2 is here! 📚✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title directly and accurately describes the primary change: adding comprehensive Registry v2 documentation across multiple pages. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 3

🧹 Nitpick comments (1)
docs/en/developer/registry/registry_v2/accessing_the_registry.mdx (1)

23-46: ⚡ Quick win

Consider using ac create rolebinding for consistency with existing documentation.

The existing Registry documentation in common_cli_command.mdx uses ac create rolebinding for namespace permission grants. While kubectl commands work correctly, using ac would maintain consistency across the Registry v2 documentation suite.

Based on learnings from docs/en/developer/registry/how_to/common_cli_command.mdx:42-110, which documents ac create rolebinding as the standard approach for Registry namespace permissions.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/en/developer/registry/registry_v2/accessing_the_registry.mdx` around
lines 23 - 46, Replace the three occurrences of the kubectl rolebinding commands
(the lines starting with "kubectl create rolebinding image-puller-user",
"kubectl create rolebinding image-pusher-user", and "kubectl create rolebinding
image-puller-sa") with the equivalent "ac create rolebinding" commands to match
the project's documented standard (as used in common_cli_command.mdx); keep the
same flags (--clusterrole, --user, --serviceaccount, -n) and placeholder values
so behavior is unchanged while ensuring consistency across Registry v2 docs.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/en/developer/registry/registry_v2/migrating_from_legacy_registry.mdx`:
- Around line 221-223: The awk-based parsing of column positions is brittle
because `ac get imagestreamtags` uses default table output; update the two
command invocations (the one printing "$4 $6" for the main stream and the one
that sets VERIFY_REF from "$VERIFY_STREAM:$VERIFY_TAG") to request
wide/structured output by adding `-o wide` (or another structured format) to the
`ac get imagestreamtags` calls before piping to `awk`, ensuring stable column
positions for `$4`/`$6` extraction.
- Around line 85-90: Update the ac login snippet so it conditionally includes
the optional flags instead of always passing empty values: when ACP_IDP is set
include --idp "$ACP_IDP", and when ACP_AUTH_TYPE is set include --auth-type
"$ACP_AUTH_TYPE"; leave --username, --password, --name, --kubeconfig unchanged.
Modify the code that constructs the ac login command (the snippet using ac login
and variables like ACP_SESSION_NAME, ACP_USERNAME, ACP_PASSWORD, ACP_AUTH_TYPE,
ACP_IDP, MIGRATION_KUBECONFIG) to only append the --idp and --auth-type
arguments when their corresponding environment variables are non-empty.
- Around line 363-368: Several examples unconditionally include the --insecure
flag; update the documented commands so --insecure is not hardcoded and is only
used conditionally for HTTP/self-signed/test cert registries: remove the literal
"--insecure" from the ac image mirror examples (dry-run/copy/rerun) and from ac
image info invocations and from the metadata backfill invocation, and instead
add a short parenthetical or placeholder (e.g., "[--insecure when using
HTTP/self‑signed certs]") after the command examples so readers know to add it
only when appropriate; specifically edit the examples referencing ac image
mirror, ac image info, and the metadata backfill function call to remove the
unconditional flag and add the conditional note.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 977094e8-5274-4e93-84fd-2958ef514d10

📥 Commits

Reviewing files that changed from the base of the PR and between 86d6ac3 and 8c071c5.

📒 Files selected for processing (9)
  • docs/en/developer/registry/index.mdx
  • docs/en/developer/registry/registry_v2/accessing_the_registry.mdx
  • docs/en/developer/registry/registry_v2/exposing_the_registry.mdx
  • docs/en/developer/registry/registry_v2/image_registry_operator.mdx
  • docs/en/developer/registry/registry_v2/index.mdx
  • docs/en/developer/registry/registry_v2/managing_images_with_ac.mdx
  • docs/en/developer/registry/registry_v2/migrating_from_legacy_registry.mdx
  • docs/en/developer/registry/registry_v2/registry_overview.mdx
  • docs/en/developer/registry/registry_v2/setting_up_and_configuring_the_registry.mdx

Comment thread docs/en/developer/registry/registry_v2/migrating_from_legacy_registry.mdx Outdated
Comment thread docs/en/configure/registry/registry_v2/migrating_from_legacy_registry.mdx Outdated
Comment thread docs/en/configure/registry/registry_v2/migrating_from_legacy_registry.mdx Outdated

cloudflare-workers-and-pages Bot commented Jun 5, 2026

Deploying alauda-container-platform with Cloudflare Pages

Latest commit: e2cff46
Status: ✅  Deploy successful!
Preview URL: https://2d80c777.alauda-container-platform.pages.dev
Branch Preview URL: https://codex-new-registry-docs.alauda-container-platform.pages.dev

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/en/developer/registry/registry_v2/migrating_from_legacy_registry.mdx`:
- Line 68: The current initialization sets REGISTRY_INSECURE_FLAG default to
"--insecure", making insecure TLS the default; change the default to empty so
the flag is only present when explicitly set. Replace the export of
REGISTRY_INSECURE_FLAG="${REGISTRY_INSECURE_FLAG:---insecure}" with a
default-empty form (e.g., REGISTRY_INSECURE_FLAG="${REGISTRY_INSECURE_FLAG:-}"
or remove the default) so mirror/info/login commands do not skip cert
verification unless the user explicitly supplies "--insecure"; update any
surrounding text referencing REGISTRY_INSECURE_FLAG to reflect the new explicit
opt-in behavior.

In
`@docs/en/developer/registry/registry_v2/setting_up_and_configuring_the_registry.mdx`:
- Around line 193-206: The dry-run example uses different retention flags than
the confirmed run; update the first `ac adm prune images` example to include the
same flags `--keep-tag-revisions=5` and `--keep-younger-than=72h` so both runs
match, and leave `--confirm` only on the second `ac adm prune images ...
--confirm` example; ensure the two command examples are identical except for the
added `--confirm` flag.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 8d0db935-c9cd-434c-9963-369bd60ab9ad

📥 Commits

Reviewing files that changed from the base of the PR and between 8c071c5 and b6cfce0.

📒 Files selected for processing (9)
  • docs/en/developer/registry/index.mdx
  • docs/en/developer/registry/registry_v2/accessing_the_registry.mdx
  • docs/en/developer/registry/registry_v2/exposing_the_registry.mdx
  • docs/en/developer/registry/registry_v2/image_registry_operator.mdx
  • docs/en/developer/registry/registry_v2/index.mdx
  • docs/en/developer/registry/registry_v2/managing_images_with_ac.mdx
  • docs/en/developer/registry/registry_v2/migrating_from_legacy_registry.mdx
  • docs/en/developer/registry/registry_v2/registry_overview.mdx
  • docs/en/developer/registry/registry_v2/setting_up_and_configuring_the_registry.mdx
✅ Files skipped from review due to trivial changes (6)
  • docs/en/developer/registry/registry_v2/registry_overview.mdx
  • docs/en/developer/registry/registry_v2/managing_images_with_ac.mdx
  • docs/en/developer/registry/registry_v2/index.mdx
  • docs/en/developer/registry/index.mdx
  • docs/en/developer/registry/registry_v2/exposing_the_registry.mdx
  • docs/en/developer/registry/registry_v2/accessing_the_registry.mdx
🚧 Files skipped from review as they are similar to previous changes (1)
  • docs/en/developer/registry/registry_v2/image_registry_operator.mdx

Comment thread docs/en/configure/registry/registry_v2/migrating_from_legacy_registry.mdx Outdated
Comment on lines +193 to +206
Preview manual pruning before applying it:

```bash
ac adm prune images
```

Add `--confirm` only after reviewing the dry-run output:

```bash
ac adm prune images \
--keep-tag-revisions=5 \
--keep-younger-than=72h \
--confirm
```

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Keep dry-run and confirmed prune flags identical.

The preview and confirm commands currently use different retention parameters, so the dry-run output may not represent what `--confirm` will actually delete. Keep flags the same in both commands and only add `--confirm` on the second run.

Suggested doc fix
-Preview manual pruning before applying it:
+Preview manual pruning before applying it (with the same flags you plan to confirm):
 
 ```bash
-ac adm prune images
+ac adm prune images \
+  --keep-tag-revisions=5 \
+  --keep-younger-than=72h

Add --confirm only after reviewing the dry-run output:

ac adm prune images \
  --keep-tag-revisions=5 \
  --keep-younger-than=72h \
  --confirm
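
Review bot: `--keep-younger-than=72h` in the added preview lines is evaluated relative to the time of each run, so the set of prunable images can still differ between the dry run and the later `--confirm` run even with identical flags. Suggest adding a sentence that tells readers to run the confirmed command soon after reviewing the preview, and to repeat the preview first if time has passed or new images have been pushed.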

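The two flag-handling points raised in the reviews above (append `--idp` and `--auth-type` only when set, and make `--insecure` an explicit opt-in instead of the `${REGISTRY_INSECURE_FLAG:---insecure}` default) can be checked with the sketch below. It is an added example, not code from the PR or the ACP docs: the function names are hypothetical, it only builds argument lists and never runs `ac`, the positional `image info <ref>` form is an assumption, and all sample values are constructed.

```bash
# Added example: builds argument lists only; nothing here invokes `ac`.

# Flags for `ac login` named in the review comment, one per output line.
# --idp and --auth-type are appended only when their variables are non-empty.
login_flags() {
    set -- --name "$ACP_SESSION_NAME" \
           --username "$ACP_USERNAME" \
           --password "$ACP_PASSWORD" \
           --kubeconfig "$MIGRATION_KUBECONFIG"
    if [ -n "${ACP_IDP:-}" ]; then set -- "$@" --idp "$ACP_IDP"; fi
    if [ -n "${ACP_AUTH_TYPE:-}" ]; then set -- "$@" --auth-type "$ACP_AUTH_TYPE"; fi
    printf '%s\n' "$@"
}

# The default the review flagged. With ':-' an unset variable AND an
# explicitly empty one both expand to --insecure, so a reader cannot
# turn certificate verification back on by setting the variable to "".
legacy_tls_flag() {
    printf '%s\n' "${REGISTRY_INSECURE_FLAG:---insecure}"
}

# Opt-in form: prints nothing unless the variable is exactly --insecure.
# Any other value is rejected so the variable cannot smuggle extra arguments.
registry_tls_flag() {
    case "${REGISTRY_INSECURE_FLAG:-}" in
        "")         ;;  # default: verify certificates
        --insecure) printf '%s\n' --insecure ;;
        *)          echo "unexpected REGISTRY_INSECURE_FLAG value" >&2
                    return 2 ;;
    esac
}

# Append the TLS flag (if any) to an argument list given as "$@".
with_tls_flag() {
    flag=$(registry_tls_flag) || return $?
    if [ -n "$flag" ]; then set -- "$@" "$flag"; fi
    printf '%s\n' "$@"
}

# Demo with constructed values; runs in a subshell so nothing leaks out.
demo() (
    ACP_SESSION_NAME=migration ACP_USERNAME=alice ACP_PASSWORD=example
    MIGRATION_KUBECONFIG=/tmp/migration.kubeconfig ACP_IDP="" ACP_AUTH_TYPE=""
    unset REGISTRY_INSECURE_FLAG
    echo "login flags: $(login_flags | tr '\n' ' ')"
    echo "old default: $(legacy_tls_flag)"
    echo "info argv:   $(with_tls_flag image info registry.example.test/demo/app:1 | tr '\n' ' ')"
)
demo
```
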
@coderabbitai coderabbitai Bot left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
docs/en/developer/registry/registry_v2/managing_images_with_ac.mdx (1)

116-117: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Remove unnecessary escape characters from inline code.

The backslashes before pipes in `source\|local` and `Legacy\|PreserveOriginal` are unnecessary and will render literally in the documentation. In MDX, backticks already protect the content from being interpreted as table delimiters.

📝 Proposed fix
-| `--reference-policy=source\|local` | Control whether workloads use the source reference or the local Registry reference. |
+| `--reference-policy=source|local` | Control whether workloads use the source reference or the local Registry reference. |
-| `--import-mode=Legacy\|PreserveOriginal` | Select how manifest lists and related image metadata are imported. |
+| `--import-mode=Legacy|PreserveOriginal` | Select how manifest lists and related image metadata are imported. |
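
Review bot: The `+` lines leave a bare `|` inside a table cell on both rows. Under GFM table rules a pipe splits cells even inside a code span, so each row would gain an extra column, and `\|` inside the code span is the documented way to get a literal pipe there. Keep the escaped form unless a local build of this page actually shows the backslash in the rendered output.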
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/en/developer/registry/registry_v2/managing_images_with_ac.mdx` around
lines 116 - 117, Remove the unnecessary backslashes in the inline code examples
so the pipe characters are not escaped: change `source\|local` to `source|local`
and `Legacy\|PreserveOriginal` to `Legacy|PreserveOriginal` in the table row
strings (look for the inline code snippets containing `--reference-policy` and
`--import-mode` in the file) so MDX renders the code literals correctly without
literal backslashes.
🧹 Nitpick comments (2)
docs/en/developer/registry/registry_v2/managing_images_with_ac.mdx (2)

309-311: 💤 Low value

Consider using an absolute MDX link.

The relative link with three `../` traversals works correctly but could be replaced with an absolute path for improved clarity: `/configure/registry/registry_v2/managing_access_and_cleanup.mdx`.

Based on learnings: In alauda/acp-docs, absolute MDX links are preferred when relative links require many ../ traversals.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/en/developer/registry/registry_v2/managing_images_with_ac.mdx` around
lines 309 - 311, The relative MDX link
"../../../configure/registry/registry_v2/managing_access_and_cleanup.mdx" should
be replaced with the project-preferred absolute MDX path
"/configure/registry/registry_v2/managing_access_and_cleanup.mdx"; update the
link in the "Administrative Operations" section (the line containing the
relative link) to use the absolute path string so the document points directly
to the target without "../" traversal.

Source: Learnings


41-41: 💤 Low value

Consider using an absolute MDX link.

The relative link with three `../` traversals works correctly but could be replaced with an absolute path for improved clarity: `/configure/registry/registry_v2/managing_access_and_cleanup.mdx`.

Based on learnings: In alauda/acp-docs, absolute MDX links are preferred when relative links require many ../ traversals.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/en/developer/registry/registry_v2/managing_images_with_ac.mdx` at line
41, The relative MDX link
"../../../configure/registry/registry_v2/managing_access_and_cleanup.mdx" in the
sentence "Administrative usage reporting, cleanup, and trust verification are
documented in [Managing Registry v2 access and cleanup](...)" should be replaced
with the absolute path
"/configure/registry/registry_v2/managing_access_and_cleanup.mdx"; update the
link target in that link occurrence so it becomes [Managing Registry v2 access
and cleanup](/configure/registry/registry_v2/managing_access_and_cleanup.mdx).

Source: Learnings

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e798a3e6-d678-4644-b2b6-cd557ecac90f

📥 Commits

Reviewing files that changed from the base of the PR and between b6cfce0 and 9138d0d.

📒 Files selected for processing (12)
  • docs/en/configure/registry/overview.mdx
  • docs/en/configure/registry/registry_v2/exposing_the_registry.mdx
  • docs/en/configure/registry/registry_v2/image_registry_operator.mdx
  • docs/en/configure/registry/registry_v2/index.mdx
  • docs/en/configure/registry/registry_v2/managing_access_and_cleanup.mdx
  • docs/en/configure/registry/registry_v2/migrating_from_legacy_registry.mdx
  • docs/en/configure/registry/registry_v2/registry_overview.mdx
  • docs/en/configure/registry/registry_v2/setting_up_and_configuring_the_registry.mdx
  • docs/en/developer/registry/index.mdx
  • docs/en/developer/registry/registry_v2/accessing_the_registry.mdx
  • docs/en/developer/registry/registry_v2/index.mdx
  • docs/en/developer/registry/registry_v2/managing_images_with_ac.mdx
💤 Files with no reviewable changes (2)
  • docs/en/configure/registry/registry_v2/image_registry_operator.mdx
  • docs/en/configure/registry/registry_v2/exposing_the_registry.mdx
✅ Files skipped from review due to trivial changes (9)
  • docs/en/configure/registry/overview.mdx
  • docs/en/configure/registry/registry_v2/index.mdx
  • docs/en/developer/registry/index.mdx
  • docs/en/configure/registry/registry_v2/registry_overview.mdx
  • docs/en/developer/registry/registry_v2/index.mdx
  • docs/en/configure/registry/registry_v2/setting_up_and_configuring_the_registry.mdx
  • docs/en/configure/registry/registry_v2/migrating_from_legacy_registry.mdx
  • docs/en/configure/registry/registry_v2/managing_access_and_cleanup.mdx
  • docs/en/developer/registry/registry_v2/accessing_the_registry.mdx

@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (3)
docs/en/configure/registry/registry_v2/image_registry_operator.mdx (2)

71-73: ⚡ Quick win

Document why privileged pod-security is required.

Setting pod-security labels to `privileged` without explanation may lead users to copy this configuration without understanding the security implications. Document why the `image-registry-system` namespace requires privileged access (e.g., for the `node-ca` DaemonSet that modifies node trust configuration, or for registry storage access).

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/en/configure/registry/registry_v2/image_registry_operator.mdx` around
lines 71 - 73, Add a short explanatory paragraph after the pod-security label
block that justifies why the image-registry-system namespace requires
pod-security.kubernetes.io/audit/enforce/warn=privileged, mention the specific
components that need it (e.g., the node-ca DaemonSet which modifies node trust
configuration and registry pods that require low-level storage/node access),
call out the security implications of using privileged pods, and provide
mitigation options or alternatives (tighten PodSecurityPolicy/PSP equivalents,
use RBAC, restrict to specific ServiceAccounts, or explain why hostPath/device
access is necessary) so readers understand necessity and risks.

205-207: 💤 Low value

Clarify whether the service account name is an example.

The command references `system:serviceaccount:cpaas-system:prometheus-sa`. Clarify whether this is the actual service account name for the monitoring system, or if it's a placeholder example that users should replace with their own monitoring service account.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/en/configure/registry/registry_v2/image_registry_operator.mdx` around
lines 205 - 207, The cited kubectl command uses the service account identifier
system:serviceaccount:cpaas-system:prometheus-sa but it's unclear if that's a
real account or an example; update the text around the command (the line
containing "kubectl auth can-i ...
--as=system:serviceaccount:cpaas-system:prometheus-sa") to explicitly state that
this is an example placeholder and instruct users to replace it with their
monitoring service account (or show an explicit placeholder form like
system:serviceaccount:<namespace>:<service-account-name>), so readers know to
substitute their own values.
docs/en/developer/registry/registry_v2/accessing_the_registry.mdx (1)

30-30: 💤 Low value

Consider using an absolute MDX link for clarity.

The relative link `../../../configure/...` requires three parent-directory traversals. Based on learnings, absolute MDX links are preferred in this repository when relative paths become complex.

♻️ Proposed refactor
-For role binding examples, see [Managing Registry v2 access and cleanup](../../../configure/registry/registry_v2/managing_access_and_cleanup.mdx).
+For role binding examples, see [Managing Registry v2 access and cleanup](/configure/registry/registry_v2/managing_access_and_cleanup.mdx).
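
Review bot: The new target on the `+` line is root-relative and drops the `en/` segment that every file path in this PR carries (`docs/en/configure/...`). Confirm that the site build resolves `/configure/...` against the locale root and still accepts the `.mdx` extension on a root-relative link, then check the rendered link in the preview deployment.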
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/en/developer/registry/registry_v2/accessing_the_registry.mdx` at line
30, Replace the relative MDX link
"../../../configure/registry/registry_v2/managing_access_and_cleanup.mdx" with
an absolute MDX link to the same target (e.g.
"/configure/registry/registry_v2/managing_access_and_cleanup.mdx") in the line
that reads "For role binding examples, see [Managing Registry v2 access and
cleanup](../../../configure/registry/registry_v2/managing_access_and_cleanup.mdx)";
keep the link text identical and only change the URL to the absolute path so the
reference is clear and avoids deep parent-directory traversal.

Source: Learnings

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: f5b46a7d-fc19-495b-8911-ee820f704868

📥 Commits

Reviewing files that changed from the base of the PR and between 9138d0d and 0dd3c12.

📒 Files selected for processing (8)
  • docs/en/configure/registry/registry_v2/exposing_the_registry.mdx
  • docs/en/configure/registry/registry_v2/image_registry_operator.mdx
  • docs/en/configure/registry/registry_v2/managing_access_and_cleanup.mdx
  • docs/en/configure/registry/registry_v2/migrating_from_legacy_registry.mdx
  • docs/en/configure/registry/registry_v2/setting_up_and_configuring_the_registry.mdx
  • docs/en/configure/registry/upgrade/registry_plugin_upgrade_guide.mdx
  • docs/en/developer/registry/registry_v2/accessing_the_registry.mdx
  • docs/en/developer/registry/registry_v2/managing_images_with_ac.mdx
💤 Files with no reviewable changes (1)
  • docs/en/developer/registry/registry_v2/managing_images_with_ac.mdx
✅ Files skipped from review due to trivial changes (3)
  • docs/en/configure/registry/upgrade/registry_plugin_upgrade_guide.mdx
  • docs/en/configure/registry/registry_v2/setting_up_and_configuring_the_registry.mdx
  • docs/en/configure/registry/registry_v2/exposing_the_registry.mdx
