Description of problem:
In certain scenarios like INT/STG testing, QE and Ops need the ability to make the registry (or even just certain projects) world-readable and therefore available for public pulls.
Version-Release number of selected component (if applicable):
How reproducible:
Steps to Reproduce:
1.
2.
3.
Actual results:
Expected results:
Additional info:
I've tried the following in an attempt to open the registry up publicly, but it hasn't had the intended effect:
    oc policy add-role-to-group registry-viewer system:unauthenticated
Is there maybe some additional configuration that needs to happen for the registry-viewer role to be applied to unauthenticated users?
I'm not sure we allow access at all to any kind of resources for unauthenticated users. David or Jordan may know that, guys?
We need to backport https://github.com/openshift/origin/pull/9887 for that.
Ops was able to work around this by deploying an apache frontend pod to provide the authentication for pulls. So we have a publicly-readable docker registry now, using the ose-docker-registry pod as the backend. So we no longer need this functionality from the builtin registry. Thanks,
I mean the authentication for *pushes, sorry. Pulls require no authentication on Ops's registry app.
Today only INT has a 3.3 env, but the route for docker-registry does not work. Will verify this bug when the env is ready.
Confirmed with OCP3.3.0.17, the issue has been fixed.
Check ~/.docker/config.json and make sure it contains no credentials from your dockercfg related to your docker registry.
1) First, pull the image from docker-registry without the registry-viewer role; the pull will fail:
    docker pull 172.31.224.149:5000/zhouy/deployment-example
    Using default tag: latest
    Trying to pull repository 172.31.224.149:5000/zhouy/deployment-example ...
    Pulling repository 172.31.224.149:5000/zhouy/deployment-example
    Error: image zhouy/deployment-example not found
2) Grant the registry-viewer role to the system:anonymous user, then pull again; the pull will succeed:
    oc policy add-role-to-user registry-viewer system:anonymous
    docker pull 172.31.224.149:5000/zhouy/deployment-example
    Using default tag: latest
    Trying to pull repository 172.31.224.149:5000/zhouy/deployment-example ...
    latest: Pulling from 172.31.224.149:5000/zhouy/deployment-example
    a3ed95caeb02: Pull complete
    50438f3701c4: Pull complete
    Digest: sha256:ea9135488f323060cb18ab3ec06286cd49e4b3a611fce1a6a442651ecf421f99
    Status: Downloaded newer image for 172.31.224.149:5000/zhouy/deployment-example:latest
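An audit check that follows from the verification above, added here as an example and not part of the bug thread: it lists the projects where a role is bound to either of the two unauthenticated principals named in this thread, so publicly pullable projects can be reviewed. The JSON field names (userNames, groupNames, subjects, roleRef) are an assumption about OpenShift 3.x role binding output, and the sample bindings (projects stage and dev, user alice) are constructed.

```python
import json

# Principals that stand for callers presenting no credentials.
ANON_USERS = {"system:anonymous"}
ANON_GROUPS = {"system:unauthenticated"}

# Constructed sample (not from the thread), shaped like the output of
# `oc get rolebindings --all-namespaces -o json` on OpenShift 3.x.
# Assumed field names: userNames, groupNames, subjects, roleRef.
SAMPLE = """
{"items": [
  {"metadata": {"name": "registry-viewer", "namespace": "zhouy"},
   "roleRef": {"name": "registry-viewer"},
   "userNames": ["system:anonymous"], "groupNames": null,
   "subjects": [{"kind": "SystemUser", "name": "system:anonymous"}]},
  {"metadata": {"name": "registry-viewer", "namespace": "stage"},
   "roleRef": {"name": "registry-viewer"},
   "userNames": null, "groupNames": ["system:unauthenticated"],
   "subjects": [{"kind": "SystemGroup", "name": "system:unauthenticated"}]},
  {"metadata": {"name": "admin", "namespace": "dev"},
   "roleRef": {"name": "admin"},
   "userNames": ["alice"], "groupNames": null,
   "subjects": [{"kind": "User", "name": "alice"}]}
]}
"""

def anonymous_grants(doc):
    """Return sorted (namespace, role, principal) for bindings open to anonymous callers."""
    findings = set()
    for rb in doc.get("items", []):
        users = set(rb.get("userNames") or [])
        groups = set(rb.get("groupNames") or [])
        # Principals may also appear under "subjects"; merge both forms.
        for subj in rb.get("subjects") or []:
            kind, name = subj.get("kind", ""), subj.get("name", "")
            if kind.endswith("User"):
                users.add(name)
            elif kind.endswith("Group"):
                groups.add(name)
        for principal in (users & ANON_USERS) | (groups & ANON_GROUPS):
            findings.add((rb["metadata"].get("namespace", ""),
                          rb["roleRef"]["name"], principal))
    return sorted(findings)

if __name__ == "__main__":
    for ns, role, who in anonymous_grants(json.loads(SAMPLE)):
        print(f"{ns}: role {role} granted to {who}")
```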