Description of problem:
If docker.io is defined in images.config.openshift.io/cluster as below:

spec:
  registrySources:
    blockedRegistries:
    - docker.io

Library images can still be imported, but not with the docker.io/library prefix:

$ oc import-image myimage4 --from=busybox --confirm=true
imagestream.image.openshift.io/myimage4 imported

Name: myimage4
Namespace: wzheng1
Created: 1 second ago
Labels: <none>
Annotations: openshift.io/image.dockerRepositoryCheck=2020-07-29T09:32:45Z
Image Repository: image-registry.openshift-image-registry.svc:5000/wzheng1/myimage4
Image Lookup: local=false
Unique Images: 1
Tags: 1

latest
  tagged from busybox

  * busybox@sha256:400ee2ed939df769d4681023810d2e4fb9479b8401d97003c710d0e20f7c49c6
      1 second ago

Image Name: myimage4:latest
Docker Image: busybox@sha256:400ee2ed939df769d4681023810d2e4fb9479b8401d97003c710d0e20f7c49c6
Name: sha256:400ee2ed939df769d4681023810d2e4fb9479b8401d97003c710d0e20f7c49c6
Created: 1 second ago
Annotations: image.openshift.io/dockerLayersOrder=ascending
Image Size: 765.3kB in 1 layers
Layers: 763.8kB sha256:61c5ed1cbdf8e801f3b73d906c61261ad916b2532d6756e7c4fbcacb975299fb
Image Created: 33 hours ago
Author: <none>
Arch: amd64
Command: sh
Working Dir: <none>
User: <none>
Exposes Ports: <none>
Docker Labels: <none>
Environment: PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

$ oc import-image myimage6 --from=docker.io/library/busybox --confirm=true
error: tag failed: forbidden: registry docker.io blocked
imagestream.image.openshift.io/myimage6 imported with errors

Name: myimage6
Namespace: wzheng1
Created: Less than a second ago
Labels: <none>
Annotations: openshift.io/image.dockerRepositoryCheck=2020-07-29T09:36:06Z
Image Repository: image-registry.openshift-image-registry.svc:5000/wzheng1/myimage6
Image Lookup: local=false
Unique Images: 0
Tags: 1

latest
  tagged from docker.io/library/busybox

  ! error: Import failed (Forbidden): forbidden: registry docker.io blocked
      Less than a second ago

Version-Release number of selected component (if applicable):
4.6.0-0.nightly-2020-07-25-091217

How reproducible:
Always

Steps to Reproduce:
1. Define the following in images.config.openshift.io/cluster:

spec:
  registrySources:
    blockedRegistries:
    - docker.io

2. After the cluster finishes restarting, import the busybox image
3. Import the image docker.io/library/busybox

Actual results:
2. Succeed
3. Failed

Expected results:
Should fail

Additional info:
skopeo inspect docker://busybox@sha256:400ee2ed939df769d4681023810d2e4fb9479b8401d97003c710d0e20f7c49c6
{
    "Name": "docker.io/library/busybox",
Verified on 4.6.0-0.nightly-2020-08-17-184032:

$ oc import-image myimage4 --from=busybox --confirm=true
error: tag failed: forbidden: registry blocked
imagestream.image.openshift.io/myimage4 imported with errors

Name: myimage4
Namespace: wzheng1
Created: Less than a second ago
Labels: <none>
Annotations: openshift.io/image.dockerRepositoryCheck=2020-08-18T09:51:37Z
Image Repository: image-registry.openshift-image-registry.svc:5000/wzheng1/myimage4
Image Lookup: local=false
Unique Images: 0
Tags: 1

latest
  tagged from busybox

  ! error: Import failed (Forbidden): forbidden: registry blocked
      Less than a second ago
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:4196
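
The behaviour in the report (`busybox` imported, `docker.io/library/busybox` refused) is what a blocklist produces when it matches the pull spec as typed instead of the registry it resolves to. The Go program below is an added example, not OpenShift's code: the function names, the simplified short-name rules and the sample pull specs are assumptions made here to show both checks side by side.

```go
package main

import (
	"fmt"
	"strings"
)

// registryOf resolves a pull spec to its registry host (simplified Docker short-name
// rules): a first component without "." or ":" that is not "localhost" is not a host.
func registryOf(spec string) string {
	host, _, found := strings.Cut(spec, "/")
	if !found || (!strings.ContainsAny(host, ".:") && host != "localhost") {
		return "docker.io"
	}
	if host == "index.docker.io" { // legacy alias for Docker Hub
		return "docker.io"
	}
	return host
}

// literalBlocked is a hypothetical check that compares only the text the user
// typed, which reproduces the gap reported above for "busybox".
func literalBlocked(spec string, blocked []string) bool {
	for _, b := range blocked {
		if strings.HasPrefix(spec, b+"/") {
			return true
		}
	}
	return false
}

// resolvedBlocked normalizes first, then matches the resolved registry.
func resolvedBlocked(spec string, blocked []string) bool {
	for _, b := range blocked {
		if registryOf(spec) == b {
			return true
		}
	}
	return false
}

func main() {
	blocked := []string{"docker.io"} // blockedRegistries from the report
	// Constructed pull specs; quay.io/example/app is a placeholder.
	specs := []string{"busybox", "library/busybox", "docker.io/library/busybox", "quay.io/example/app"}
	for _, s := range specs {
		fmt.Printf("%-26s literal=%-5v resolved=%v\n", s, literalBlocked(s, blocked), resolvedBlocked(s, blocked))
	}
}
```

When auditing a cluster with `blockedRegistries` set, test the short name, the `library/` form and the fully qualified form of the same image; all three should be refused.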