Description of problem:
When assigning the registry-admin role to group system:unauthenticated in a project and inspecting the internal image, cannot get information about image-name in the internal registry.

Version-Release number of selected component (if applicable):
4.10.0-0.nightly-2021-10-25-190146

How reproducible:
always

Steps to Reproduce:
1. Create a new project pj1
2. Assign registry-admin role to group system:unauthenticated
```
$ oc policy add-role-to-user registry-admin system:anonymous -n pj1
```
3. Create a build
```
$ oc new-build ruby~https://github.com/sclorg/ruby-ex.git
$ oc get is
NAME      IMAGE REPOSITORY                                               TAGS     UPDATED
ruby-ex   image-registry.openshift-image-registry.svc:5000/pj1/ruby-ex   latest   43 minutes ago
```
4. Create skopeo pods with the file:
```
{
  "apiVersion": "v1",
  "kind": "DeploymentConfig",
  "metadata": {
    "labels": { "name": "skopeo" },
    "name": "skopeo"
  },
  "spec": {
    "replicas": 1,
    "selector": { "name": "skopeo" },
    "strategy": {
      "activeDeadlineSeconds": 21600,
      "resources": {},
      "rollingParams": {
        "intervalSeconds": 1,
        "maxSurge": "25%",
        "maxUnavailable": "25%",
        "timeoutSeconds": 600,
        "updatePeriodSeconds": 1
      },
      "type": "Rolling"
    },
    "template": {
      "metadata": {
        "labels": { "name": "skopeo" }
      },
      "spec": {
        "containers": [
          {
            "args": [ "bash", "-c", "while : ; do sleep 15m ; done" ],
            "image": "quay.io/openshifttest/skopeo@sha256:d59939bb619bc98613b2a0403022bf97442ca8c67efaa43deac33122703deabb",
            "imagePullPolicy": "IfNotPresent",
            "name": "skopeo",
            "resources": {},
            "terminationMessagePath": "/dev/termination-log",
            "terminationMessagePolicy": "File"
          }
        ],
        "restartPolicy": "Always",
        "terminationGracePeriodSeconds": 30
      }
    },
    "triggers": [ { "type": "ConfigChange" } ]
  }
}
```
5. Get default sa token
```
$ oc serviceaccounts get-token 'default'
```
6. Get internal image ruby-ex info
```
$ oc exec skopeo-1-th6vv -i -- skopeo --debug --insecure-policy inspect --tls-verify=false --creds <default SA token> docker://image-registry.openshift-image-registry.svc:5000/pj1/ruby-ex:latest
time="2021-10-27T08:03:46Z" level=debug msg="Using registries.d directory /etc/containers/registries.d for sigstore configuration"
time="2021-10-27T08:03:46Z" level=debug msg=" No signature storage configuration found for image-registry.openshift-image-registry.svc:5000/pj1/ruby-ex:latest"
time="2021-10-27T08:03:46Z" level=debug msg="GET https://image-registry.openshift-image-registry.svc:5000/v2/"
time="2021-10-27T08:03:46Z" level=debug msg="Ping https://image-registry.openshift-image-registry.svc:5000/v2/ err <nil>"
time="2021-10-27T08:03:46Z" level=debug msg="Ping https://image-registry.openshift-image-registry.svc:5000/v2/ status 401"
time="2021-10-27T08:03:46Z" level=debug msg="GET https://image-registry.openshift-image-registry.svc:5000/v2/pj1/ruby-ex/manifests/latest"
time="2021-10-27T08:03:46Z" level=fatal msg="unauthorized: authentication required"
command terminated with exit code 1
```

Actual results:
Cannot get image info

Expected results:
Should get correct image info

Additional info:
It works in 4.9 version as below:
```
$ oc exec skopeo-1-jmn8b -i -- skopeo --debug --insecure-policy inspect --tls-verify=false --creds <default SA token> docker://image-registry.openshift-image-registry.svc:5000/pj1/ruby-ex:latest
time="2021-10-27T08:08:17Z" level=debug msg="Using registries.d directory /etc/containers/registries.d for sigstore configuration"
time="2021-10-27T08:08:17Z" level=debug msg=" No signature storage configuration found for image-registry.openshift-image-registry.svc:5000/pj1/ruby-ex:latest"
time="2021-10-27T08:08:17Z" level=debug msg="GET https://image-registry.openshift-image-registry.svc:5000/v2/"
time="2021-10-27T08:08:17Z" level=debug msg="Ping https://image-registry.openshift-image-registry.svc:5000/v2/ err <nil>"
time="2021-10-27T08:08:17Z" level=debug msg="Ping https://image-registry.openshift-image-registry.svc:5000/v2/ status 401"
time="2021-10-27T08:08:17Z" level=debug msg="Increasing token expiration to: 60 seconds"
time="2021-10-27T08:08:17Z" level=debug msg="GET https://image-registry.openshift-image-registry.svc:5000/v2/pj1/ruby-ex/manifests/latest"
time="2021-10-27T08:08:17Z" level=debug msg="Downloading /v2/pj1/ruby-ex/blobs/sha256:b4a96f62f0af8139d6de1d6fd97de20d010b484aac14cf17dae51cec713b1f6f"
time="2021-10-27T08:08:17Z" level=debug msg="GET https://image-registry.openshift-image-registry.svc:5000/v2/pj1/ruby-ex/blobs/sha256:b4a96f62f0af8139d6de1d6fd97de20d010b484aac14cf17dae51cec713b1f6f"
time="2021-10-27T08:08:17Z" level=debug msg="GET https://image-registry.openshift-image-registry.svc:5000/v2/pj1/ruby-ex/tags/list"
{
    "Name": "image-registry.openshift-image-registry.svc:5000/pj1/ruby-ex",
    "Digest": "sha256:5868e23c08b12a4bff0fd983daa45c2b4a7d378c45809409ce728e39cff9ad9c",
    "RepoTags": [
        "latest"
    ],
    "Created": "2021-10-27T08:07:23.947934201Z",
    "DockerVersion": "",
    "Labels": {
        "architecture": "x86_64",
        "build-date": "2021-10-12T10:58:52.248123",
        "com.redhat.build-host": "cpt-1001.osbs.prod.upshift.rdu2.redhat.com",
        "com.redhat.component": "ruby-27-container",
        "com.redhat.license_terms": "https://www.redhat.com/en/about/red-hat-end-user-license-agreements#UBI",
        "description": "Ruby 2.7 available as container is a base platform for building and running various Ruby 2.7 applications and frameworks. Ruby is the interpreted scripting language for quick and easy object-oriented programming. It has many features to process text files and to do system management tasks (as in Perl). It is simple, straight-forward, and extensible.",
        "distribution-scope": "public",
        "io.buildah.version": "1.20.1",
        "io.k8s.description": "Ruby 2.7 available as container is a base platform for building and running various Ruby 2.7 applications and frameworks. Ruby is the interpreted scripting language for quick and easy object-oriented programming. It has many features to process text files and to do system management tasks (as in Perl). It is simple, straight-forward, and extensible.",
        "io.k8s.display-name": "Ruby 2.7",
        "io.openshift.build.commit.author": "Honza Horak \u003chhorak\u003e",
        "io.openshift.build.commit.date": "Fri Aug 21 13:44:47 2020 +0200",
        "io.openshift.build.commit.id": "01effef3a23935c1a83110d4b074b0738d677c44",
        "io.openshift.build.commit.message": "Merge pull request #35 from pvalena/bundler",
        "io.openshift.build.commit.ref": "master",
        "io.openshift.build.image": "image-registry.openshift-image-registry.svc:5000/openshift/ruby@sha256:b071f6c2b8f2b3258ee3f078a6c873a18878088bd74af3b855f540deefedc921",
        "io.openshift.build.source-location": "https://github.com/sclorg/ruby-ex.git",
        "io.openshift.expose-services": "8080:http",
        "io.openshift.s2i.scripts-url": "image:///usr/libexec/s2i",
        "io.openshift.tags": "builder,ruby,ruby27,ruby-27",
        "io.s2i.scripts-url": "image:///usr/libexec/s2i",
        "maintainer": "SoftwareCollections.org \u003csclorg\u003e",
        "name": "ubi8/ruby-27",
        "release": "39.1634036267",
        "summary": "Platform for building and running Ruby 2.7 applications",
        "url": "https://access.redhat.com/containers/#/registry.access.redhat.com/ubi8/ruby-27/images/1-39.1634036267",
        "usage": "s2i build https://github.com/sclorg/s2i-ruby-container.git --context-dir=2.7/test/puma-test-app/ ubi8/ruby-27 ruby-sample-app",
        "vcs-ref": "9a3f6c02fc37b88d48f4dbc3ad177ead158d4788",
        "vcs-type": "git",
        "vendor": "Red Hat, Inc.",
        "version": "1"
    },
    "Architecture": "amd64",
    "Os": "linux",
    "Layers": [
        "sha256:262268b65bd5f33784d6a61514964887bc18bc00c60c588bc62bfae7edca46f1",
        "sha256:06038631a24a25348b51d1bfc7d0a0ee555552a8998f8328f9b657d02dd4c64c",
        "sha256:44115d860fcecaa250b811cc4120d7ba18a2250bada1fe15199de53cefde7fc7",
        "sha256:c5a7d3bb6c978700136f58b53f70fa6440877349889c7e1a7ef9329f693a965d",
        "sha256:8675660e94877e470be3a07966bef1bd4b21f8370bde29afe37f6f75dff540fb",
        "sha256:cafee92d9ca549cf68760129f6ca82f4ccd302c40f73249efb509ac745315243"
    ]
}
```

system:unauthenticated does not include authenticated requests. If you need to make your image publicly available, you need to grant access to system:unauthenticated and system:authenticated. Or you need to pull the image without credentials.
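
The group membership rule stated in the comment above, as a simplified model of RBAC subject matching (an added example, not part of the original thread and not OpenShift's own code). The bindings are constructed samples, and only the bindings listed are evaluated, so any default bindings a real project carries are not modeled.

```python
# Simplified model of RBAC subject matching; not OpenShift's implementation.

# Identity of a request that carries no credentials.
ANONYMOUS = {"user": "system:anonymous", "groups": ["system:unauthenticated"]}

def service_account_identity(namespace, name):
    """Identity assigned to a request with a valid service account token."""
    return {
        "user": f"system:serviceaccount:{namespace}:{name}",
        "groups": [
            "system:serviceaccounts",
            f"system:serviceaccounts:{namespace}",
            "system:authenticated",
        ],
    }

def subject_matches(subject, identity):
    """True if one RoleBinding subject refers to the given identity."""
    if subject["kind"] == "User":
        return subject["name"] == identity["user"]
    if subject["kind"] == "Group":
        return subject["name"] in identity["groups"]
    if subject["kind"] == "ServiceAccount":
        sa = f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
        return sa == identity["user"]
    return False

def roles_for(bindings, identity, namespace):
    """Roles the identity holds in a namespace through the listed bindings."""
    return {
        b["role"] for b in bindings
        if b["namespace"] == namespace
        and any(subject_matches(s, identity) for s in b["subjects"])
    }

# Constructed sample: the binding created by the command in step 2.
AS_REPORTED = [{"namespace": "pj1", "role": "registry-admin",
                "subjects": [{"kind": "User", "name": "system:anonymous"}]}]
# Constructed sample: the same role bound to both groups named in the comment.
BOTH_GROUPS = [{"namespace": "pj1", "role": "registry-admin",
                "subjects": [{"kind": "Group", "name": "system:unauthenticated"},
                             {"kind": "Group", "name": "system:authenticated"}]}]

if __name__ == "__main__":
    sa = service_account_identity("pj1", "default")
    for label, bindings in (("as reported", AS_REPORTED), ("both groups", BOTH_GROUPS)):
        print(label, roles_for(bindings, ANONYMOUS, "pj1"), roles_for(bindings, sa, "pj1"))
```

Binding registry-admin to both groups gives every caller, anonymous or not, admin rights on the project's image streams; if the goal is only public pulls, a read-only role is enough.
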
Hi Oleg,
But the registry-admin role has been assigned to the user as in comment #0, so the user can have read rights on the images at least; it works in versions below 4.10.