Valentin, can you take a look at this please?

Valentin, ignore this, I think this is a CRIO issue and will send it to the node team to look at.

I believe this is a kind of duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1975976#c4

basically, this has to do with the interaction between ISCP and the node's policy.json. ICSP only configures the node's registries.conf (showing what registries mirror to what) but don't specify how one is supposed to interact with such registries (authenticated, blocked, always allowed).

I am going to reassign to Qi, as this is more in her perview, but this reads as a feature request to me.

This is not #1975956 , which deals with the "blocked" flag and mirrors.

This is a known and, AFAIK, documented limitation of ICSP: The CRI only allows providing one set of credentials, so any Pod pull secrets for the mirrors are invisible to CRI-O.

A fix is tracked e.g. in https://issues.redhat.com/browse/RFE-1956 , which links to a few other work items. There might well be other bugs / issues referring to this.

(In reply to Miloslav Trmač from comment #4)
> This is not #1975956 , which deals with the "blocked" flag and mirrors.
> 
> This is a known and, AFAIK, documented limitation of ICSP: The CRI only
> allows providing one set of credentials, so any Pod pull secrets for the
> mirrors are invisible to CRI-O.
> 
> A fix is tracked e.g. in https://issues.redhat.com/browse/RFE-1956 , which
> links to a few other work items. There might well be other bugs / issues
> referring to this.

Thanks for letting me know, in that case I believe it makes sense to close this BZ and to track the RFE-1956.
Updated the relevant Solution: https://access.redhat.com/solutions/6540591