Using Personal Access tokens to access Container Registry is an insecure approach to pull images down to a team's cluster.

Reposting from here as a new issue: https://gitlab.com/gitlab-org/gitlab-ce/issues/19219#note_38448358

Using personal access tokens isn't good enough. It doesn't grant access per repository; it grants anybody with the token access to every image across any repository I can read from.

I have my personal private repositories, alongside team private repositories. If I use one of these tokens in order to grant read repository access to Kubernetes, the cluster can pull down any image I have. All you have to do is change the image URL.

I think it's a fair concern, as I don't want the team to have all my personal projects at their fingertips.

Also, for anybody struggling with creating the secret, you only need the auth key.

```yaml
kind: Secret
apiVersion: v1
type: kubernetes.io/dockercfg
metadata:
  name: your-secret-name
data:
  .dockercfg: base64xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
  # decoded value
  # {"registry.gitlab.com":{"auth":"your-token-found-in-your-docker-config.json"}}

  # steps to create base64 value:
  # 1. docker login registry.gitlab.com
  # 2. cat ~/.docker/config.json # and copy the token for gitlab
  # 3. echo -n '{"registry.gitlab.com":{"auth":"your-token-found-in-your-docker-config.json"}}' | base64 -w0
  # 4. paste base64 into the .dockercfg field like above
  # 5. kubectl apply -f this-file-secret.yaml
```
Edited by Daniel Sont
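The five manual steps above, as an added example script (not part of the original issue or of GitLab's tooling): it pulls the `auth` entry for one registry out of a `~/.docker/config.json`, wraps only that registry into a `.dockercfg` Secret, and decodes a `.dockercfg` value so you can check which registries a secret actually carries before handing it to a cluster. The sample config and the `auth` values in it are constructed placeholders, and the manifest/secret names are assumptions. Note that this only narrows which registries the secret mentions; the token inside it still has whatever scope `docker login` used, which is exactly the concern raised in the issue.

```python
import base64
import json

# Constructed sample ~/.docker/config.json (the "auth" values are made-up
# placeholders: base64 of "user:fake-token" and "other:secret", not real credentials).
SAMPLE_DOCKER_CONFIG = json.dumps({
    "auths": {
        "registry.gitlab.com": {"auth": "dXNlcjpmYWtlLXRva2Vu"},
        "https://index.docker.io/v1/": {"auth": "b3RoZXI6c2VjcmV0"},
    }
})


def extract_auth(docker_config: str, registry: str) -> str:
    """Return the base64 'auth' entry for one registry from a docker config.json."""
    auths = json.loads(docker_config).get("auths", {})
    entry = auths.get(registry, {})
    if "auth" not in entry:
        raise KeyError(f"no auth entry for {registry}; run 'docker login {registry}' first")
    return entry["auth"]


def encode_dockercfg(registry: str, auth: str) -> str:
    """Build the legacy .dockercfg JSON for a single registry and base64-encode it."""
    dockercfg = json.dumps({registry: {"auth": auth}}, separators=(",", ":"))
    return base64.b64encode(dockercfg.encode()).decode()


def build_dockercfg_secret(docker_config: str, registry: str, name: str) -> str:
    """Render a kubernetes.io/dockercfg Secret manifest that carries only `registry`."""
    encoded = encode_dockercfg(registry, extract_auth(docker_config, registry))
    return "\n".join([
        "kind: Secret",
        "apiVersion: v1",
        "type: kubernetes.io/dockercfg",
        "metadata:",
        f"  name: {name}",
        "data:",
        f"  .dockercfg: {encoded}",
    ]) + "\n"


def registries_in_dockercfg(encoded: str) -> list:
    """Decode a .dockercfg value and list the registries it grants credentials for.

    Use this to verify a secret does not also ship credentials for registries the
    cluster has no business reaching (e.g. a personal Docker Hub login)."""
    return sorted(json.loads(base64.b64decode(encoded)).keys())


if __name__ == "__main__":
    # Example: read the real file with open(os.path.expanduser("~/.docker/config.json")).read()
    print(build_dockercfg_secret(SAMPLE_DOCKER_CONFIG, "registry.gitlab.com", "gitlab-pull"))
```

Pipe the output into `kubectl apply -f -` once the decoded registry list looks right.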