Can't push or pull to registry

Summary

Error when trying to pull or push from registry using project access token or personal access token.

Steps to reproduce

k8s@master-node:~$ docker login registry.MySite.com
Username: k8s
Password:
WARNING! Your password will be stored unencrypted in /home/k8s/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded
k8s@master-node:~$ docker pull Registry.MySite.com/v2/group/group/project/build:latest
Error response from daemon: Get https://Registry.MySite.com/v2/group/group/project/build/manifests/latest: denied: access forbidden
k8s@master-node:~$ docker push Registry.MySite.com/group/group/project/build:test
The push refers to repository [Registry.MySite.com/group/group/project/build]
fd1ee66b9061: Preparing
0d26c19ac5ee: Preparing
2042670800fe: Preparing
33e08d3a058c: Preparing
97d57a09e1fe: Preparing
7c994156cf98: Waiting
26e4b74318a7: Waiting
3740dcce90ca: Waiting
50644c29ef5a: Waiting
denied: access forbidden
k8s@master-node:~$

Example Project

n/a

What is the current bug behavior?

denied: access forbidden

What is the expected correct behavior?

That is gives me access

Howerver this works correctly using CI from my dind worker

$ docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
Login Succeeded
.
.
.
$ docker push $CI_REGISTRY/group/group/project/build:latest
The push refers to repository [Registry.MySite.com/group/group/project/build]
c5977e2dd543: Preparing
2e5ef0da4c8e: Preparing
cb9c9960b86e: Preparing
7ad9cba4fe41: Preparing
ada273a98080: Preparing
e5367b78c3d7: Preparing
26e4b74318a7: Preparing
3740dcce90ca: Preparing
50644c29ef5a: Preparing
26e4b74318a7: Waiting
3740dcce90ca: Waiting
50644c29ef5a: Waiting
e5367b78c3d7: Waiting
c5977e2dd543: Layer already exists
ada273a98080: Layer already exists
7ad9cba4fe41: Layer already exists
cb9c9960b86e: Layer already exists
2e5ef0da4c8e: Layer already exists
e5367b78c3d7: Layer already exists
26e4b74318a7: Layer already exists
3740dcce90ca: Layer already exists
50644c29ef5a: Layer already exists
latest: digest: sha256:23d635b4340a51c31dd9bd421602f158035275f407e760f39e9b354b5c2f82e3 size: 2209
Job succeeded

Relevant logs and/or screenshots

Output of checks

n/a

Results of GitLab environment info

Expand for output related to GitLab environment info

System information
System:         Ubuntu 16.04
Proxy:          no
Current User:   git
Using RVM:      no
Ruby Version:   2.6.6p146
Gem Version:    2.7.10
Bundler Version:1.17.3
Rake Version:   12.3.3
Redis Version:  5.0.9
Git Version:    2.28.0
Sidekiq Version:5.2.9
Go Version:     unknown

GitLab information
Version:        13.4.0-ee
Revision:       e70802d39ca
Directory:      /opt/gitlab/embedded/service/gitlab-rails
DB Adapter:     PostgreSQL
DB Version:     11.7
URL:            https://GitLab.MySite.com
HTTP Clone URL: https://GitLab.MySite.com/some-group/some-project.git
SSH Clone URL:  git@GitLab.MySite.com:some-group/some-project.git
Elasticsearch:  no
Geo:            no
Using LDAP:     no
Using Omniauth: yes
Omniauth Providers:

GitLab Shell
Version:        13.7.0
Repository storage paths:
- default:      /var/opt/gitlab/git-data/repositories
GitLab Shell path:              /opt/gitlab/embedded/service/gitlab-shell
Git:            /opt/gitlab/embedded/bin/git

Results of GitLab application Check

Expand for output related to the GitLab application check

Checking GitLab subtasks ...
Checking GitLab Shell ...
GitLab Shell: ... GitLab Shell version >= 13.7.0 ? ... OK (13.7.0)
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Internal API available: OK
Redis available via internal API: OK
gitlab-shell self-check successful
Checking GitLab Shell ... Finished
Checking Gitaly ...
Gitaly: ... default ... OK
Checking Gitaly ... Finished
Checking Sidekiq ...
Sidekiq: ... Running? ... yes
Number of Sidekiq processes ... 1
Checking Sidekiq ... Finished
Checking Incoming Email ...
Incoming Email: ... Reply by email is disabled in config/gitlab.yml
Checking Incoming Email ... Finished
Checking LDAP ...
LDAP: ... LDAP is disabled in config/gitlab.yml
Checking LDAP ... Finished
Checking GitLab App ...
Git configured correctly? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... yes
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
Projects have namespace: ...
3/2 ... yes
4/3 ... yes
3/5 ... yes
4/6 ... yes
3/7 ... yes
4/8 ... yes
8/9 ... yes
3/10 ... yes
3/11 ... yes
3/12 ... yes
4/13 ... yes
24/14 ... yes
4/15 ... yes
24/16 ... yes
31/17 ... yes
2/18 ... yes
25/19 ... yes
24/20 ... yes
31/21 ... yes
3/22 ... yes
4/23 ... yes
4/24 ... yes
4/25 ... yes
8/26 ... yes
31/27 ... yes
4/28 ... yes
4/29 ... yes
25/30 ... yes
4/31 ... yes
4/32 ... yes
4/33 ... yes
31/34 ... yes
2/35 ... yes
8/36 ... yes
4/37 ... yes
3/38 ... yes
Redis version >= 4.0.0? ... yes
Ruby version >= 2.5.3 ? ... yes (2.6.6)
Git version >= 2.24.0 ? ... yes (2.28.0)
Git user has default SSH configuration? ... yes
Active users: ... 19
Is authorized keys file accessible? ... yes
GitLab configured to store new projects in hashed storage? ... yes
All projects are in hashed storage? ... yes
Elasticsearch version 6.x - 7.x? ... skipped (elasticsearch is disabled)
Checking GitLab App ... Finished
Checking GitLab subtasks ... Finished

Possible fixes