Deploy token fails to pull image when a project is public and the Container Registry is set to "Only Project Members"
Reproduction steps: Set up a project with:
- Project visibility: Public
- Container registry: Only Project Members
Then under "Repository", create a Deploy Token with read_registry scope access and add it as a secret to your Kubernetes cluster. Then try to use this secret with a deployment, etc.
Actual behaviour:
Failed to pull image "...": rpc error: code = Unknown desc = failed to pull and unpack image "...": failed to resolve reference "...": pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed
and the pod remains in ImagePullBackOff
Expected behaviour: The image should pull successfully.
Workaround:
- Option 1: Changing the project visibility to Private makes image pulling work again (but this means the repository is then not public like you want).
- Option 2: Use a different token with registry access, such as a project access token or a personal access token (but be mindful of the security implications of personal access tokens!)
Affected version: 15.7.3
Edited by Hordur Freyr Yngvason
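To tell a credential problem from the scope problem reported above, you can inspect the registry token GitLab issues for the deploy token. This is an added diagnostic example, not part of the original report or GitLab's own code. It assumes the token comes from GitLab's `/jwt/auth` endpoint and follows the Docker registry token format with an `access` claim; the host `gitlab.example.com`, the path `group/project` and the sample tokens are constructed placeholders.

```python
import base64
import json
import urllib.parse
import urllib.request

def auth_url(gitlab_host, repo_path, action="pull"):
    """Token endpoint URL a registry client requests for this repository."""
    query = urllib.parse.urlencode({
        "service": "container_registry",
        "scope": f"repository:{repo_path}:{action}",
    })
    return f"https://{gitlab_host}/jwt/auth?{query}"

def fetch_token(gitlab_host, repo_path, username, deploy_token):
    """Request a registry token with the deploy token as basic-auth credentials."""
    req = urllib.request.Request(auth_url(gitlab_host, repo_path))
    basic = base64.b64encode(f"{username}:{deploy_token}".encode()).decode()
    req.add_header("Authorization", f"Basic {basic}")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["token"]

def granted_actions(jwt, repo_path):
    """Return the actions the token grants on repo_path.
    The signature is NOT verified; this is for diagnosis only."""
    payload_b64 = jwt.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore stripped padding
    claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    actions = set()
    for entry in claims.get("access") or []:
        if entry.get("type") == "repository" and entry.get("name") == repo_path:
            actions.update(entry.get("actions", []))
    return actions

def _constructed_jwt(access):
    """Build an unsigned sample token (constructed test data, not a real token)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'access': access})}.sig"

REPO = "group/project"  # placeholder project path
DENIED = _constructed_jwt([])  # token issued, but no pull access granted
ALLOWED = _constructed_jwt([{"type": "repository", "name": REPO, "actions": ["pull"]}])

if __name__ == "__main__":
    for label, tok in (("denied", DENIED), ("allowed", ALLOWED)):
        print(label, "pull granted:", "pull" in granted_actions(tok, REPO))
```

Against a real instance, pass the result of `fetch_token(...)` to `granted_actions(...)`: a token that is issued but grants no `pull` action means the credentials were accepted and the denial is at the authorization step.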