
Allowing external guest account to pull docker images from the registry

What does this MR do and why?

Problem

External guest users cannot browse or pull images from the container registry in internal projects even if the container registry is enabled for everyone with access.

Solution

In this MR, the read_container_image ability is granted to the external guest users on non-private projects if the container registry is enabled for everyone with access.

How to set up and validate locally

  1. Use a project with the container registry enabled.
  2. Have at least one container available in the registry for the project or push an image to test with.
  3. Set project visibility to internal.
  4. Set registry visibility to Everyone with access.
  5. Create a user with the account type external.
  6. Add the user to the project as a guest.
  7. Impersonate or log in with the guest account and try to access the project's container registry.
  8. You can access the image in the project's container registry as an external guest.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #383718 (closed)

Edited by Moaz Khalifa
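
The rule from the Solution section, evaluated over every combination of project visibility and registry setting so the cases that must stay denied are visible. This is an added illustration, not code from the merge request or from GitLab; the struct, function and symbol names are hypothetical.

```ruby
# Illustrative model only: not GitLab's policy code. All names are hypothetical.
Project = Struct.new(:visibility, :registry_access, keyword_init: true)
User    = Struct.new(:external, :role, keyword_init: true) # role is nil for non-members

# The rule as the MR description states it: an external user who is a guest
# member may read container images when the project is not private and the
# registry is enabled for everyone with access.
def external_guest_can_read_image?(user, project)
  return false unless user.external && user.role == :guest
  return false if project.visibility == :private

  project.registry_access == :everyone_with_access
end

# Evaluate the rule for every combination so an over-grant would stand out.
def decision_matrix
  visibilities = %i[private internal public]
  registry     = %i[disabled project_members everyone_with_access]
  users = {
    external_guest:      User.new(external: true, role: :guest),
    external_non_member: User.new(external: true, role: nil)
  }
  visibilities.product(registry, users.keys).to_h do |vis, reg, who|
    project = Project.new(visibility: vis, registry_access: reg)
    [[vis, reg, who], external_guest_can_read_image?(users[who], project)]
  end
end

# Only the combinations the rule allows; everything else must remain denied.
def granted_cases
  decision_matrix.select { |_, allowed| allowed }.keys
end

if __FILE__ == $PROGRAM_NAME
  decision_matrix.each do |(vis, reg, who), ok|
    puts format('%-9s %-21s %-20s %s', vis, reg, who, ok ? 'ALLOW' : 'deny')
  end
end
```

When validating locally, the deny rows are worth checking alongside step 8: repeating the steps with a private project or a restricted registry setting should not expose the image through this rule.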
