Cannot pull container images from internal project container registry
### Summary
After upgrading from GitLab 18.10.2 to 18.11.0, CI/CD jobs can no longer pull container images from **internal** projects using `CI_JOB_TOKEN`, even when the source project's Container Registry visibility is set to **"Everyone with access"**. The setup worked correctly on 18.10.2 without any configuration changes.
### Steps to reproduce
1. Have two projects on a self-managed GitLab instance, one private (project A), second one set to internal (project B)
2. Project B has images in its Container Registry with visibility set to **Everyone with access**
3. Project A has a CI/CD job that pulls an image from Project B's registry using `CI_JOB_TOKEN`
4. Upgrade GitLab from 18.10 to 18.11
5. Run a pipeline in Project A
### What is the current *bug* behavior?
The CI job fails with:
```
ERROR: Job failed: failed to pull image "REMOVED" with specified policies [always]: Error response from daemon: pull access denied for REMOVED, repository does not exist or may require 'docker login': denied: requested access to the resource is denied (manager.go:238:0s)
```
### What is the expected *correct* behavior?
The CI job should be able to pull the image as it did in 18.10, without requiring any allowlist configuration, because:
- Source container image project is `internal`
- Container Registry visibility is set to `Everyone with access`
- The job token has the same permissions as the user who triggered the job
#### Results of GitLab environment info
<!-- Input any relevant GitLab environment information if needed. -->
<details>
<summary>Expand for output related to GitLab environment info</summary>
<pre>
System information
System: Ubuntu 24.04
Current User: git
Using RVM: no
Ruby Version: 3.3.10
Gem Version: 3.7.1
Bundler Version:2.7.1
Rake Version: 13.0.6
Redis Version: 7.2.11
Sidekiq Version:7.3.9
Go Version: unknown
GitLab information
Version: 18.11.0
Revision: e4bc34c0d7a
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 17.8
URL: https://MASKED
HTTP Clone URL: https://MASKED/some-group/some-project.git
SSH Clone URL: git@MASKED:some-group/some-project.git
Using LDAP: no
Using Omniauth: yes
Omniauth Providers:
GitLab Shell
Version: 14.49.0
Repository storages:
- default: unix:/var/opt/gitlab/gitaly/gitaly.socket
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
Gitaly
- default Address: unix:/var/opt/gitlab/gitaly/gitaly.socket
- default Version: 18.11.0
- default Git Version: 2.53.ge417bf2
</pre>
</details>
#### Results of GitLab application Check
<details>
<summary>Expand for output related to the GitLab application check</summary>
<pre>
Checking GitLab subtasks ...
Checking GitLab Shell ...
GitLab Shell: ... GitLab Shell version >= 14.49.0 ? ... OK (14.49.0)
Running /opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell-check
Internal API available: OK
Redis available via internal API: OK
gitlab-shell self-check successful
Checking GitLab Shell ... Finished
Checking Gitaly ...
Gitaly: ... default ... OK
Checking Gitaly ... Finished
Checking Sidekiq ...
Sidekiq: ... Running? ... yes
Number of Sidekiq processes (cluster/worker) ... 1/1
Checking Sidekiq ... Finished
Checking Incoming Email ...
Incoming Email: ... Reply by email is disabled in config/gitlab.yml
Checking Incoming Email ... Finished
Checking LDAP ...
LDAP: ... LDAP is disabled in config/gitlab.yml
Checking LDAP ... Finished
Checking GitLab App ...
Database config exists? ... yes
Tables are truncated? ... skipped
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Cable config exists? ... yes
Resque config exists? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... yes
Systemd unit files or init script exist? ... skipped (omnibus-gitlab has neither init script nor systemd units)
Systemd unit files or init script up-to-date? ... skipped (omnibus-gitlab has neither init script nor systemd units)
Projects have namespace: ...
4/28 ... yes
4/29 ... yes
4/30 ... yes
4/31 ... yes
4/32 ... yes
4/33 ... yes
4/34 ... yes
4/35 ... yes
4/36 ... yes
4/37 ... yes
4/38 ... yes
4/39 ... yes
4/40 ... yes
4/41 ... yes
4/42 ... yes
4/43 ... yes
4/44 ... yes
4/45 ... yes
4/46 ... yes
4/47 ... yes
4/48 ... yes
4/49 ... yes
4/50 ... yes
4/51 ... yes
4/52 ... yes
4/53 ... yes
4/54 ... yes
4/55 ... yes
4/56 ... yes
4/57 ... yes
4/59 ... yes
4/60 ... yes
4/61 ... yes
4/62 ... yes
4/63 ... yes
4/64 ... yes
4/65 ... yes
4/66 ... yes
4/67 ... yes
4/68 ... yes
4/69 ... yes
4/70 ... yes
4/71 ... yes
4/72 ... yes
4/73 ... yes
4/74 ... yes
4/75 ... yes
4/76 ... yes
4/77 ... yes
4/78 ... yes
4/79 ... yes
4/80 ... yes
4/81 ... yes
4/89 ... yes
4/90 ... yes
4/91 ... yes
4/92 ... yes
4/93 ... yes
4/94 ... yes
4/95 ... yes
4/96 ... yes
4/97 ... yes
4/98 ... yes
4/99 ... yes
4/100 ... yes
4/101 ... yes
4/102 ... yes
4/104 ... yes
4/105 ... yes
4/106 ... yes
4/107 ... yes
4/108 ... yes
4/109 ... yes
4/110 ... yes
4/111 ... yes
4/112 ... yes
12/113 ... yes
4/114 ... yes
4/115 ... yes
4/116 ... yes
4/117 ... yes
4/118 ... yes
4/119 ... yes
4/120 ... yes
4/121 ... yes
4/122 ... yes
4/123 ... yes
4/124 ... yes
4/125 ... yes
4/126 ... yes
4/127 ... yes
4/128 ... yes
4/129 ... yes
23/130 ... yes
4/131 ... yes
4/132 ... yes
4/133 ... yes
4/134 ... yes
4/136 ... yes
45/137 ... yes
4/138 ... yes
4/139 ... yes
4/140 ... yes
4/141 ... yes
4/142 ... yes
4/143 ... yes
4/144 ... yes
4/145 ... yes
4/146 ... yes
4/148 ... yes
45/149 ... yes
4/150 ... yes
12/151 ... yes
4/152 ... yes
4/153 ... yes
4/154 ... yes
4/155 ... yes
4/156 ... yes
4/157 ... yes
45/159 ... yes
4/161 ... yes
4/162 ... yes
4/163 ... yes
4/164 ... yes
4/165 ... yes
4/166 ... yes
4/167 ... yes
4/168 ... yes
45/169 ... yes
4/170 ... yes
4/171 ... yes
4/172 ... yes
4/173 ... yes
4/174 ... yes
4/175 ... yes
4/176 ... yes
4/177 ... yes
23/178 ... yes
4/180 ... yes
4/181 ... yes
23/183 ... yes
4/184 ... yes
4/185 ... yes
23/187 ... yes
4/188 ... yes
4/189 ... yes
4/190 ... yes
4/191 ... yes
4/192 ... yes
45/193 ... yes
4/194 ... yes
4/195 ... yes
4/196 ... yes
4/197 ... yes
4/199 ... yes
4/200 ... yes
4/201 ... yes
4/203 ... yes
81/205 ... yes
81/206 ... yes
81/207 ... yes
81/208 ... yes
4/209 ... yes
84/210 ... yes
81/211 ... yes
4/212 ... yes
4/213 ... yes
4/214 ... yes
4/215 ... yes
87/216 ... yes
87/217 ... yes
50/218 ... yes
4/219 ... yes
4/220 ... yes
4/221 ... yes
16/222 ... yes
4/223 ... yes
4/224 ... yes
91/225 ... yes
91/226 ... yes
91/227 ... yes
91/228 ... yes
92/229 ... yes
4/230 ... yes
84/231 ... yes
87/232 ... yes
45/233 ... yes
4/234 ... yes
4/235 ... yes
4/236 ... yes
81/237 ... yes
4/238 ... yes
4/239 ... yes
97/241 ... yes
98/242 ... yes
98/243 ... yes
98/244 ... yes
98/245 ... yes
98/246 ... yes
98/247 ... yes
98/248 ... yes
97/249 ... yes
97/250 ... yes
4/251 ... yes
4/252 ... yes
97/253 ... yes
97/254 ... yes
4/255 ... yes
4/256 ... yes
15/257 ... yes
4/258 ... yes
4/259 ... yes
50/261 ... yes
97/262 ... yes
4/263 ... yes
4/264 ... yes
4/265 ... yes
104/266 ... yes
104/267 ... yes
19/269 ... yes
4/270 ... yes
82/272 ... yes
4/273 ... yes
4/274 ... yes
97/275 ... yes
97/276 ... yes
4/277 ... yes
4/278 ... yes
110/279 ... yes
120/281 ... yes
120/282 ... yes
120/283 ... yes
120/284 ... yes
4/285 ... yes
123/286 ... yes
123/287 ... yes
4/288 ... yes
4/289 ... yes
1145/290 ... yes
125/291 ... yes
126/293 ... yes
4/294 ... yes
125/295 ... yes
125/296 ... yes
4/297 ... yes
4/298 ... yes
4/299 ... yes
129/300 ... yes
4/301 ... yes
4/303 ... yes
4/304 ... yes
82/305 ... yes
4/306 ... yes
125/307 ... yes
132/308 ... yes
129/309 ... yes
129/310 ... yes
4/311 ... yes
129/312 ... yes
4/313 ... yes
129/314 ... yes
4/315 ... yes
129/316 ... yes
125/317 ... yes
133/318 ... yes
75/320 ... yes
560/322 ... yes
125/323 ... yes
4/325 ... yes
133/326 ... yes
125/327 ... yes
4/328 ... yes
125/331 ... yes
129/332 ... yes
125/333 ... yes
125/334 ... yes
4/335 ... yes
125/336 ... yes
81/338 ... yes
4/340 ... yes
4/341 ... yes
135/343 ... yes
4/344 ... yes
140/345 ... yes
142/347 ... yes
4/348 ... yes
140/349 ... yes
135/350 ... yes
4/351 ... yes
4/352 ... yes
123/353 ... yes
148/354 ... yes
4/355 ... yes
148/357 ... yes
140/358 ... yes
148/360 ... yes
139/361 ... yes
719/362 ... yes
123/363 ... yes
123/364 ... yes
123/365 ... yes
4/367 ... yes
148/368 ... yes
142/369 ... yes
1145/370 ... yes
140/371 ... yes
47/372 ... yes
135/373 ... yes
142/374 ... yes
140/375 ... yes
135/376 ... yes
75/377 ... yes
719/378 ... yes
719/379 ... yes
165/380 ... yes
165/381 ... yes
125/384 ... yes
125/385 ... yes
125/386 ... yes
125/387 ... yes
719/388 ... yes
125/389 ... yes
550/390 ... yes
506/391 ... yes
508/392 ... yes
508/393 ... yes
506/395 ... yes
506/396 ... yes
515/397 ... yes
4/398 ... yes
518/399 ... yes
135/400 ... yes
135/401 ... yes
526/403 ... yes
506/404 ... yes
550/405 ... yes
142/406 ... yes
125/407 ... yes
544/408 ... yes
544/409 ... yes
544/410 ... yes
544/411 ... yes
544/412 ... yes
544/413 ... yes
4/414 ... yes
125/415 ... yes
560/416 ... yes
544/417 ... yes
557/418 ... yes
557/419 ... yes
561/420 ... yes
561/421 ... yes
557/423 ... yes
719/424 ... yes
125/426 ... yes
125/427 ... yes
573/428 ... yes
573/429 ... yes
576/430 ... yes
576/431 ... yes
576/432 ... yes
581/433 ... yes
581/434 ... yes
586/436 ... yes
125/437 ... yes
590/438 ... yes
600/439 ... yes
586/440 ... yes
595/441 ... yes
595/442 ... yes
595/443 ... yes
595/444 ... yes
600/445 ... yes
595/446 ... yes
600/447 ... yes
600/448 ... yes
125/449 ... yes
600/450 ... yes
125/451 ... yes
557/452 ... yes
550/454 ... yes
142/455 ... yes
594/456 ... yes
617/458 ... yes
557/459 ... yes
550/461 ... yes
600/462 ... yes
125/464 ... yes
550/465 ... yes
590/466 ... yes
594/467 ... yes
142/468 ... yes
81/469 ... yes
4/470 ... yes
550/472 ... yes
550/473 ... yes
557/474 ... yes
557/475 ... yes
550/476 ... yes
148/477 ... yes
506/479 ... yes
716/480 ... yes
142/496 ... yes
4/507 ... yes
550/508 ... yes
550/510 ... yes
586/525 ... yes
557/526 ... yes
544/527 ... yes
557/533 ... yes
716/542 ... yes
719/544 ... yes
719/546 ... yes
550/547 ... yes
550/548 ... yes
550/549 ... yes
140/557 ... yes
125/558 ... yes
586/560 ... yes
716/561 ... yes
140/562 ... yes
594/563 ... yes
749/566 ... yes
749/581 ... yes
749/582 ... yes
719/583 ... yes
557/584 ... yes
550/585 ... yes
736/586 ... yes
736/587 ... yes
140/592 ... yes
140/593 ... yes
800/610 ... yes
800/611 ... yes
4/612 ... yes
148/613 ... yes
148/614 ... yes
800/615 ... yes
808/616 ... yes
800/617 ... yes
808/618 ... yes
4/620 ... yes
4/621 ... yes
800/622 ... yes
104/623 ... yes
817/624 ... yes
557/625 ... yes
716/626 ... yes
823/627 ... yes
716/628 ... yes
716/629 ... yes
716/630 ... yes
827/631 ... yes
125/635 ... yes
602/636 ... yes
723/637 ... yes
834/640 ... yes
827/644 ... yes
827/645 ... yes
140/646 ... yes
800/647 ... yes
4/648 ... yes
847/649 ... yes
557/652 ... yes
834/656 ... yes
550/657 ... yes
148/658 ... yes
125/660 ... yes
834/661 ... yes
808/663 ... yes
864/664 ... yes
808/665 ... yes
808/666 ... yes
808/667 ... yes
808/668 ... yes
877/670 ... yes
723/671 ... yes
880/672 ... yes
882/676 ... yes
882/678 ... yes
882/679 ... yes
125/680 ... yes
723/683 ... yes
834/684 ... yes
871/685 ... yes
602/686 ... yes
602/687 ... yes
902/688 ... yes
140/689 ... yes
140/690 ... yes
135/691 ... yes
907/692 ... yes
716/693 ... yes
716/694 ... yes
716/695 ... yes
586/696 ... yes
880/700 ... yes
880/701 ... yes
104/702 ... yes
515/703 ... yes
140/704 ... yes
142/705 ... yes
140/706 ... yes
140/707 ... yes
880/708 ... yes
716/709 ... yes
716/710 ... yes
140/711 ... yes
135/712 ... yes
148/713 ... yes
864/714 ... yes
938/715 ... yes
748/716 ... yes
650/726 ... yes
650/727 ... yes
952/728 ... yes
557/735 ... yes
952/738 ... yes
952/739 ... yes
880/740 ... yes
969/741 ... yes
716/742 ... yes
550/744 ... yes
140/745 ... yes
550/746 ... yes
650/750 ... yes
650/751 ... yes
982/752 ... yes
982/753 ... yes
982/754 ... yes
557/755 ... yes
990/756 ... yes
125/761 ... yes
1002/766 ... yes
1002/767 ... yes
1002/768 ... yes
1002/769 ... yes
1002/770 ... yes
142/771 ... yes
723/772 ... yes
4/773 ... yes
1013/774 ... yes
594/775 ... yes
557/776 ... yes
864/777 ... yes
4/778 ... yes
1022/779 ... yes
140/780 ... yes
140/781 ... yes
557/782 ... yes
1030/783 ... yes
135/784 ... yes
104/785 ... yes
748/786 ... yes
594/787 ... yes
1030/803 ... yes
1030/804 ... yes
140/805 ... yes
1013/806 ... yes
1013/807 ... yes
1013/808 ... yes
1061/809 ... yes
586/810 ... yes
15/811 ... yes
4/812 ... yes
1002/813 ... yes
557/814 ... yes
594/815 ... yes
544/816 ... yes
557/817 ... yes
900/818 ... yes
650/819 ... yes
1082/820 ... yes
1082/821 ... yes
1085/822 ... yes
550/823 ... yes
557/824 ... yes
1030/825 ... yes
1061/826 ... yes
650/830 ... yes
650/831 ... yes
743/832 ... yes
650/833 ... yes
650/834 ... yes
557/835 ... yes
1100/836 ... yes
1013/837 ... yes
125/838 ... yes
716/839 ... yes
142/840 ... yes
1002/841 ... yes
1107/842 ... yes
748/843 ... yes
1002/844 ... yes
557/845 ... yes
1030/847 ... yes
140/848 ... yes
586/849 ... yes
1061/850 ... yes
716/851 ... yes
716/852 ... yes
1127/853 ... yes
1127/854 ... yes
125/855 ... yes
1107/856 ... yes
140/857 ... yes
1107/858 ... yes
594/859 ... yes
125/860 ... yes
1145/861 ... yes
140/862 ... yes
148/863 ... yes
982/864 ... yes
1151/865 ... yes
1151/866 ... yes
1151/867 ... yes
19/868 ... yes
81/869 ... yes
716/870 ... yes
748/872 ... yes
1100/874 ... yes
1162/875 ... yes
1162/876 ... yes
1013/877 ... yes
1166/878 ... yes
594/879 ... yes
748/880 ... yes
140/881 ... yes
586/883 ... yes
594/884 ... yes
142/885 ... yes
1166/890 ... yes
594/892 ... yes
140/893 ... yes
142/894 ... yes
1166/895 ... yes
1166/896 ... yes
1192/897 ... yes
1192/898 ... yes
1195/899 ... yes
586/900 ... yes
125/901 ... yes
1126/902 ... yes
1200/903 ... yes
1166/904 ... yes
1100/905 ... yes
1100/906 ... yes
594/907 ... yes
140/908 ... yes
81/909 ... yes
1013/912 ... yes
135/913 ... yes
1221/914 ... yes
557/915 ... yes
550/916 ... yes
550/917 ... yes
1166/918 ... yes
550/919 ... yes
871/920 ... yes
1230/921 ... yes
142/922 ... yes
140/923 ... yes
1100/924 ... yes
125/925 ... yes
1230/926 ... yes
1230/927 ... yes
125/928 ... yes
1241/929 ... yes
1230/930 ... yes
140/931 ... yes
125/932 ... yes
1250/934 ... yes
1250/935 ... yes
1100/936 ... yes
1241/937 ... yes
1013/938 ... yes
140/939 ... yes
140/940 ... yes
140/941 ... yes
1260/943 ... yes
130/944 ... yes
140/945 ... yes
1265/946 ... yes
1265/947 ... yes
557/948 ... yes
1269/949 ... yes
1272/950 ... yes
1272/951 ... yes
140/952 ... yes
1276/953 ... yes
557/954 ... yes
142/955 ... yes
748/956 ... yes
1282/957 ... yes
1282/958 ... yes
1285/959 ... yes
1285/960 ... yes
1282/961 ... yes
1282/962 ... yes
Redis version >= 6.2.14? ... yes
Ruby version >= 3.0.6 ? ... yes (3.3.10)
Git user has default SSH configuration? ... yes
Active users: ... 72
Is authorized keys file accessible? ... yes
GitLab configured to store new projects in hashed storage? ... yes
All projects are in hashed storage? ... yes
Checking GitLab App ... Finished
Checking GitLab subtasks ... Finished
</pre>
</details>
### Possible fixes
Manually add the pulling project to the **CI/CD job token allowlist** of the source project:
**Via UI:** Settings → CI/CD → Job token permissions → add Project A to the allowlist
This appears to be a regression introduced by MR !229560 **"Use prevent_all for job token scope"** (merged ~2026-03-30), which was permanently enabled in 18.11 via the cleanup of feature flag `use_prevent_all_for_job_token_scope` (MR !230399).
The MR replaced the old **deny-list** model for job token scope with a **`prevent_all` + explicit exceptions** (allow-list) model. The stated intent was functional equivalence, but in practice, pulling images from an out-of-scope `internal` project's Container Registry (with `Everyone with access` visibility) stopped working. It appears that `read_container_images` (or the equivalent registry pull permission) for out-of-scope job tokens accessing `internal` projects was not included in the exceptions list.
<!-- If you don't have /label privileges, follow up with an issue comment of `@gitlab-bot label ~"type::bug"` -->
issue