Allowing external guest account to pull docker images from the registry
What does this MR do and why?
Problem
External guest users cannot browse or pull images from the container registry in internal projects even if the container registry is enabled for everyone with access.
Solution
In this MR, the read_container_image ability is granted to the external guest users on non-private projects if the container registry is enabled for everyone with access.
How to set up and validate locally
- Use a project with the container registry enabled.
- Have at least one container available in the registry for the project or push an image to test with.
- Set project visibility to internal.
- Set registry visibility to Everyone with access.
- Create a user with the account type external.
- Add the user to the project as a guest.
- Impersonate or log in with the guest account and try to access the project's container registry.
- You can access the image in the project's container registry as an external guest.
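The rule from the Solution section and the cases the validation steps exercise, modelled as a before/after decision table for an external user who is a guest member. This is an added example, not GitLab's policy code. The function names, the registry level symbols, and the decisions for the disabled, members-only and public cells are assumptions not stated in this MR.

```ruby
# Added model of the rule in this MR; not GitLab's policy code.
VISIBILITIES = %i[private internal public].freeze
# Assumed names for: disabled, "Only project members", "Everyone with access".
REGISTRY_LEVELS = %i[disabled members_only everyone].freeze

# Would an external user who is a guest member get read_container_image?
# fixed: false models the Problem section, fixed: true the behaviour after the MR.
def read_container_image?(visibility:, registry:, fixed:)
  raise ArgumentError, "visibility: #{visibility}" unless VISIBILITIES.include?(visibility)
  raise ArgumentError, "registry: #{registry}" unless REGISTRY_LEVELS.include?(registry)

  # Assumption: a disabled or members-only registry gives a guest nothing.
  return false unless registry == :everyone
  # Private projects fall outside the MR's "non-private" condition.
  return false if visibility == :private
  # Internal projects: denied before the MR, granted after (stated on the page).
  return fixed if visibility == :internal

  true # Assumption: public projects were already readable before the MR.
end

# Every (visibility, registry) cell with its decision before and after.
def access_matrix
  VISIBILITIES.product(REGISTRY_LEVELS).map do |vis, reg|
    { visibility: vis, registry: reg,
      before: read_container_image?(visibility: vis, registry: reg, fixed: false),
      after: read_container_image?(visibility: vis, registry: reg, fixed: true) }
  end
end

# Cells whose decision the MR changes; a reviewer should expect exactly one.
def changed_cells
  access_matrix.reject { |c| c[:before] == c[:after] }
end

# Changes that revoke access, touch private projects or a restricted registry.
def unexpected_changes
  changed_cells.reject do |c|
    c[:after] && c[:visibility] != :private && c[:registry] == :everyone
  end
end

if __FILE__ == $PROGRAM_NAME
  access_matrix.each do |c|
    mark = c[:before] == c[:after] ? " " : "*"
    puts format("%s %-8s %-12s before=%-5s after=%s", mark, *c.values)
  end
end
```

The same matrix doubles as a checklist for the manual steps: repeat the pull attempt with the project set to private and with the registry limited to project members to confirm those cells stay denied.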
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #383718 (closed)
Edited by Moaz Khalifa