-
Notifications
You must be signed in to change notification settings - Fork 38.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix Azure Container Registry anonymous repo image pull error #74715
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -206,6 +206,13 @@ func (a *acrProvider) Provide() credentialprovider.DockerConfig { | |
cfg[url] = *cred | ||
} | ||
} | ||
|
||
// add ACR anonymous repo support: use empty username and password for anonymous access | ||
cfg["*.azurecr.*"] = credentialprovider.DockerConfigEntry{ | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. What's the order of trying the matching? Will it always first try the empty user name one, or always the SP one? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. @yuwaMSFT2 good question, now it's this order: ".azurecr.io", ".azurecr.*", which means use SP first, and then empty username/password, SP first should be the better choice in a long period. |
||
Username: "", | ||
Password: "", | ||
Email: dummyRegistryEmail, | ||
} | ||
return cfg | ||
} | ||
|
||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What all does this match? does this match "foo.azurecr.bar.com" ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@sivagms Yes, it match, but I think it does not matter since if user use private repo, suppose they should provide pull image secret by themselves.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That’s a bit scary. Some malicious user can just change the registry name in the chart to receive the AKS SP and password
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
currently the matching patterns are like following:
( *. azurecr.io, SP) ( *. azurecr.cn, SP) ( * . azurecr . * , empty password)
Per offline discussion, it's safe
Thanks for the good point!