From e64b0116cfae2a6bb6eee0c69b569e94f0b81600 Mon Sep 17 00:00:00 2001 From: Steve Azzopardi Date: Tue, 6 Nov 2018 13:24:11 +0100 Subject: Emphasis the importance of auth registry The container registry requires the `auth` config to be set up properly or users will be able to download images that they are not authorized to do so. For example https://gitlab.com/gitlab-org/gitlab-runner/issues/3652 --- doc/administration/container_registry.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/doc/administration/container_registry.md b/doc/administration/container_registry.md index 890b780fe80..cfe7b0e05e3 100644 --- a/doc/administration/container_registry.md +++ b/doc/administration/container_registry.md @@ -71,7 +71,7 @@ A Registry init file is not shipped with GitLab if you install it from source. Hence, [restarting GitLab][restart gitlab] will not restart the Registry should you modify its settings. Read the upstream documentation on how to achieve that. -At the absolute minimum, make sure your [Registry configuration][registry-auth] +At the **absolute** minimum, make sure your [Registry configuration][registry-auth] has `container_registry` as the service and `https://gitlab.example.com/jwt/auth` as the realm: @@ -84,6 +84,9 @@ auth: rootcertbundle: /root/certs/certbundle ``` +CAUTION: **Caution:** +If `auth` is not set up, users will be able to pull docker images without authentication. + ## Container Registry domain configuration There are two ways you can configure the Registry's external domain. -- cgit v1.2.1
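Review bot: in the first hunk (`@@ -71,7 +71,7 @@`), bolding "absolute" in "At the **absolute** minimum, make sure your [Registry configuration][registry-auth]" adds emphasis but still gives the reader no reason at the point where the requirement is stated. The consequence only appears after the YAML example, in the caution added by the second hunk. Consider stating the consequence in this sentence, or dropping the bold and letting the caution block carry the warning on its own.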
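Review bot: in the second hunk (`@@ -84,6 +84,9 @@`), the added sentence "If `auth` is not set up, users will be able to pull docker images without authentication." is less precise than the commit message, which describes users downloading images they are not authorized to download. Suggest naming the setting as the `auth` section of the Registry configuration shown in the example directly above, capitalizing "Docker", and wording the risk in terms of authorization as well as authentication. The commit message cites https://gitlab.com/gitlab-org/gitlab-runner/issues/3652 as an example; referencing it from the caution would tell administrators what kind of failure to look for.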