Is any user able to pull any container registry image?

In GitLab CI, any user is able to use any container registry image of any project.

However, according to Permissions and roles | GitLab, the action “Pull container images from private projects” can be performed by developers, maintainers and administrators “if the triggering user is a member of the project.”

Given that:

  • Project A is private
  • I am not a member of project A
  • I pull project A’s image in the CI pipeline of project B

… I would expect an error. However, the CI pipeline of project B successfully uses the image of project A. I tried placing projects A and B in different groups, which does not help.

Am I misinterpreting the documentation?

I found the answer already:

These articles are in the ‘Runners’ section. It would be useful to refer to them in the ‘GitLab Container Registry’ section, as it took a while to find them.

@wedwards, thank you for your suggestion to improve our docs!

And also thank you for answering your own question! It is always appreciated, in case other users come across the same situation. Obligatory xkcd.

I have created an MR to link to When not to use the if-not-present pull policy from:

  1. Note number 2 in Job permissions
  2. View the container registry

Do you think these changes would have allowed you to find your answer sooner?

> Do you think these changes would have allowed you to find your answer sooner?

I do!