Is any user able to pull any container registry image?

wedwards · November 19, 2022, 8:33pm

In GitLab CI, any user is able to use any container registry image of any project.

However, according to Permissions and roles | GitLab, the action “Pull container images from private projects” can be performed by developers, maintainers and administrators “if the triggering user is a member of the project.”

Given that:

Project A is private
I am not a member of project A
I pull project A’s image in the CI pipeline of project B

… I would expect an error. However, the CI pipeline of project B successfully uses the image of project A. I tried placing projects A and B in different groups, which does not help.

Am I misinterpreting the documentation?

wedwards · November 19, 2022, 9:25pm

I found the answer already:

These articles are in the ‘Runners’ section. It would be useful to refer to them in the ‘GitLab Container Registry’ section, as it took a while to find them.

thiagocsf · November 24, 2022, 9:03pm

@wedwards, thank you for your suggestion to improve our docs!

And also thank you for answering your own question! It is always appreciated, in case other users come across the same situation. Obligatory xkcd.

I have created an MR to link to When not to use the if-not-present pull policy from:

Note number 2 in Job permissions
View the container registry

Do you think these changes would have allowed you to find your answer sooner?

wedwards · November 25, 2022, 9:48pm

Do you think these changes would have allowed you to find your answer sooner?

I do!