Recently upgraded to 18.x, now all my runners fail with 'access denied'

I’m sure there is some kind of policy grant I need to apply somewhere, but I’ll be dipped if I can figure out what it is. My pipeline definition is here:

My runner config.toml:

The full error message is:

Running with gitlab-runner 18.1.0 (0731d300)
  on runner01 39a7f28b, system ID: s_e14c28698d48
Preparing the "docker" executor 00:04
Using Docker executor with image repo.mycorp.org:4567/fuzzy-infra/containertest/fuzzyhugo:latest ...
Using effective pull policy of [always] for container repo.mycorp.org:4567/fuzzy-infra/containertest/fuzzyhugo:latest
Authenticating with credentials from job payload (GitLab Registry)
Pulling docker image repo.mycorp.org:4567/fuzzy-infra/containertest/fuzzyhugo:latest ...
Pulling docker image repo.mycorp.org:4567/fuzzy-infra/containertest/fuzzyhugo:latest ...
WARNING: Failed to pull image with policy "always": Error response from daemon: pull access denied for repo.mycorp.org:4567/fuzzy-infra/containertest/fuzzyhugo, repository does not exist or may require 'docker login': denied: requested access to the resource is denied (manager.go:238:1s)

ERROR: Job failed: failed to pull image "repo.mycorp.org:4567/fuzzy-infra/containertest/fuzzyhugo:latest" with specified policies [always]: Error response from daemon: pull access denied for repo.mycorp.org:4567/fuzzy-infra/containertest/fuzzyhugo, repository does not exist or may require 'docker login': denied: requested access to the resource is denied (manager.go:238:1s)

What am I missing?

We seem to have the same problem. Did you find out anything? When we downgrade the runner back to 17.x the problem still exists.

You have to give permission to the projects that use your custom docker images. So in the project where you build your custom images, go to CI/CD Settings → Job token permissions and add ‘All projects in authentication log’.
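A triage sketch for the log in the question, added here as an example and not part of the original posts: it confirms that the denied pull was authenticated with the job token, then lists the projects that could own the image, which is where the Job token permissions allowlist has to be edited. The function names are made up for this example, and the sample log is constructed from the lines quoted above.

```python
import re

# Constructed sample: runner messages quoted in the question, one per line.
SAMPLE_LOG = """\
Authenticating with credentials from job payload (GitLab Registry)
Pulling docker image repo.mycorp.org:4567/fuzzy-infra/containertest/fuzzyhugo:latest ...
WARNING: Failed to pull image with policy "always": Error response from daemon: pull access denied for repo.mycorp.org:4567/fuzzy-infra/containertest/fuzzyhugo, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
"""

JOB_TOKEN_AUTH = "Authenticating with credentials from job payload (GitLab Registry)"
DENIED = re.compile(r"pull access denied for (\S+?),")


def split_image(ref):
    """Split 'host[:port]/path[:tag]' into (registry, repository path)."""
    registry, _, rest = ref.partition("/")
    last = rest.rsplit("/", 1)[-1]
    if ":" in last:  # a tag can only appear in the final path segment
        rest = rest[: rest.rindex(":")]
    return registry, rest


def candidate_projects(repo_path):
    """GitLab image names are <namespace>/<project> plus up to two extra
    levels, so the owning project is the path minus 0, 1 or 2 segments."""
    parts = repo_path.split("/")
    out = []
    for drop in (0, 1, 2):
        keep = parts[: len(parts) - drop]
        if len(keep) >= 2:  # a project path always has a namespace
            out.append("/".join(keep))
    return out


def diagnose(log, job_project):
    """Return projects whose job token allowlist should include job_project,
    or [] when the log does not show a job-token pull being denied."""
    m = DENIED.search(log)
    if JOB_TOKEN_AUTH not in log or not m:
        return []
    _, repo_path = split_image(m.group(1))
    return [p for p in candidate_projects(repo_path) if p != job_project]
```

An empty result means the denial did not come from a job-token pull, so the allowlist is not the place to look.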

Ah hah, that did the trick! Thank you so much!

Was there some entry in the Changelog I missed?