k3s-io / k3s

Lightweight Kubernetes
https://k3s.io
Apache License 2.0

Wildcard Configuration in registries.yaml Partially Fails to Authenticate #11352

Closed kingsd041 closed 4 days ago

kingsd041 commented 4 days ago

Environmental Info: K3s Version: v1.30.6+k3s1

Node(s) CPU architecture, OS, and Version: 22.04.4

Cluster Configuration:

1 server

Describe the bug:

When configuring the registries.yaml file to use a wildcard (*) for both mirrors and configs, K3s fails to pull images from the private Harbor registry that requires authentication.

Using specific configurations works as expected. However, the behavior with wildcards is inconsistent.

Steps To Reproduce:

  1. Configure a private Harbor registry (e.g., public.kingsd.top) that requires authentication for image pulls.
    Example image: public.kingsd.top/demo/nginx:1.27

  2. Configure /etc/rancher/k3s/registries.yaml as follows:

Scenario A (Wildcard for Both Mirrors and Configs)

mirrors:
  "*":
    endpoint:
      - "https://public.kingsd.top/"
configs:
  "*":
    auth:
      username: admin
      password: Harbor12345

Result:
Pulling the image fails with the error:

E1122 16:17:44.861707  235120 remote_image.go:180] "PullImage from image service failed" err="rpc error: code = Unknown desc = failed to pull and unpack image \"public.kingsd.top/demo/nginx:1.27\": failed to resolve reference \"public.kingsd.top/demo/nginx:1.27\": pull access denied, repository does not exist or may require authorization: authorization failed: no basic auth credentials" image="public.kingsd.top/demo/nginx:1.27"
FATA[0000] pulling image: failed to pull and unpack image "public.kingsd.top/demo/nginx:1.27": failed to resolve reference "public.kingsd.top/demo/nginx:1.27": pull access denied, repository does not exist or may require authorization: authorization failed: no basic auth credentials

Scenario B (Specific Mirror, Wildcard Config)

mirrors:
  "public.kingsd.top":
    endpoint:
      - "https://public.kingsd.top/"
configs:
  "*":
    auth:
      username: admin
      password: Harbor12345

Result:
Pulling the image fails with the same error as Scenario A.

Scenario C (Wildcard Mirror, Specific Config)

mirrors:
  "*":
    endpoint:
      - "https://public.kingsd.top/"
configs:
  "public.kingsd.top":
    auth:
      username: admin
      password: Harbor12345

Result:
Image pull succeeds.

  3. Restart K3s:

systemctl restart k3s

  4. Attempt to pull the image:

root@demo-k3s:~# crictl pull public.kingsd.top/demo/nginx:1.27
Image is up to date for sha256:5ef79149e0ec84a7a9f9284c3f91aa3c20608f8391f5445eabe92ef07dbda03c

Expected behavior:

Wildcard configurations for both mirrors and configs should work consistently and allow pulling images when proper authentication is provided.
The documentation mentions wildcard support but does not specify limitations related to this case.

Relevant doc link: Private Registry - Wildcard Support

brandond commented 4 days ago

We can update the docs, but it is not intended that credentials would be looked up from the wildcard section. If this was done, then an attacker could compromise your credentials by deploying a pod that used an image that came from their registry, and then stealing the credentials when containerd connected and authenticated to pull the image.
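To make the distinction between the report's three layouts and the reply's reasoning concrete, here is an added Python model of the lookup; it is example code written for this page, not k3s or containerd source. It assumes a simplified resolution order: a mirror entry is matched by registry host with "*" as the fallback, credentials under `configs` are keyed by the endpoint host, and, as brandond states, the "*" entry under `configs` is never consulted for credentials. The `wildcard_creds=True` switch models the behaviour the reporter expected, so the credential-disclosure risk described in the reply can be seen on a constructed third-party image reference (`attacker.example` is a placeholder host, and `AUTH_REQUIRED` is a constructed stand-in for the Harbor instance).

```python
from urllib.parse import urlparse

# Constructed copies of the three registries.yaml layouts from the report.
SCENARIO_A = {  # wildcard mirror, wildcard config
    "mirrors": {"*": {"endpoint": ["https://public.kingsd.top/"]}},
    "configs": {"*": {"auth": {"username": "admin", "password": "Harbor12345"}}},
}
SCENARIO_B = {  # specific mirror, wildcard config
    "mirrors": {"public.kingsd.top": {"endpoint": ["https://public.kingsd.top/"]}},
    "configs": {"*": {"auth": {"username": "admin", "password": "Harbor12345"}}},
}
SCENARIO_C = {  # wildcard mirror, specific config
    "mirrors": {"*": {"endpoint": ["https://public.kingsd.top/"]}},
    "configs": {"public.kingsd.top": {"auth": {"username": "admin", "password": "Harbor12345"}}},
}

# Constructed: registries in this toy environment that reject anonymous pulls.
AUTH_REQUIRED = {"public.kingsd.top"}

IMAGE = "public.kingsd.top/demo/nginx:1.27"          # from the report
THIRD_PARTY_IMAGE = "attacker.example/hello:latest"  # placeholder, constructed


def image_host(image_ref):
    """Registry host of an image reference; bare names resolve to docker.io."""
    first = image_ref.split("/", 1)[0]
    if "/" in image_ref and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def mirror_endpoints(config, host):
    """Endpoints to try for a registry host: the exact mirror entry, then the
    '*' entry, else the registry itself (simplified model, an assumption here)."""
    mirrors = config.get("mirrors", {})
    entry = mirrors.get(host) or mirrors.get("*")
    if entry:
        return list(entry["endpoint"])
    return ["https://%s/" % host]


def credentials_for(config, endpoint_host, wildcard_creds=False):
    """Credentials are keyed by endpoint host and matched exactly.
    wildcard_creds=True models the lookup the reporter expected, where the
    '*' entry under configs would also supply credentials."""
    configs = config.get("configs", {})
    entry = configs.get(endpoint_host)
    if entry is None and wildcard_creds:
        entry = configs.get("*")
    return (entry or {}).get("auth")


def simulate_pull(config, image_ref, wildcard_creds=False):
    """Walk the endpoints for an image and record, per attempt, which host was
    contacted, whether credentials were sent to it, and whether the pull
    succeeded. Stops at the first successful endpoint."""
    attempts = []
    for endpoint in mirror_endpoints(config, image_host(image_ref)):
        ep_host = urlparse(endpoint).hostname
        auth = credentials_for(config, ep_host, wildcard_creds)
        pulled = ep_host not in AUTH_REQUIRED or auth is not None
        attempts.append({"endpoint": ep_host,
                         "sent_credentials": auth is not None,
                         "pulled": pulled})
        if pulled:
            break
    return attempts


def credential_disclosure_hosts(config, image_ref, wildcard_creds=False):
    """Hosts that would receive the stored credentials while pulling image_ref
    but have no entry of their own under configs; non-empty means the
    credentials leave the registry they were issued for."""
    configs = config.get("configs", {})
    return [a["endpoint"] for a in simulate_pull(config, image_ref, wildcard_creds)
            if a["sent_credentials"] and a["endpoint"] not in configs]


if __name__ == "__main__":
    for name, cfg in (("A", SCENARIO_A), ("B", SCENARIO_B), ("C", SCENARIO_C)):
        print("Scenario", name, simulate_pull(cfg, IMAGE))
    # Scenario B with a third-party image: under the reporter's expected
    # semantics the '*' credentials would be sent to a registry that is not
    # the one they were issued for; under k3s semantics nothing is sent.
    print("wildcard creds:", credential_disclosure_hosts(SCENARIO_B, THIRD_PARTY_IMAGE, True))
    print("k3s behaviour:", credential_disclosure_hosts(SCENARIO_B, THIRD_PARTY_IMAGE, False))
```

Scenarios A and B reach `public.kingsd.top` with no credentials and fail, matching the "no basic auth credentials" error in the report; Scenario C sends the host-specific credentials and succeeds. The last two lines show why the exact-host rule is the safer default: with `wildcard_creds=True` the `configs` "*" credentials would be sent to whatever registry a pod's image reference names, which is the disclosure brandond describes.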