Bug
Resolution: Unresolved
Normal
4.20.0
Quality / Stability / Reliability
Moderate
Description of problem:
see similar bug OCPBUGS-57585
checked in 4.20.0-0.nightly-2025-07-20-021531, openshift-image-registry image-registry-operator endpoint 60000 port exposed all the information without any authorization
should implement proper authentication
$ oc -n openshift-image-registry get pod -o wide
NAME                                               READY   STATUS    RESTARTS   AGE   IP            NODE                                        NOMINATED NODE   READINESS GATES
cluster-image-registry-operator-54579d4646-xkm9l   1/1     Running   0          11h   10.129.0.22   ip-10-0-77-233.us-east-2.compute.internal   <none>           <none>
image-registry-85f57c5f66-7h9z2                    1/1     Running   0          10h   10.128.2.22   ip-10-0-19-69.us-east-2.compute.internal    <none>           <none>
image-registry-85f57c5f66-zb9jh                    1/1     Running   0          10h   10.129.2.9    ip-10-0-37-6.us-east-2.compute.internal     <none>           <none>
node-ca-29ctw                                      1/1     Running   0          11h   10.0.37.6     ip-10-0-37-6.us-east-2.compute.internal     <none>           <none>
node-ca-5hjfn                                      1/1     Running   0          11h   10.0.79.84    ip-10-0-79-84.us-east-2.compute.internal    <none>           <none>
node-ca-gln2q                                      1/1     Running   0          11h   10.0.43.21    ip-10-0-43-21.us-east-2.compute.internal    <none>           <none>
node-ca-hrhhx                                      1/1     Running   0          11h   10.0.19.69    ip-10-0-19-69.us-east-2.compute.internal    <none>           <none>
node-ca-lpw4h                                      1/1     Running   0          11h   10.0.25.174   ip-10-0-25-174.us-east-2.compute.internal   <none>           <none>
node-ca-zhdbs                                      1/1     Running   0          11h   10.0.77.233   ip-10-0-77-233.us-east-2.compute.internal   <none>           <none>

$ oc -n openshift-image-registry get ep
Warning: v1 Endpoints is deprecated in v1.33+; use discovery.k8s.io/v1 EndpointSlice
NAME                      ENDPOINTS                          AGE
image-registry            10.128.2.22:5000,10.129.2.9:5000   11h
image-registry-operator   10.129.0.22:60000                  11h

$ oc -n openshift-image-registry exec cluster-image-registry-operator-54579d4646-xkm9l -- curl -k https://10.129.0.22:60000/metrics | head
# HELP image_registry_image_stream_tags_total Number of image stream tags. Source is either 'imported' or 'pushed'. 'location' label shows if the tag lives in one of the 'openshift' namespaces or 'other'
# TYPE image_registry_image_stream_tags_total gauge
image_registry_image_stream_tags_total{location="openshift",source="imported"} 295
image_registry_image_stream_tags_total{location="openshift",source="pushed"} 0
image_registry_image_stream_tags_total{location="other",source="imported"} 0
image_registry_image_stream_tags_total{location="other",source="pushed"} 0
# HELP image_registry_operator_image_pruner_install_status Installation status code related to the automatic image pruning feature. 0 = not installed, 1 = suspended, 2 = enabled
# TYPE image_registry_operator_image_pruner_install_status gauge
image_registry_operator_image_pruner_install_status 2
# HELP image_registry_operator_storage_reconfigured_total Total times the image registry's storage was reconfigured.
Version-Release number of selected component (if applicable):
$ oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.20.0-0.nightly-2025-07-20-021531   True        False         11h     Cluster version is 4.20.0-0.nightly-2025-07-20-021531
How reproducible:
always
Steps to Reproduce:
1. see descriptions
Actual results:
openshift-image-registry image-registry-operator endpoint 60000 port exposed all the information without any authorization
Expected results:
should be with authorization
Additional info:
the issue also exists in 4.19 and previous versions
When the bug is fixed, please remove it from this code snippet to avoid regression.
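
An added example, not part of the report or of the operator's code: a shell check that repeats the report's unauthenticated `curl` from inside a pod and classifies the response, so it can be rerun to confirm a fix. The function names and sample bodies are constructed here; the namespace, pod name and URL are supplied by the caller.

```shell
#!/bin/sh
# Added example: regression check for an unauthenticated metrics endpoint.
# Usage (values are the caller's own):
#   probe_metrics_endpoint <namespace> <pod> https://<pod-ip>:60000/metrics

# Classify one unauthenticated probe result.
# $1 = HTTP status code, $2 = response body (may be empty)
# Prints: exposed | protected | inconclusive
classify_metrics_probe() {
    status=$1
    body=$2
    case "$status" in
        401|403)
            echo protected ;;
        200)
            # Prometheus text exposition introduces metrics with "# HELP" / "# TYPE".
            if printf '%s\n' "$body" | grep -Eq '^# (HELP|TYPE) '; then
                echo exposed
            else
                echo inconclusive
            fi ;;
        *)
            # Redirects, 5xx, connection failures: cannot decide either way.
            echo inconclusive ;;
    esac
}

# Run the probe from inside a pod, sending no token or client certificate.
# $1 = namespace, $2 = pod, $3 = metrics URL
probe_metrics_endpoint() {
    ns=$1 pod=$2 url=$3
    # -w appends the status code as the final line of curl's output.
    out=$(oc -n "$ns" exec "$pod" -- \
        curl -k -s --max-time 10 -w '\n%{http_code}' "$url") \
        || { echo inconclusive; return 0; }
    status=$(printf '%s\n' "$out" | tail -n 1)
    body=$(printf '%s\n' "$out" | sed '$d')
    classify_metrics_probe "$status" "$body"
}

# Constructed sample bodies for an offline self-check of the classifier.
SAMPLE_OPEN='# HELP image_registry_operator_image_pruner_install_status Installation status code
# TYPE image_registry_operator_image_pruner_install_status gauge
image_registry_operator_image_pruner_install_status 2'
SAMPLE_DENIED='Unauthorized'
```

A result of `exposed` matches the behaviour shown in the report; `protected` is the outcome the expected results ask for.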