Beginning 23 June 2022, when connections are made to IBM Cloud Container Registry, the real source IP address of the request is used, both in IBM Cloud Activity Tracker events and when the request is checked against IAM restricted IP address lists.
Previously, for connections that came in over the private network, the source IP address that you saw in IBM Cloud Activity Tracker, and that you had to configure in IAM restricted IP address lists, was one of the documented Container Registry private IP addresses rather than the address of your own host. This change also affects you if you maintain allowlists or firewall rules that reference those addresses.
As of 23 June 2022, only the br-sao and ca-tor regions have changed. Changes to the other regions are delayed.
How you benefit from this change
This change increases security for IBM Cloud Container Registry users who use private connections together with IAM restricted IP address lists. Before the change, every private-network request appeared to come from a Container Registry address, so a restricted IP address list that allowed those addresses could not distinguish requests from your own hosts from requests by any other host that reaches the registry over the same private path. You must now configure the restricted IP address list to allow the private subnets or IP addresses of your own hosts, which means that you can ensure that Container Registry OAuth requests originate only from hosts that you own.
Users of Activity Tracker will also see the true source IP address in audit logs (currently, they see a private Container Registry-owned IP address).
Understanding if you are impacted
You are accessing Container Registry over the private network if one of the following statements is true:
- You’re using one of the private.* domains (for example, private.us.icr.io).
- You’re using an IBM Cloud Kubernetes Service cluster in a configuration that automatically talks to the registry over a private connection.
- You’re accessing Container Registry through a virtual private cloud (VPC) Virtual Private Endpoint Gateway (VPE Gateway).
- You’re using the Container Registry private IP addresses for configuring network access; for example, in firewalls or Access Control Lists (ACLs).
If any of the previous statements are true when this change takes effect, the IP addresses in the IBM Cloud Activity Tracker logs change, but you don’t need to do anything unless you are also using IAM IP address access restrictions.
If you use Calico, the Calico network policy samples in the documentation have been updated to take account of the change.
What actions do you need to take?
By 23 June 2022, if you access Container Registry over the private network and maintain a list of restricted IP addresses in IAM, you must update your IAM restricted IP address list to include the IP addresses or subnets of every host in your account that makes requests to Container Registry. Keep the current Container Registry private IP addresses in the list as well, because the change is rolling out region by region and the regions that have not yet changed still present the registry addresses as the source.
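The following is an added worked example, not code from IBM or from the Container Registry documentation. It shows how to check a set of Activity Tracker source addresses against an IAM-style restricted IP address list before and after the change, and how to find the addresses that the old list no longer covers. All addresses are constructed placeholders from the RFC 1918 and RFC 5737 ranges, not real Container Registry or IBM Cloud addresses, and the event field path initiator.host.address is an assumption about where the source IP appears in your exported events.

```python
import ipaddress

# Constructed placeholder addresses (RFC 1918 / RFC 5737). They are NOT real
# Container Registry or IBM Cloud addresses; substitute the documented
# registry private IP addresses and your own worker-node subnets.
REGISTRY_PRIVATE_SUBNETS = ["192.0.2.0/24"]              # stands in for the registry private IPs
MY_HOST_SUBNETS = ["10.240.0.0/24", "10.240.128.0/24"]    # subnets of hosts that you own

# Constructed Activity Tracker-style events. The field path
# initiator.host.address is assumed to carry the source IP; adjust to taste.
SAMPLE_EVENTS = [
    # Before the change: a registry-owned private IP appears as the source.
    {"action": "container-registry.oauth.token", "initiator": {"host": {"address": "192.0.2.17"}}},
    # After the change: the real addresses of your worker nodes appear.
    {"action": "container-registry.oauth.token", "initiator": {"host": {"address": "10.240.0.12"}}},
    {"action": "container-registry.oauth.token", "initiator": {"host": {"address": "10.240.128.9"}}},
    # A request from an address you do not own: this should stay blocked and be investigated.
    {"action": "container-registry.oauth.token", "initiator": {"host": {"address": "198.51.100.7"}}},
]


def parse_allowlist(entries):
    """Parse IAM-style entries ("10.0.0.1" or "10.0.0.0/24") into network objects."""
    return [ipaddress.ip_network(entry.strip(), strict=False) for entry in entries]


def is_allowed(ip, allowlist_networks):
    """True if the source address falls inside any allowlisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowlist_networks)


def source_ips(events):
    """Extract the (assumed) source address field from each event."""
    return [event["initiator"]["host"]["address"] for event in events]


def evaluate(events, allowlist_entries):
    """Map each source address in the events to whether the list would allow it."""
    networks = parse_allowlist(allowlist_entries)
    return {ip: is_allowed(ip, networks) for ip in source_ips(events)}


def uncovered_sources(events, allowlist_entries):
    """Source addresses seen in the events that the current list does not cover."""
    networks = parse_allowlist(allowlist_entries)
    uncovered = {ip for ip in source_ips(events) if not is_allowed(ip, networks)}
    return sorted(uncovered, key=ipaddress.ip_address)


def updated_allowlist(current_entries, host_subnets):
    """Keep the registry entries (regions not yet changed still use them) and add your own subnets."""
    merged = []
    for entry in list(current_entries) + list(host_subnets):
        normalized = str(ipaddress.ip_network(entry.strip(), strict=False))
        if normalized not in merged:
            merged.append(normalized)
    return merged


if __name__ == "__main__":
    print("Not covered by the old list:", uncovered_sources(SAMPLE_EVENTS, REGISTRY_PRIVATE_SUBNETS))
    new_list = updated_allowlist(REGISTRY_PRIVATE_SUBNETS, MY_HOST_SUBNETS)
    print("Updated list:", new_list)
    print("Still not covered (investigate, do not just add):", uncovered_sources(SAMPLE_EVENTS, new_list))
```

The addresses that remain uncovered after you add the subnets you own are the interesting ones: add known host subnets from your own inventory, not every address that shows up in the logs, otherwise the restricted list degrades back into "whatever has reached the registry so far".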
See the docs for more info: “Update IAM restricted IP address lists by 23 June 2022.”
For more information about connecting to Container Registry over the private network, see Securing your connection to Container Registry.