April 7, 2022 By Ethan Long 2 min read

Beginning 23 June 2022, when connections are made to IBM Cloud Container Registry, the real source IP of the request will be used.

Previously, when connections came in over private networks, the source IP addresses that you saw in IBM Cloud Activity Tracker and that were configured for IAM restricted IP address lists were documented Container Registry IP addresses. This change also affects you if you have allowlists or a firewall rule.

As of 23 June 2022, only the br-sao and ca-tor regions changed. Changes to the other regions are delayed.

How you benefit from this change

This change increases security for any IBM Cloud Container Registry users that use private connections and IAM restricted IP address lists. You must now configure the restricted IP address list to allow the private subnet/IPs of your own host, which means that you can ensure Container Registry OAuth requests only originate from hosts that you own.

Users of Activity Tracker will also be able to see the true source IP address in any audit logs (where currently, they would see a private Container Registry-owned IP).

Understanding if you are impacted

You are accessing Container Registry over the private network if one of the following statements is true:

  • You’re using one of the private.* domains (e.g., private.us.icr.io.).
  • You’re using an IBM Cloud Kubernetes Service cluster in a configuration that automatically talks to the registry over a private connection.
  • You’re accessing Container Registry through a virtual private cloud (VPC) Virtual Private Endpoint Gateway (VPE Gateway).
  • You’re using the Container Registry private IP addresses for configuring network access; for example, in firewalls or Access Control Lists (ACLs).

If any of the previous statements are true when this change takes effect, the IP addresses in the IBM Cloud Activity Tracker logs change, but you don’t need to do anything unless you are also using IAM IP address access restrictions.

If you use Calico, the samples are updated to take account of the change.

What actions do you need to take?

By 23 June 2022, if you access Container Registry over the private network and maintain a list of restricted IP addresses in IAM, you must update your IAM restricted IP address list to include any IP addresses or subnets of hosts in your account that make requests to Container Registry, in addition to the current Container Registry private IP addresses.

See the docs for more info: “Update IAM restricted IP address lists by 23 June 2022.”

For more information about connecting to Container Registry over the private network, see Securing your connection to Container Registry.

More from Announcements

Probable Root Cause: Accelerating incident remediation with causal AI 

5 min read - It has been proven time and time again that a business application’s outages are very costly. The estimated cost of an average downtime can run USD 50,000 to 500,000 per hour, and more as businesses are actively moving to digitization. The complexity of applications is growing as well, so Site Reliability Engineers (SREs) require hours—and sometimes days—to identify and resolve problems.   To alleviate this problem, we have introduced the new feature Probable Root Cause as part of Intelligent Incident…

Reflecting on IBM’s legacy of environmental innovation and leadership

4 min read - Upholding a legacy of more than 50 years of environmental responsibility through our company’s actions and commitments, IBM continues to be a leader in driving sustainability for our business, our communities and our clients—including a 34-year history of annual, public environmental reporting, which we continue today. As a hybrid cloud and artificial intelligence (AI) company, we believe that leveraging technology is key to unlocking impact, and it will play a substantial role in how society addresses, adapts to, and overcomes…

Fostering a more ethical future by leveraging technology 

3 min read - The introduction of generative AI (gen AI) has quickly raised new questions and challenges across the global marketplace. At IBM, our principles of trust and transparency serve as a foundation to help our clients address these challenges head-on, and through our work with policymakers, researchers, clients and other stakeholders, we continue to meet these challenges and develop technological and policy safeguards.  We are working hard to set an example of how to implement and maintain responsible technology, as we have…

IBM Newsletters

Get our newsletters and topic updates that deliver the latest thought leadership and insights on emerging trends.
Subscribe now More newsletters