Source IP Preservation for Private Connections to IBM Cloud Container Registry


Beginning 23 May 2022, when connections are made to IBM Cloud Container Registry, the real source IP of the request will be used.

Previously, when connections came in over private networks, the source IP addresses that you saw in IBM Cloud Activity Tracker, and that you configured in IAM restricted IP address lists, were the documented Container Registry IP addresses.

How you benefit from this change

This change increases security for any IBM Cloud Container Registry users that use private connections and IAM restricted IP address lists. You must now configure the restricted IP address list to allow the private subnet/IPs of your own host, which means that you can ensure Container Registry OAuth requests only originate from hosts that you own.

Users of Activity Tracker will also be able to see the true source IP address in any audit logs (where currently, they would see a private Container Registry-owned IP).

Understanding if you are impacted

You are accessing Container Registry over the private network if one of the following statements is true:

  • You're using one of the private.* domains (e.g., private.us.icr.io).
  • You're using an IBM Cloud Kubernetes Service cluster in a configuration that automatically talks to the registry over a private connection.
  • You’re accessing Container Registry through a virtual private cloud (VPC) Virtual Private Endpoint Gateway (VPE Gateway).

What actions do you need to take?

By 23 May 2022, if you access Container Registry over the private network and maintain a list of restricted IP addresses in IAM, you must update your IAM restricted IP address list to include any IP addresses or subnets of hosts in your account that make requests to Container Registry, in addition to the current Container Registry private IP addresses. After 26 May 2022, you can remove the existing Container Registry private IP addresses from your restricted IP list.
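A pre-change check for the update described above, as an added example that is not IBM's own tooling: it parses a restricted IP address list and reports which of your hosts, and which Container Registry private IPs, are not yet covered. The comma-separated entry format (single IP, start-end range, CIDR subnet), the host names, and every address below are constructed assumptions; the registry IPs are documentation-range placeholders, not real Container Registry addresses.

```python
import ipaddress

def parse_allowlist(text):
    """Parse comma-separated entries: single IP, 'start-end' range, or CIDR subnet.
    (Entry format is an assumption for this example.)"""
    networks = []
    for entry in (e.strip() for e in text.split(",")):
        if not entry:
            continue
        if "-" in entry:
            start, end = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            if start.version != end.version or start > end:
                raise ValueError(f"bad range: {entry}")
            networks.extend(ipaddress.summarize_address_range(start, end))
        else:
            # strict=False accepts a bare IP (/32 or /128) or a host address with a prefix
            networks.append(ipaddress.ip_network(entry, strict=False))
    return networks

def uncovered(allowlist_text, addresses):
    """Return the sorted names from {name: ip} that no allowlist entry covers."""
    nets = parse_allowlist(allowlist_text)
    missing = []
    for name, addr in addresses.items():
        ip = ipaddress.ip_address(addr)
        if not any(ip.version == n.version and ip in n for n in nets):
            missing.append(name)
    return sorted(missing)

# Constructed sample data (placeholders, not real addresses).
REGISTRY_PRIVATE_IPS = {"registry-a": "192.0.2.10", "registry-b": "192.0.2.11"}
MY_HOSTS = {"build-01": "10.240.0.5", "build-02": "10.240.1.20", "worker-07": "10.241.64.9"}

# List as it stood before the change: only the registry-owned private IPs.
OLD_LIST = "192.0.2.10, 192.0.2.11"
# Transition list: registry IPs kept, own subnets and ranges added.
TRANSITION_LIST = "192.0.2.10, 192.0.2.11, 10.240.0.0/23, 10.241.64.4-10.241.64.12"

if __name__ == "__main__":
    for label, allowlist in (("old", OLD_LIST), ("transition", TRANSITION_LIST)):
        print(label, "hosts not covered:", uncovered(allowlist, MY_HOSTS))
        print(label, "registry IPs not covered:", uncovered(allowlist, REGISTRY_PRIVATE_IPS))
```

Any host reported as not covered would have its Container Registry requests rejected by the IAM restriction once the real source IP is used.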

For more information about connecting to Container Registry over the private network, see Securing your connection to Container Registry.
