IBM Cloud Docs
Container Registry private IP addresses changed on 5 July 2022

If you connect to IBM Cloud® Container Registry over the private network and you use Cloud Identity and Access Management (IAM) restricted IP address lists, you must update your IAM restricted IP list by 23 June 2022. This change also affects you if you maintain allowlists or firewall rules that reference the Container Registry private IP addresses.

On 23 June 2022, only the br-sao and ca-tor regions changed. The remaining regions changed on 5 July 2022. This change was originally due to take place on 23 May 2022 but was delayed.

What you need to know about this change

From 5 July 2022 (23 June 2022 for the br-sao and ca-tor regions), when connections are made to IBM Cloud Container Registry, the real source IP of the request is used. Previously, when connections came in over private networks, the source IP addresses that you saw in IBM Cloud Activity Tracker, and that you configured in IAM restricted IP address lists, were the documented, shared Container Registry IP addresses rather than the addresses of your own hosts.

This change improves the security of IBM Cloud Container Registry. With this change, you can configure the real, account-specific private client IP addresses in IAM restricted IP lists instead of the documented list of shared IP addresses. You must now allow the private subnets and IP addresses of your own hosts (for example, the worker nodes in a classic IBM Cloud Kubernetes Service cluster, or the egress IP of a VPC network).

Also, as part of this change, the IBM Cloud Container Registry service private IP addresses changed, which might require updates to your firewall configuration.

If you use Calico, the Calico policy samples in the documentation are updated to take account of the change.

You must not remove the IBM Cloud Container Registry private IP addresses from your IAM restricted IP list until an announcement advises you to do so.

You must take the appropriate actions before the first phase of this change on 23 June 2022; otherwise, your requests to Container Registry might fail authorization.

How you benefit from this change

This change increases security for all IBM Cloud Container Registry users who use private connections and IAM restricted IP address lists. After the change, you configure the restricted IP address list to allow the private subnets and IP addresses of your own hosts, rather than the shared, documented Container Registry addresses, which cannot distinguish your hosts from anyone else's. This means that you can ensure Container Registry OAuth requests originate only from hosts that you own.

If you use IBM Cloud Activity Tracker, you can see the true source IP address in your audit logs, where previously you saw a private IP address owned by Container Registry.

Understanding if you are impacted by this change

You are impacted if you are accessing Container Registry over the private network.

You are accessing Container Registry over the private network if one of the following statements is true:

  • You're using one of the private.* domains, for example, private.us.icr.io.
  • You're using an IBM Cloud Kubernetes Service cluster in a configuration that automatically talks to the registry over a private connection.
  • You're accessing Container Registry through a virtual private cloud (VPC) virtual private endpoint gateway (VPE gateway).
  • You're using the Container Registry private IP addresses for configuring network access, for example, in firewalls or Access Control Lists (ACL).

If any of the previous statements is true when this change takes effect, the IP addresses in the IBM Cloud Activity Tracker logs change, but you don't need to do anything unless you also use IAM IP address access restrictions or firewall rules that reference the Container Registry private IP addresses.

What actions you need to take

You must take the appropriate actions before 23 June 2022. If you don’t make the appropriate updates, your requests to push and pull from Container Registry might fail.

Depending on which of the following scenarios you fit, take the appropriate action.

You access Container Registry over the private network and maintain a list of restricted IP addresses in IAM.
You must update your IAM restricted IP address list to include any IP addresses or subnets of hosts in your account that make requests to Container Registry. You must keep the current Container Registry private IP addresses in your restricted IP list until an announcement indicates it is safe to remove them. For more information about how to update a restricted IP address list, see Allowing specific IP addresses in the Cloud Identity and Access Management (IAM) documentation.
Your firewalls are configured with the Container Registry private IP addresses.
You must include the new private IP addresses in your firewall configuration. For more information about connecting to Container Registry over the private network, see Securing your connection to Container Registry.
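The following script is an added example and is not part of the IBM Cloud documentation. It shows the allowlist update from the first scenario above as a check you can run before the change date: merge your own host subnets into the current IAM restricted IP list while keeping the Container Registry private IP entries in place, then confirm that every client address your hosts will present (the same addresses that Activity Tracker starts showing after the change) is covered. Every IP address and CIDR in it is a constructed placeholder from RFC 1918 and TEST-NET space, not a real Container Registry, worker node, or gateway address; the `initiator.host.address` field used for the sample events is an assumption about the event shape that you should confirm against your own Activity Tracker events, and `ibmcloud ks worker ls --cluster <cluster>` is mentioned only as one way to obtain real worker node private IPs.

```python
"""Audit an IAM restricted IP address list ahead of the Container Registry
private IP change.

Added example, not code from the IBM Cloud documentation. Every address and
CIDR here is a constructed placeholder from RFC 1918 / TEST-NET space, not a
real Container Registry, worker node, or gateway address.
"""
import ipaddress
from typing import Dict, Iterable, List, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# What the IAM restricted IP list looks like today (constructed). The two
# 192.0.2.x entries stand in for the documented Container Registry private IPs,
# which must stay on the list until IBM announces they can be removed.
CURRENT_IAM_ALLOWLIST = [
    "10.10.0.0/24",   # constructed: an existing management subnet
    "192.0.2.10",     # constructed placeholder for a documented CR private IP
    "192.0.2.11",     # constructed placeholder for a documented CR private IP
]

# The real source addresses your hosts will present after the change
# (constructed). In practice, read these from your account, for example the
# Private IP column of `ibmcloud ks worker ls --cluster <cluster>` for classic
# worker nodes, or the address of your VPC public gateway for VPC egress.
OWN_HOST_RANGES = [
    "10.240.0.0/24",  # constructed: classic worker node private subnet
    "10.240.0.12",    # constructed: one worker inside that subnet (redundant)
    "10.240.64.7",    # constructed: a worker node on another subnet
    "198.51.100.5",   # constructed: VPC egress IP
]

# Constructed Activity Tracker-style events. The client address is assumed to
# be in initiator.host.address; confirm the field against your own events.
SAMPLE_EVENTS: List[Dict] = [
    {"initiator": {"host": {"address": "10.240.0.12"}}},
    {"initiator": {"host": {"address": "10.240.64.7"}}},
    {"initiator": {"host": {"address": "10.241.5.9"}}},   # a host nobody allowlisted
    {"initiator": {"host": {"address": "10.240.64.7"}}},  # repeat, deduplicated below
]


def parse_networks(entries: Iterable[str]) -> List[IPNetwork]:
    """Parse IAM-style entries (single IPs or CIDR blocks) into network objects."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries if e.strip()]


def format_entry(net: IPNetwork) -> str:
    """Render a /32 (or /128) as a bare address, anything else as CIDR."""
    return str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)


def merge_allowlist(current: Iterable[str], additions: Iterable[str]) -> List[str]:
    """Return the updated list: every existing entry (the Container Registry IPs
    included) plus the new host ranges, minus duplicates and entries already
    covered by a wider entry. Nothing is aggregated, so each entry stays
    recognisable when the Container Registry IPs are removed later."""
    nets = parse_networks(current) + parse_networks(additions)
    kept: List[IPNetwork] = []
    for net in nets:
        covered = any(
            other != net and other.version == net.version and net.subnet_of(other)
            for other in nets
        )
        if not covered and net not in kept:
            kept.append(net)
    kept.sort(key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    return [format_entry(n) for n in kept]


def is_allowed(ip: str, allowlist: Iterable[str]) -> bool:
    """True if IAM would accept a request from this source address."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in parse_networks(allowlist))


def source_ips_from_events(events: Iterable[Dict]) -> List[str]:
    """Distinct client addresses seen in the events, in first-seen order."""
    seen: List[str] = []
    for event in events:
        addr = event.get("initiator", {}).get("host", {}).get("address")
        if addr and addr not in seen:
            seen.append(addr)
    return seen


def uncovered_sources(source_ips: Iterable[str], allowlist: Iterable[str]) -> List[str]:
    """Source addresses that the given list would reject."""
    return [ip for ip in source_ips if not is_allowed(ip, allowlist)]


if __name__ == "__main__":
    updated = merge_allowlist(CURRENT_IAM_ALLOWLIST, OWN_HOST_RANGES)
    print("Updated IAM restricted IP list:")
    for entry in updated:
        print("   ", entry)
    sources = source_ips_from_events(SAMPLE_EVENTS)
    print("Rejected by the current list once real IPs are used:",
          uncovered_sources(sources, CURRENT_IAM_ALLOWLIST))
    print("Still rejected after the update (investigate these hosts):",
          uncovered_sources(sources, updated))
```

Any address reported as still uncovered after the merge is a host that is reaching the registry over the private network from a subnet you did not account for; add its subnet to the IAM list, or treat it as unexpected traffic to investigate, before the change date. The merge deliberately does not aggregate adjacent entries, so the Container Registry placeholders remain individually identifiable for removal once IBM announces that it is safe.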

For more information about the new and current Container Registry private IP addresses, see the following topics: