Yeah, we should probably do a sanity check for URL parameters. Help wanted!

@sharifelgamal I've been looking at a validation function. Are these all the supported formats for the registry or am I missing something?

addresses := []string{"10.0.0.1/24", "example.com", "localhost:5000", "localhost", "127.0.0.1", "www.example.com"}

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@kadern0 - I did some digging and discovered that we pass the value directly to dockerd's --insecure-registry flag. Here's the documentation: https://docs.docker.com/engine/reference/commandline/dockerd/#insecure-registries

In order to communicate with an insecure registry, the Docker daemon requires --insecure-registry in one of the following
two forms:

--insecure-registry myregistry:5000 tells the Docker daemon that myregistry:5000 should be considered insecure.
--insecure-registry 10.1.0.0/16 tells the Docker daemon that all registries whose domain resolve to an IP address is part of > the subnet described by the CIDR syntax, should be considered insecure.

That suggests to me that the only valid forms should be:

• <ip>:<port>
• <hostname>:<port>
• <network>/<netmask> (CIDR)

I can confirm that this bug still occurs at master. Honestly, you could probably solve 95% of issues by providing a regular expression that asserts that the value contains only alphanumerics, slashes, colons, dashes, square brackets, or dots (basically: DNS, IPv4, IPv6, or CIDR)

Thanks for your answer, @tstromberg. This should be easy to achieve with regular expressions although it might be interesting looking at using some validator within the ClusterConfig struct although this change will be bigger.

I mention this because it seems to me this function is not 100% correct since it won't reject some malformed URLs (like this "http://;;..,,----__???**"):

With the validator in place, many validation functions could be either removed or simplified.

@tstromberg, this one is fixed by #9977

Hello, would it be possible to also consider IP and hostname in the regexp without having to mention a port ?

In our situation, until 1.17, we were using --insecure-registry dockerhub.example.com in our CI/CD with all K8S manifests pointing to docker images built with tag of kind dockerhub.example.com/xxx/yyy

With 1.17+, to pass the validation, I have to set --insecure-registry dockerhub.example.com:80 (which means the same thing) but the result is that no K8S pod can start as images with tag of kind dockerhub.example.com/xxx/yyy are tried to be pulled in a secure way because it does not precisely match the insecure registry setting which contain the port...

Changing all the jobs that build our docker images in order to add port 80 to the tag is not really an option as we would like to keep consistency in our tags (as they are parsed by some other internal tools we have)

Thanks !

@tstromberg it seems we might need to update the validation fuction according to docker's insecure registry validation (port is not mandatory):
https://github.com/docker/engine/blob/master/registry/config_test.go

Do you agree?