
Docker credentials passed via CRI (on image pull) match URL paths by prefix #102472

@saschagrunert

Description


What happened:

#8438 introduced a glob mechanism for Docker authentication configuration files. URL paths are being matched via strings.HasPrefix:

```go
if !strings.HasPrefix(targetURL.Path, globURL.Path) {
	// the path of the credential must be a prefix
	return false, nil
}
```

This means that credentials provided for a container image quay.io/saschagrunert/foo in config.json will also be passed to the container runtime if we choose an image like quay.io/saschagrunert/foo-my-suffix.

I don't think that this is intentional because I cannot think of a valid use-case around it.

What you expected to happen:

That the credentials only for full path matches get passed down to the container runtime (via the CRI).

How to reproduce it (as minimally and precisely as possible):

Run Kubernetes as described above with a set of pre-configured auth secrets and pull an image with a path suffix.

Anything else we need to know?:

None

Environment:

  • Kubernetes version (use kubectl version): v1.22.0-alpha.2.260+14e4ed07cf81a8
  • Cloud provider or hardware configuration: None
  • OS (e.g: cat /etc/os-release): NixOS
  • Kernel (e.g. uname -a): 5.11.21
  • Install tools: None
  • Network plugin and version (if this is a network-related bug): None
  • Others: None

cc @brendanburns @tcnghia
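To make the mismatch concrete, here is an added example (not code from the Kubernetes repository or from the reporter) that puts the quoted prefix check next to a hypothetical segment-boundary check; the names `matchPrefixOnly`, `matchPathSegments` and `parseImageRef` are assumptions, and the stricter check is one possible hardening, not necessarily the fix the project adopted.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// matchPrefixOnly reproduces the check quoted in the issue: the credential's
// URL path only has to be a string prefix of the target image path, so a
// credential for ".../foo" also matches ".../foo-my-suffix".
func matchPrefixOnly(globURL, targetURL *url.URL) bool {
	return strings.HasPrefix(targetURL.Path, globURL.Path)
}

// matchPathSegments is a hypothetical hardened check (an assumption, not the
// project's own code): the credential path must equal the target path or be
// followed by a "/", so ".../foo" still covers ".../foo/bar" but never
// ".../foo-my-suffix". An empty credential path keeps matching the whole host.
func matchPathSegments(globURL, targetURL *url.URL) bool {
	g := strings.TrimSuffix(globURL.Path, "/")
	p := targetURL.Path
	if !strings.HasPrefix(p, g) {
		return false
	}
	rest := p[len(g):]
	return rest == "" || strings.HasPrefix(rest, "/")
}

// parseImageRef turns an image reference such as "quay.io/org/image" into a
// URL so that host and path can be compared (scheme is only added for parsing).
func parseImageRef(ref string) (*url.URL, error) {
	return url.Parse("https://" + ref)
}

func main() {
	// Constructed sample: the credential entry and three candidate pull targets.
	cred, _ := parseImageRef("quay.io/saschagrunert/foo")
	for _, img := range []string{
		"quay.io/saschagrunert/foo",
		"quay.io/saschagrunert/foo-my-suffix",
		"quay.io/saschagrunert/foo/bar",
	} {
		target, _ := parseImageRef(img)
		fmt.Printf("%-40s prefix=%v segment=%v\n", img,
			matchPrefixOnly(cred, target), matchPathSegments(cred, target))
	}
}
```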

Metadata

Labels:

  • help wanted: Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines.
  • kind/bug: Categorizes issue or PR as related to a bug.
  • lifecycle/rotten: Denotes an issue or PR that has aged beyond stale and will be auto-closed.
  • sig/node: Categorizes an issue or PR as relevant to SIG Node.
  • sig/security: Categorizes an issue or PR as relevant to SIG Security.
  • triage/accepted: Indicates an issue or PR is ready to be actively worked on.

Status: Done
