This issue is a tracking issue to deprecate insecure_registries option.

Since it's impossible to reliably check if the image registry's IP address is in the specified insecure CIDRs, and it causes another problem that cri-o tries to resolve the primary registry hostname instead of its mirror registries, which resulted in the long-time image pull, we should get rid of this option and should delegate it to registries.conf.

The proposal is:

• Stop CIDR matching
• The functionality of insecure hostname and insecure IP address (only when the registry host is in IP address format) can be achieved by registries.conf insecure option.
• Remove this option completely.

ref:

• Avoid accessing mirrored registry #9216 (review)
• sysregistriesv2: support CIDRs for insecure registries containers/image#539 (comment)