diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
index 7e11f0658a..a90aeb89c9 100644
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -112,7 +112,8 @@ docker_registry_email:
docker_registry:
docker_namespace: "kolla"
docker_registry_username:
-docker_registry_insecure: "{{ 'yes' if docker_registry else 'no' }}"
+# Please read the docs carefully before applying docker_registry_insecure.
+docker_registry_insecure: "no"
docker_runtime_directory: ""
# Docker client timeout in seconds.
docker_client_timeout: 120
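Review bot: The new default on the `docker_registry_insecure:` line is the quoted string `"no"` while the docs and release note in this same change describe the default as `false`; since the old Jinja expression also yielded the strings `'yes'`/`'no'`, the consumers presumably coerce with `| bool`, but a native boolean is the Ansible convention and avoids the `yes`/`no` truthy ambiguity yamllint flags. I would write `docker_registry_insecure: false` (confirm the tasks that read it do not compare against the literal string). The preceding comment only says to read the docs; it would be more useful if it named the consequence at the point of configuration, e.g. `# Treat docker_registry as an insecure registry (plain HTTP / unverified TLS). Keep false in production; see the bootstrap-servers docs.`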
diff --git a/doc/source/reference/deployment-and-bootstrapping/bootstrap-servers.rst b/doc/source/reference/deployment-and-bootstrapping/bootstrap-servers.rst
index cef7e95922..f7e8f9fd28 100644
--- a/doc/source/reference/deployment-and-bootstrapping/bootstrap-servers.rst
+++ b/doc/source/reference/deployment-and-bootstrapping/bootstrap-servers.rst
@@ -168,10 +168,13 @@ The ``docker_registry`` variable, which is not set by default, defines the
address of the Docker registry. If the variable is not set, Dockerhub will be
used.
-The ``docker_registry_insecure`` variable, which defaults to ``true`` if
-``docker_registry`` is set, or ``false`` otherwise, defines whether to
-configure ``docker_registry`` as an insecure registry. Insecure registries use
-HTTP rather than HTTPS.
+The ``docker_registry_insecure`` variable, which defaults to ``false``,
+defines whether to configure ``docker_registry`` as an insecure registry.
+Insecure registries allow to use broken certificate chains and HTTP without
+TLS but it's strongly discouraged in production unless in very specific
+circumstances. For more discussion, see the official Docker documentation on
+`insecure registries `__.
+Additionally, notice this will disable Docker registry authentication.
The ``docker_log_max_file`` variable, which defaults to ``5``, defines the
maximum number of log files to retain per container. The
diff --git a/etc/kolla/globals.yml b/etc/kolla/globals.yml
index 74d8e67d86..b71d573569 100644
--- a/etc/kolla/globals.yml
+++ b/etc/kolla/globals.yml
@@ -77,7 +77,8 @@
# Custom docker registry settings:
#docker_registry:
-#docker_registry_insecure: "{{ 'yes' if docker_registry else 'no' }}"
+# Please read the docs carefully before applying docker_registry_insecure.
+#docker_registry_insecure: "no"
#docker_registry_username:
# docker_registry_password is set in the passwords.yml file.
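Review bot: Operators upgrading with an existing `docker_registry` pointing at an HTTP-only or self-signed registry will now see image pulls fail with nothing in globals.yml explaining why, since the commented example gives no hint that the old behaviour enabled insecure mode automatically whenever `docker_registry` was set (the release note in this change states that). A one-line note above the example would make the upgrade impact discoverable where people actually look, e.g. `# Defaults to false. Before this release it was enabled automatically whenever docker_registry was set; set it to true only for registries without valid TLS.` The example value should also match the documented default and Ansible convention: `#docker_registry_insecure: false` rather than the string `"no"`.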
diff --git a/releasenotes/notes/bug-1940547-771f6affb3547748.yaml b/releasenotes/notes/bug-1940547-771f6affb3547748.yaml
new file mode 100644
index 0000000000..3b14c6dda4
--- /dev/null
+++ b/releasenotes/notes/bug-1940547-771f6affb3547748.yaml
@@ -0,0 +1,18 @@
+---
+upgrade:
+ - |
+ Kolla Ansible now defaults ``docker_registry_insecure`` to ``false``.
+ If you relied on the previous behaviour, please switch it back on
+ but bear in mind the consequences as discussed in the related security
+ note as well as the linked bug report.
+ `LP#1940547 `__
+security:
+ - |
+ Previously, Kolla Ansible, by default (as documented in several places),
+ configured Docker to insecure mode for the configured registry (i.e., if
+ not using the default one). This is controlled by the
+ ``docker_registry_insecure`` variable.
+ If operators did not notice this quirk, they could have opened their
+ deployments up for potential MITM attacks. See the bug report for
+ more discussion.
+ `LP#1940547 `__
diff --git a/tests/templates/globals-default.j2 b/tests/templates/globals-default.j2
index c1ac9c2824..d5f0cf4f5a 100644
--- a/tests/templates/globals-default.j2
+++ b/tests/templates/globals-default.j2
@@ -58,7 +58,6 @@ openstack_tag: "{{ build_image_tag }}"
{% else %}
# use the published images from a site mirror of quay.io
docker_registry: "{{ zuul_site_mirror_fqdn }}:4447"
-docker_registry_insecure: no
docker_namespace: openstack.kolla
{% if docker_image_tag_suffix %}
openstack_tag_suffix: "{{ docker_image_tag_suffix }}"