You can configure the registries allowed for import in the master-config.yaml
imagePolicyConfig:allowedRegistriesForImport section, as demonstrated in
the following example. If the setting is not present, all images are allowed,
which is the default.
Example 1. Example Configuration of Registries Allowed for Import
imagePolicyConfig:
  allowedRegistriesForImport:
  - domainName: registry.access.redhat.com   # (1)
  - domainName: "*.mydomain.com"
    insecure: true                            # (2)
  - domainName: local.registry.corp:5000      # (3)
(1) Allow any image from the specified secure registry.
(2) Allow any image from any insecure registry hosted on any sub-domain of mydomain.com. The mydomain.com registry itself is not whitelisted.
(3) Allow any image from the given registry with port specified.
Each rule is composed of the following attributes:
domainName: is a hostname optionally terminated by a :<port> suffix where special wildcard characters ( *) are recognized. The former matches a sequence of characters of any length while the latter matches exactly one character. The wildcard characters can be present both before and after the : separator. The wildcards apply only to the part before or after the separator regardless of the separator's presence.
insecure: is a boolean used to decide which ports are matched if the :<port> part is missing from domainName. If true, the domainName will match registries with a :80 suffix or an unspecified port as long as the insecure flag is used during import. If false, registries with a :443 suffix or an unspecified port will be matched.
If a rule should match both secure and insecure ports of the same domain, the rule must be listed twice (once with insecure=true and once with insecure=false).
Unqualified image references are qualified to docker.io before any rule evaluation. To whitelist them, use domainName: docker.io.
A domainName: * rule matches any registry hostname, but the port is still restricted to 443. To match an arbitrary registry serving on an arbitrary port, use domainName: *:*.
oc tag --insecure reg.mydomain.com/app:v1 app:v1 is whitelisted by the handling of the *.mydomain.com rule.
oc import-image --from reg1.mydomain.com:80/foo foo:latest will also be whitelisted.
oc tag local.registry.corp/bar bar:latest will be rejected because the port does not match 5000 in the third rule.
Rejected image imports will generate error messages similar to the following text:
The ImageStream "bar" is invalid:
* spec.tags[latest].from.name: Forbidden: registry "local.registry.corp" not allowed by whitelist: "local.registry.corp:5000", "*.mydomain.com:80", "registry.access.redhat.com:443"
* status.tags[latest].items.dockerImageReference: Forbidden: registry "local.registry.corp" not allowed by whitelist: "local.registry.corp:5000", "*.mydomain.com:80", "registry.access.redhat.com:443"
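
The rule evaluation described above, modelled in Python as an added example (not OpenShift's own code), so a policy can be checked against image references before it is deployed. The helper names are hypothetical, only the `*` wildcard is handled, and an unspecified port is assumed to resolve to 80 when the insecure flag is used and to 443 otherwise.

```python
import re

# Rules from the example configuration on this page.
RULES = [
    {"domainName": "registry.access.redhat.com"},
    {"domainName": "*.mydomain.com", "insecure": True},
    {"domainName": "local.registry.corp:5000"},
]


def _glob(pattern, value):
    """Match value against pattern, where '*' is any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def registry_of(image_ref):
    """Return the registry part of a reference; unqualified -> docker.io."""
    first, sep, _ = image_ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def is_allowed(image_ref, insecure_flag=False, rules=RULES):
    """Return True if the reference's registry matches any whitelist rule."""
    host, _, port = registry_of(image_ref).partition(":")
    # Assumption: a missing port resolves to 80 with --insecure, else 443.
    port = port or ("80" if insecure_flag else "443")
    for rule in rules:
        r_host, _, r_port = rule["domainName"].partition(":")
        # A rule without a port is pinned to 80 (insecure) or 443 (secure).
        r_port = r_port or ("80" if rule.get("insecure") else "443")
        # Wildcards are applied separately to the host and the port part.
        if _glob(r_host, host) and _glob(r_port, port):
            return True
    return False


if __name__ == "__main__":
    for ref, flag in [("reg.mydomain.com/app:v1", True),
                      ("reg1.mydomain.com:80/foo", False),
                      ("local.registry.corp/bar", False)]:
        print(ref, "allowed" if is_allowed(ref, flag) else "rejected")
```
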