You can configure the registries allowed for import in the
imagePolicyConfig:allowedRegistriesForImport section of master-config.yaml, as
demonstrated in the following example. If the setting is not present, all images are allowed.
Example 1. Example Configuration of Registries Allowed for Import

    imagePolicyConfig:
      allowedRegistriesForImport:
      - domainName: registry.access.redhat.com   # (1)
      - domainName: "*.mydomain.com"
        insecure: true                           # (2)
      - domainName: local.registry.corp:5000     # (3)

(1) Allow any image from the specified secure registry.
(2) Allow any image from any insecure registry hosted on any sub-domain of mydomain.com. The domain mydomain.com itself is not whitelisted.
(3) Allow any image from the given registry with port specified.
Each rule is composed of the following attributes:
domainName: is a hostname optionally terminated by a :<port> suffix, where the special wildcard characters (* and ?) are recognized. The * character matches a sequence of characters of any length, while the ? character matches exactly one character. The wildcard characters can be present both before and after the : separator. The wildcards apply only to the part before or after the separator, regardless of the separator's presence.
insecure: is a boolean used to decide which ports are matched if the :<port> part is missing from domainName. If true, the domainName will match registries with the :80 suffix or an unspecified port, as long as the insecure flag is used during import. If false, registries with the :443 suffix or an unspecified port will be matched.
If a rule should match both secure and insecure ports of the same domain, the rule must be listed twice (once with insecure=true and once with insecure=false).
Unqualified image references are qualified to docker.io before any rule evaluation. To whitelist them, use domainName: docker.io.
A domainName: * rule matches any registry hostname, but the port is still restricted to 443. To match an arbitrary registry serving on an arbitrary port, use domainName: *:*.
With the rules from the example configuration above:
oc tag --insecure reg.mydomain.com/app:v1 app:v1 is whitelisted by the handling of the *.mydomain.com rule.
oc import-image --from reg1.mydomain.com:80/foo foo:latest will also be whitelisted.
oc tag local.registry.corp/bar bar:latest will be rejected because the port does not match 5000 in the third rule.
Rejected image imports will generate error messages similar to the following text:
The ImageStream "bar" is invalid:
* spec.tags[latest].from.name: Forbidden: registry "local.registry.corp" not allowed by whitelist: "local.registry.corp:5000", "*.mydomain.com:80", "registry.access.redhat.com:443"
* status.tags[latest].items.dockerImageReference: Forbidden: registry "local.registry.corp" not allowed by whitelist: "local.registry.corp:5000", "*.mydomain.com:80", "registry.access.redhat.com:443"
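
The matching rules described above, as an added example (not OpenShift's own code): a small Python evaluator that applies the domainName and insecure semantics to the three rules from the example configuration. The function names are hypothetical, and it assumes the usual Docker heuristic for deciding whether the first path component of an image reference is a registry.

```python
import re

def _glob(pattern, text):
    """Match with only the two wildcards named in the text: * and ?."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, text) is not None

def registry_of(image_ref):
    """Return host[:port] of an image reference; unqualified -> docker.io.

    Assumption: the first path component is a registry when it contains
    '.' or ':' or equals 'localhost' (the usual Docker heuristic).
    """
    first, slash, _ = image_ref.partition("/")
    if slash and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"

def is_allowed(image_ref, rules, insecure_import=False):
    """Apply the whitelist; rules=None models the setting being absent."""
    if rules is None:
        return True  # "If the setting is not present, all images are allowed."
    host, _, port = registry_of(image_ref).partition(":")
    # No port in the reference: 80 for an insecure import, otherwise 443.
    port = port or ("80" if insecure_import else "443")
    for rule in rules:
        r_host, _, r_port = rule["domainName"].partition(":")
        # No port in the rule: the insecure attribute picks 80 or 443.
        r_port = r_port or ("80" if rule.get("insecure") else "443")
        # Wildcards apply to the host part and the port part separately.
        if _glob(r_host, host) and _glob(r_port, port):
            return True
    return False

# The three rules from the example configuration on this page.
RULES = [
    {"domainName": "registry.access.redhat.com"},
    {"domainName": "*.mydomain.com", "insecure": True},
    {"domainName": "local.registry.corp:5000"},
]

if __name__ == "__main__":
    for ref, insecure in [("reg.mydomain.com/app:v1", True),
                          ("reg1.mydomain.com:80/foo", False),
                          ("local.registry.corp/bar", False),
                          ("mydomain.com/app", True)]:
        verdict = "allowed" if is_allowed(ref, RULES, insecure) else "rejected"
        print(f"{ref:28} insecure={insecure!s:5} -> {verdict}")
```

Running a proposed rule set through a check like this before editing master-config.yaml shows which imports a missing port or a missing insecure entry would reject.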