allowedRegistriesForImport
Use the following procedure to configure image registries.
The image.config.openshift.io/cluster
resource holds cluster-wide information about how to handle images. The canonical, and only valid name is cluster
. Its spec
offers the following configuration parameters.
Parameters such as |
Parameter | Description |
---|---|
|
Limits the container image registries from which normal users can import images. Set this list to the registries that you trust to contain valid images, and that you want applications to be able to import from. Users with permission to create images or Every element of this list contains a location of the registry specified by the registry domain name.
|
|
A reference to a config map containing additional CAs that should be trusted during The namespace for this config map is |
|
Provides the hostnames for the default external image registry. The external hostname should be set only when the image registry is exposed externally. The first value is used in |
|
Contains configuration that determines how the container runtime should treat individual registries when accessing images for builds and pods. For instance, whether or not to allow insecure access. It does not contain configuration for the internal cluster registry.
Either |
When the |
The status
field of the image.config.openshift.io/cluster
resource holds observed values from the cluster.
Parameter | Description |
---|---|
|
Set by the Image Registry Operator, which controls the |
|
Set by the Image Registry Operator, provides the external hostnames for the image registry when it is exposed externally. The first value is used in |
You can configure image registry settings by editing the image.config.openshift.io/cluster
custom resource (CR).
When changes to the registry are applied to the image.config.openshift.io/cluster
CR, the Machine Config Operator (MCO) performs the following sequential actions:
Cordons the node
Applies changes by restarting CRI-O
Uncordons the node
The MCO does not restart nodes when it detects changes. |
Edit the image.config.openshift.io/cluster
custom resource:
$ oc edit image.config.openshift.io/cluster
The following is an example image.config.openshift.io/cluster
CR:
apiVersion: config.openshift.io/v1
kind: Image (1)
metadata:
annotations:
release.openshift.io/create-only: "true"
creationTimestamp: "2019-05-17T13:44:26Z"
generation: 1
name: cluster
resourceVersion: "8302"
selfLink: /apis/config.openshift.io/v1/images/cluster
uid: e34555da-78a9-11e9-b92b-06d6c7da38dc
spec:
allowedRegistriesForImport: (2)
- domainName: quay.io
insecure: false
additionalTrustedCA: (3)
name: myconfigmap
registrySources: (4)
allowedRegistries:
- example.com
- quay.io
- registry.redhat.io
- image-registry.openshift-image-registry.svc:5000
- reg1.io/myrepo/myapp:latest
insecureRegistries:
- insecure.com
status:
internalRegistryHostname: image-registry.openshift-image-registry.svc:5000
1 | Image : Holds cluster-wide information about how to handle images. The canonical, and only valid name is cluster . |
2 | allowedRegistriesForImport : Limits the container image registries from which normal users may import images. Set this list to the registries that you trust to contain valid images, and that you want applications to be able to import from. Users with permission to create images or ImageStreamMappings from the API are not affected by this policy. Typically only cluster administrators have the appropriate permissions. |
3 | additionalTrustedCA : A reference to a config map containing additional certificate authorities (CA) that are trusted during image stream import, pod image pull, openshift-image-registry pullthrough, and builds. The namespace for this config map is openshift-config . The format of the config map is to use the registry hostname as the key, and the PEM certificate as the value, for each additional registry CA to trust. |
4 | registrySources : Contains configuration that determines whether the container runtime allows or blocks individual registries when accessing images for builds and pods. Either the allowedRegistries parameter or the blockedRegistries parameter can be set, but not both. You can also define whether or not to allow access to insecure registries or registries that allow registries that use image short names. This example uses the allowedRegistries parameter, which defines the registries that are allowed to be used. The insecure registry insecure.com is also allowed. The registrySources parameter does not contain configuration for the internal cluster registry. |
When the When using the Insecure external registries should be avoided to reduce possible security risks. |
To check that the changes are applied, list your nodes:
$ oc get nodes
NAME STATUS ROLES AGE VERSION
ip-10-0-137-182.us-east-2.compute.internal Ready,SchedulingDisabled worker 65m v1.25.4+77bec7a
ip-10-0-139-120.us-east-2.compute.internal Ready,SchedulingDisabled control-plane 74m v1.25.4+77bec7a
ip-10-0-176-102.us-east-2.compute.internal Ready control-plane 75m v1.25.4+77bec7a
ip-10-0-188-96.us-east-2.compute.internal Ready worker 65m v1.25.4+77bec7a
ip-10-0-200-59.us-east-2.compute.internal Ready worker 63m v1.25.4+77bec7a
ip-10-0-223-123.us-east-2.compute.internal Ready control-plane 73m v1.25.4+77bec7a
You can add a list of registries, and optionally an individual repository within a registry, that are permitted for image pull and push actions by editing the image.config.openshift.io/cluster
custom resource (CR). OpenShift Container Platform applies the changes to this CR to all nodes in the cluster.
When pulling or pushing images, the container runtime searches the registries listed under the registrySources
parameter in the image.config.openshift.io/cluster
CR. If you created a list of registries under the allowedRegistries
parameter, the container runtime searches only those registries. Registries not in the list are blocked.
When the |
Edit the image.config.openshift.io/cluster
CR:
$ oc edit image.config.openshift.io/cluster
The following is an example image.config.openshift.io/cluster
CR with an allowed list:
apiVersion: config.openshift.io/v1
kind: Image
metadata:
annotations:
release.openshift.io/create-only: "true"
creationTimestamp: "2019-05-17T13:44:26Z"
generation: 1
name: cluster
resourceVersion: "8302"
selfLink: /apis/config.openshift.io/v1/images/cluster
uid: e34555da-78a9-11e9-b92b-06d6c7da38dc
spec:
registrySources: (1)
allowedRegistries: (2)
- example.com
- quay.io
- registry.redhat.io
- reg1.io/myrepo/myapp:latest
- image-registry.openshift-image-registry.svc:5000
status:
internalRegistryHostname: image-registry.openshift-image-registry.svc:5000
1 | Contains configurations that determine how the container runtime should treat individual registries when accessing images for builds and pods. It does not contain configuration for the internal cluster registry. |
2 | Specify registries, and optionally a repository in that registry, to use for image pull and push actions. All other registries are blocked. |
Either the |
The Machine Config Operator (MCO) watches the image.config.openshift.io/cluster
resource for any changes to the registries. When the MCO detects a change, it drains the nodes, applies the change, and uncordons the nodes. After the nodes return to the Ready
state, the allowed registries list is used to update the image signature policy in the /host/etc/containers/policy.json
file on each node.
To check that the registries have been added to the policy file, use the following command on a node:
$ cat /host/etc/containers/policy.json
The following policy indicates that only images from the example.com, quay.io, and registry.redhat.io registries are permitted for image pulls and pushes:
{
"default":[
{
"type":"reject"
}
],
"transports":{
"atomic":{
"example.com":[
{
"type":"insecureAcceptAnything"
}
],
"image-registry.openshift-image-registry.svc:5000":[
{
"type":"insecureAcceptAnything"
}
],
"insecure.com":[
{
"type":"insecureAcceptAnything"
}
],
"quay.io":[
{
"type":"insecureAcceptAnything"
}
],
"reg4.io/myrepo/myapp:latest":[
{
"type":"insecureAcceptAnything"
}
],
"registry.redhat.io":[
{
"type":"insecureAcceptAnything"
}
]
},
"docker":{
"example.com":[
{
"type":"insecureAcceptAnything"
}
],
"image-registry.openshift-image-registry.svc:5000":[
{
"type":"insecureAcceptAnything"
}
],
"insecure.com":[
{
"type":"insecureAcceptAnything"
}
],
"quay.io":[
{
"type":"insecureAcceptAnything"
}
],
"reg4.io/myrepo/myapp:latest":[
{
"type":"insecureAcceptAnything"
}
],
"registry.redhat.io":[
{
"type":"insecureAcceptAnything"
}
]
},
"docker-daemon":{
"":[
{
"type":"insecureAcceptAnything"
}
]
}
}
}
If your cluster uses the For example:
|
You can block any registry, and optionally an individual repository within a registry, by editing the image.config.openshift.io/cluster
custom resource (CR). OpenShift Container Platform applies the changes to this CR to all nodes in the cluster.
When pulling or pushing images, the container runtime searches the registries listed under the registrySources
parameter in the image.config.openshift.io/cluster
CR. If you created a list of registries under the blockedRegistries
parameter, the container runtime does not search those registries. All other registries are allowed.
To prevent pod failure, do not add the |
Edit the image.config.openshift.io/cluster
CR:
$ oc edit image.config.openshift.io/cluster