Image
Use the following procedure to configure image registries.
The image.config.openshift.io/cluster
resource offers the following
configuration parameters.
Parameter | Description |
---|---|
|
Holds cluster-wide information about how to handle images. The canonical, and
only valid name is
|
|
The namespace for this configmap is
|
|
|
|
Contains a location of the registry specified by the registry domain name. The domain name might include wildcards.
|
|
Holds cluster-wide information about how to handle the registries config.
Only one of |
You can configure image registry settings by editing the
image.config.openshift.io/cluster
resource. The
Machine Config Operator (MCO) watches the
`image.config.openshift.io/cluster`for any changes to registries
and reboots the nodes when it detects changes.
Edit the image.config.openshift.io/cluster
custom resource:
$ oc edit image.config.openshift.io/cluster
The following is an example image.config.openshift.io/cluster
resource:
apiVersion: config.openshift.io/v1
kind: Image(1)
metadata:
annotations:
release.openshift.io/create-only: "true"
creationTimestamp: "2019-05-17T13:44:26Z"
generation: 1
name: cluster
resourceVersion: "8302"
selfLink: /apis/config.openshift.io/v1/images/cluster
uid: e34555da-78a9-11e9-b92b-06d6c7da38dc
spec:
allowedRegistriesForImport:(2)
- domainName: quay.io
insecure: false
additionalTrustedCA:(3)
name: myconfigmap
registrySources:(4)
insecureRegistries:(5)
- insecure.com
blockedRegistries:(6)
- untrusted.com
status:
internalRegistryHostname: image-registry.openshift-image-registry.svc:5000
1 | Image : Holds cluster-wide information about how to handle images. The
canonical, and only valid name is cluster . |
2 | allowedRegistriesForImport : Limits the container image registries from which
normal users may import images. Set this list to the registries that you trust
to contain valid images, and that you want applications to be able to
import from. Users with permission to create images or ImageStreamMappings
from the API are not affected by this policy. Typically only cluster
administrators will have the appropriate permissions. |
3 | additionalTrustedCA : A reference to a configmap containing additional CAs that
should be trusted during ImageStream import , pod image pull ,
openshift-image-registry pullthrough , and builds. The namespace for this configmap is
openshift-config . The format of the configmap is to use the registry hostname
as the key, and the base64-encoded certificate as the value, for each additional
registry CA to trust. |
4 | registrySources : Contains configuration that determines how the container
runtime should treat individual registries when accessing images for builds and
pods. For instance, whether or not to allow insecure access. It does not contain
configuration for the internal cluster registry. |
5 | insecureRegistries : Registries which do not have a valid TLS certificate or
only support HTTP connections. |
6 | blockedRegistries : Blacklisted for image pull and push actions. All other
registries are allowed. |
You can add insecure registries or block any registry by editing the image.config.openshift.io/cluster
custom resource (CR).
OpenShift Container Platform applies the changes to this CR to all nodes in the cluster.
Insecure external registries, such as those do not have a valid TLS certificate or only support HTTP connections, should be avoided.
Edit the image.config.openshift.io/cluster
custom resource:
$ oc edit image.config.openshift.io/cluster
The following is an example image.config.openshift.io/cluster
resource:
apiVersion: config.openshift.io/v1
kind: Image
metadata:
annotations:
release.openshift.io/create-only: "true"
creationTimestamp: "2019-05-17T13:44:26Z"
generation: 1
name: cluster
resourceVersion: "8302"
selfLink: /apis/config.openshift.io/v1/images/cluster
uid: e34555da-78a9-11e9-b92b-06d6c7da38dc
spec:
allowedRegistriesForImport:
- domainName: quay.io
insecure: false
additionalTrustedCA:
name: myconfigmap
registrySources:
insecureRegistries:(1)
- insecure.com
blockedRegistries:(2)
- untrusted.com
status:
internalRegistryHostname: image-registry.openshift-image-registry.svc:5000
1 | Specify an insecure registry. |
2 | Specify any registries that should be blacklisted for image pull and push actions. All other registries are allowed. |
The Machine Config Operator (MCO) watches the image.config.openshift.io/cluster
for any changes to registries and reboots the nodes when it detects changes.
Changes to the registries appear in the /host/etc/containers/registries.conf file on each node.
cat /host/etc/containers/registries.conf [registries] [registries.search] registries = ["registry.access.redhat.com", "docker.io"] [registries.insecure] registries = ["insecure.com"] [registries.block] registries = ["untrusted.com"]