You can configure registries allowed for import in master-config.yaml
under imagePolicyConfig:allowedRegistriesForImport
section as demonstrated in
the following example. If the setting is not present, all images are allowed,
which is the default.
Example 1. Example Configuration of Registries Allowed for Import
imagePolicyConfig:
allowedRegistriesForImport:
-
domainName: registry.redhat.io (1)
-
domainName: *.mydomain.com
insecure: true (2)
-
domainName: local.registry.corp:5000 (3)
1 |
Allow any image from the specified secure registry. |
2 |
Allow any image from any insecure registry hosted on any sub-domain of
mydomain.com . The mydomain.com is not whitelisted. |
3 |
Allow any image from the given registry with port specified. |
Each rule is composed of the following attributes:
-
domainName
: is a hostname optionally terminated by :<port>
suffix
where special wildcard characters (?
, *
) are recognized. The former
matches a sequence of characters of any length while the later matches
exactly one character. The wildcard characters can be present both before and
after :
separator. The wildcards apply only to the part before or after the
separator regardless of separator’s presence.
-
insecure
: is a boolean used to decide which ports are matched if the
:<port>
part is missing from domainName
. If true, the domainName
will match registries with :80
suffix or unspecified port as long as the
insecure flag is used during import. If false, registries with :443
suffix
or unspecified port will be matched.
If a rule should match both secure and insecure ports of the same domain, the
rule must be listed twice (once with insecure=true
and once with
insecure=false
.
Unqualified images references are qualified to docker.io
before any
rule evaluation. To whitelist them, use domainName: docker.io
.
domainName: *
rule matches any registry hostname, but port is still
restricted to 443
. To match arbitrary registry serving on arbitrary port, use
domainName: *:*
.
-
oc tag --insecure reg.mydomain.com/app:v1 app:v1
is whitelisted by the
handling of the mydomain.com
rule
-
oc import-image --from reg1.mydomain.com:80/foo foo:latest
will be also
whitelisted
-
oc tag local.registry.corp/bar bar:latest
will be rejected because the port
does not match 5000
in the third rule
Rejected image imports will generate error messages similar to the following text:
The ImageStream "bar" is invalid:
* spec.tags[latest].from.name: Forbidden: registry "local.registry.corp" not allowed by whitelist: "local.registry.corp:5000", "*.mydomain.com:80", "registry.redhat.io:443"
* status.tags[latest].items[0].dockerImageReference: Forbidden: registry "local.registry.corp" not allowed by whitelist: "local.registry.corp:5000", "*.mydomain.com:80", "registry.redhat.io:443"