Chapter 11. Image [config.openshift.io/v1]
- Description
- Image governs policies related to imagestream imports and runtime configuration for external registries. It allows cluster admins to configure which registries OpenShift is allowed to import images from, extra CA trust bundles for external registries, and policies to block or allow registry hostnames. When exposing OpenShift’s image registry to the public, this also lets cluster admins specify the external hostname. Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
- Type
-
object - Required
-
spec
-
11.1. Specification
| Property | Type | Description |
|---|---|---|
|
|
| APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources |
|
|
| Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds |
|
| Standard object’s metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata | |
|
|
| spec holds user settable values for configuration |
|
|
| status holds observed values from the cluster. They may not be overridden. |
11.1.1. .spec
- Description
- spec holds user settable values for configuration
- Type
-
object
| Property | Type | Description |
|---|---|---|
|
|
| additionalTrustedCA is a reference to a ConfigMap containing additional CAs that should be trusted during imagestream import, pod image pull, build image pull, and imageregistry pullthrough. The namespace for this config map is openshift-config. |
|
|
| allowedRegistriesForImport limits the container image registries that normal users may import images from. Set this list to the registries that you trust to contain valid Docker images and that you want applications to be able to import from. Users with permission to create Images or ImageStreamMappings via the API are not affected by this policy - typically only administrators or system integrations will have those permissions. |
|
|
| RegistryLocation contains a location of the registry specified by the registry domain name. The domain name might include wildcards, like '*' or '??'. |
|
|
| externalRegistryHostnames provides the hostnames for the default external image registry. The external hostname should be set only when the image registry is exposed externally. The first value is used in 'publicDockerImageRepository' field in ImageStreams. The value must be in "hostname[:port]" format. |
|
|
| registrySources contains configuration that determines how the container runtime should treat individual registries when accessing images for builds+pods. (e.g. whether or not to allow insecure access). It does not contain configuration for the internal cluster registry. |
11.1.2. .spec.additionalTrustedCA
- Description
- additionalTrustedCA is a reference to a ConfigMap containing additional CAs that should be trusted during imagestream import, pod image pull, build image pull, and imageregistry pullthrough. The namespace for this config map is openshift-config.
- Type
-
object - Required
-
name
-
| Property | Type | Description |
|---|---|---|
|
|
| name is the metadata.name of the referenced config map |
11.1.3. .spec.allowedRegistriesForImport
- Description
- allowedRegistriesForImport limits the container image registries that normal users may import images from. Set this list to the registries that you trust to contain valid Docker images and that you want applications to be able to import from. Users with permission to create Images or ImageStreamMappings via the API are not affected by this policy - typically only administrators or system integrations will have those permissions.
- Type
-
array
11.1.4. .spec.allowedRegistriesForImport[]
- Description
- RegistryLocation contains a location of the registry specified by the registry domain name. The domain name might include wildcards, like '*' or '??'.
- Type
-
object
| Property | Type | Description |
|---|---|---|
|
|
| domainName specifies a domain name for the registry In case the registry use non-standard (80 or 443) port, the port should be included in the domain name as well. |
|
|
| insecure indicates whether the registry is secure (https) or insecure (http) By default (if not specified) the registry is assumed as secure. |
11.1.5. .spec.registrySources
- Description
- registrySources contains configuration that determines how the container runtime should treat individual registries when accessing images for builds+pods. (e.g. whether or not to allow insecure access). It does not contain configuration for the internal cluster registry.
- Type
-
object
| Property | Type | Description |
|---|---|---|
|
|
| allowedRegistries are the only registries permitted for image pull and push actions. All other registries are denied. Only one of BlockedRegistries or AllowedRegistries may be set. |
|
|
| blockedRegistries cannot be used for image pull and push actions. All other registries are permitted. Only one of BlockedRegistries or AllowedRegistries may be set. |
|
|
| containerRuntimeSearchRegistries are registries that will be searched when pulling images that do not have fully qualified domains in their pull specs. Registries will be searched in the order provided in the list. Note: this search list only works with the container runtime, i.e CRI-O. Will NOT work with builds or imagestream imports. |
|
|
| insecureRegistries are registries which do not have a valid TLS certificates or only support HTTP connections. |
11.1.6. .status
- Description
- status holds observed values from the cluster. They may not be overridden.
- Type
-
object
| Property | Type | Description |
|---|---|---|
|
|
| externalRegistryHostnames provides the hostnames for the default external image registry. The external hostname should be set only when the image registry is exposed externally. The first value is used in 'publicDockerImageRepository' field in ImageStreams. The value must be in "hostname[:port]" format. |
|
|
| internalRegistryHostname sets the hostname for the default internal image registry. The value must be in "hostname[:port]" format. This value is set by the image registry operator which controls the internal registry hostname. |
11.2. API endpoints
The following API endpoints are available:
/apis/config.openshift.io/v1/images-
DELETE: delete collection of Image -
GET: list objects of kind Image -
POST: create an Image
-
/apis/config.openshift.io/v1/images/{name}-
DELETE: delete an Image -
GET: read the specified Image -
PATCH: partially update the specified Image -
PUT: replace the specified Image
-
/apis/config.openshift.io/v1/images/{name}/status-
GET: read status of the specified Image -
PATCH: partially update status of the specified Image -
PUT: replace status of the specified Image
-
11.2.1. /apis/config.openshift.io/v1/images
- HTTP method
-
DELETE - Description
- delete collection of Image
| HTTP code | Reponse body |
|---|---|
| 200 - OK |
|
| 401 - Unauthorized | Empty |
- HTTP method
-
GET - Description
- list objects of kind Image
| HTTP code | Reponse body |
|---|---|
| 200 - OK |
|
| 401 - Unauthorized | Empty |
- HTTP method
-
POST - Description
- create an Image
| Parameter | Type | Description |
|---|---|---|
|
|
| When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed |
|
|
| fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered. |
| Parameter | Type | Description |
|---|---|---|
|
|
|
| HTTP code | Reponse body |
|---|---|
| 200 - OK |
|
| 201 - Created |
|
| 202 - Accepted |
|
| 401 - Unauthorized | Empty |
11.2.2. /apis/config.openshift.io/v1/images/{name}
| Parameter | Type | Description |
|---|---|---|
|
|
| name of the Image |
- HTTP method
-
DELETE - Description
- delete an Image
| Parameter | Type | Description |
|---|---|---|
|
|
| When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed |
| HTTP code | Reponse body |
|---|---|
| 200 - OK |
|
| 202 - Accepted |
|
| 401 - Unauthorized | Empty |
- HTTP method
-
GET - Description
- read the specified Image
| HTTP code | Reponse body |
|---|---|
| 200 - OK |
|
| 401 - Unauthorized | Empty |
- HTTP method
-
PATCH - Description
- partially update the specified Image
| Parameter | Type | Description |
|---|---|---|
|
|
| When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed |
|
|
| fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered. |
| HTTP code | Reponse body |
|---|---|
| 200 - OK |
|
| 401 - Unauthorized | Empty |
- HTTP method
-
PUT - Description
- replace the specified Image
| Parameter | Type | Description |
|---|---|---|
|
|
| When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed |
|
|
| fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered. |
| Parameter | Type | Description |
|---|---|---|
|
|
|
| HTTP code | Reponse body |
|---|---|
| 200 - OK |
|
| 201 - Created |
|
| 401 - Unauthorized | Empty |
11.2.3. /apis/config.openshift.io/v1/images/{name}/status
| Parameter | Type | Description |
|---|---|---|
|
|
| name of the Image |
- HTTP method
-
GET - Description
- read status of the specified Image
| HTTP code | Reponse body |
|---|---|
| 200 - OK |
|
| 401 - Unauthorized | Empty |
- HTTP method
-
PATCH - Description
- partially update status of the specified Image
| Parameter | Type | Description |
|---|---|---|
|
|
| When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed |
|
|
| fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered. |
| HTTP code | Reponse body |
|---|---|
| 200 - OK |
|
| 401 - Unauthorized | Empty |
- HTTP method
-
PUT - Description
- replace status of the specified Image
| Parameter | Type | Description |
|---|---|---|
|
|
| When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed |
|
|
| fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered. |
| Parameter | Type | Description |
|---|---|---|
|
|
|
| HTTP code | Reponse body |
|---|---|
| 200 - OK |
|
| 201 - Created |
|
| 401 - Unauthorized | Empty |
