Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 9. Image configuration resources

Use the following procedure to configure image registries.

The image.config.openshift.io/cluster resource holds cluster-wide information about how to handle images. The resource exists, but it is read only and can only be changed through supported tools like the ROSA CLI (rosa). The canonical and only valid name is cluster. It can be configured in Red Hat OpenShift Service on AWS through rosa commands.

Note

Parameters such as DisableScheduledImport, MaxImagesBulkImportedPerRepository, MaxScheduledImportsPerMinute, ScheduledImageImportMinimumIntervalSeconds, InternalRegistryHostname are not configurable.

Expand
Parameters for ROSA CLIDescription

registry-config-allowed-registries

Registries for which image pull and push actions are allowed. To specify all subdomains, add the asterisk (*) wildcard character as a prefix to the domain name. For example, *.example.com. You can specify an individual repository within a registry. For example, reg1.io/myrepo/myapp:latest. All other registries are blocked. The format should be a comma-separated list of allowed registries. For example, allowed.io, allowed.io2.

registry-config-insecure-registries

Registries which do not have a valid TLS certificate or only support HTTP connections. To specify all subdomains, add the asterisk (*) wildcard character as a prefix to the domain name. For example, *.example.com. You can specify an individual repository within a registry. For example, reg1.io/myrepo/myapp:latest. The format should be a comma-separated list of insecure registries. For example, insecure.io, insecure.io2.

registry-config-blocked-registries

Registries for which image pull and push actions are denied. To specify all subdomains, add the asterisk (*) wildcard character as a prefix to the domain name. For example, *.example.com. You can specify an individual repository within a registry. For example, reg1.io/myrepo/myapp:latest. All other registries are allowed. The format should be a comma-separated list of blocked registries. For example, blocked.io, blocked.io2.

registry-config-allowed-registries-for-import

Contains configuration that determines how the container runtime should treat individual registries when accessing images for builds and pods. For example, whether or not to allow insecure access. It does not contain configuration for the internal cluster registry. Limits the container image registries from which normal users can import images. The format should be a comma-separated list of domainName:insecure. domainName specifies a domain name for the registry. insecure indicates whether the registry is secure or insecure.

registry-config-additional-trusted-ca

A JSON file containing the registry hostname as the key, and the PEM-encoded certificate as the value, for each additional registry CA to trust.

Warning

When the allowedRegistries parameter is defined, all registries are blocked unless explicitly listed. To prevent pod failure, a list of Red Hat registries is automatically whitelisted, as they are required by payload images within your environment. The current list consists of image-registry.openshift-image-registry.svc:5000,quay.io,registry.redhat.io and it is also visible when running the rosa describe cluster command.

You can configure image registry settings at cluster creation. The cluster’s nodes will use the required configuration after creation.

Procedure

  • Create Red Hat OpenShift Service on AWS clusters with image registry by running the following command: 

    $ rosa create cluster —cluster-name=<cluster_name> --sts --mode=auto \
   --hosted-cp --operator-roles-prefix <operator_role_prefix> \
   --oidc-config-id <id_of_oidc_configuration> \
   --subnet-ids=<public_subnet_id>,<private_subnet_id> \
   --registry-config-insecure-registries <insecure_registries> \
   --registry-config-allowed-registries <allowed_registries> \
   --registry-config-allowed-registries-for-import <registry_name:insecure> \
   --registry-config-additional-trusted-ca <additional_trusted_ca_file>
    Copy to Clipboard Toggle word wrap
    Note

    When using the allowedRegistries, blockedRegistries, or insecureRegistries parameter, you can specify an individual repository within a registry. For example: reg1.io/myrepo/myapp:latest.

    Avoid insecure external registries to reduce possible security risks. Parameters allowedRegistries, blockedRegistries are mutually exclusive.

Verification

  1. Run the rosa describe command to verify that your image registry is enabled by running the following command: 

    $ rosa describe cluster --cluster=<cluster_name>
    Copy to Clipboard Toggle word wrap

    Example output

    Name:                       rosa-hcp-test
Domain Prefix:              rosa-hcp-test
Display Name:               rosa-hcp-test
ID:                         <cluster_hcp_id>
External ID:                <cluster_hcp_id>
Control Plane:              ROSA Service Hosted
OpenShift Version:          4.Y.Z
Channel Group:              stable
DNS:                        <dns>
AWS Account:                <aws_id>
AWS Billing Account:        <aws_id>
API URL:                    <ocm_api>
Console URL:
Region:                     us-east-1
Availability:
 - Control Plane:           MultiAZ
 - Data Plane:              SingleAZ
Nodes:
 - Compute (desired):       2
 - Compute (current):       2
Network:
 - Type:                    OVNKubernetes
 - Service CIDR:            <service_cidr>
 - Machine CIDR:            <machine_cidr>
 - Pod CIDR:                <pod_cidr>
 - Host Prefix:             /23
 - Subnets:                 <subnet_ids>
EC2 Metadata Http Tokens:   optional
Role (STS) ARN:             arn:aws:iam::<aws_id>:role/<account_roles_prefix>-HCP-ROSA-Installer-Role
Support Role ARN:           arn:aws:iam::<aws_id>:role/<account_roles_prefix>-HCP-ROSA-Support-Role
Instance IAM Roles:
 - Worker:                  arn:aws:iam::<aws_id>:role/<account_roles_prefix>-HCP-ROSA-Worker-Role
Operator IAM Roles:
 - arn:aws:iam::<aws_id>:role/<operator_roles_prefix>-kube-system-capa-controller-manager
 - arn:aws:iam::<aws_id>:role/<operator_roles_prefix>-kube-system-control-plane-operator
 - arn:aws:iam::<aws_id>:role/<operator_roles_prefix>-kube-system-kms-provider
 - arn:aws:iam::<aws_id>:role/<operator_roles_prefix>-openshift-image-registry-installer-cloud-cred
 - arn:aws:iam::<aws_id>:role/<operator_roles_prefix>-openshift-ingress-operator-cloud-credentials
 - arn:aws:iam::<aws_id>:role/<operator_roles_prefix>-openshift-cluster-csi-drivers-ebs-cloud-credent
 - arn:aws:iam::<aws_id>:role/<operator_roles_prefix>-openshift-cloud-network-config-controller-cloud
Managed Policies:           Yes
State:                      ready
Private:                    No
Delete Protection:          Disabled
Created:                    Oct 01 2030 09:48:52 UTC
User Workload Monitoring:   Enabled
OIDC Endpoint URL:          https://<endpoint> (Managed)
Audit Log Forwarding:       Disabled
External Authentication:    Disabled
Etcd Encryption:            Disabled
Registry Configuration:
 - Allowed Registries: <allowed_registry>
 - Insecure Registries: <insecure_registry>
 - Allowed Registries for Import:
    - Domain Name: <domain_name>
    - Insecure: true
 - Platform Allowlist: <platform_allowlist_id>
    - Registries:      <list_of_registries>
 - Additional Trusted CA:
    - <registry_name> : REDACTED
    Copy to Clipboard Toggle word wrap

    where:

    • Allowed Registries:: A comma-separated list of registries for which image pull and push actions are allowed.
    • Blocked Registries:: A comma-separated list of registries for which image pull and push actions are blocked. Parameters allowedRegistries, blockedRegistries are mutually exclusive.
    • Insecure Registries:: A comma-separated list of registries which do not have a valid TLS certificate or only support HTTP connections.
    • Allowed Registries for Import:: Limits the container image registries from which normal users can import images. The format should be a comma-separated list of domainName:insecure.
    • domainName:: Specifies a domain name for the registry.
    • insecure:: Indicates whether the registry is secure or insecure.
    • Platform Allowlist:: A reference to the id of the list of registries that needs to be whitelisted for the platform to work.
    • Registries:: The list of registries that needs to be whitelisted for the platform to work.
    • Additional Trusted CA:: A JSON file containing the registry hostname as the key, and the PEM-encoded certificate as the value, for each additional registry CA to trust.

  2. List your nodes to check the applied changes by running the following command: 

    $ oc get nodes
    Copy to Clipboard Toggle word wrap

    Example output

    NAME                                         STATUS                     ROLES                  AGE   VERSION
ip-10-0-137-182.us-east-2.compute.internal   Ready,SchedulingDisabled   worker                 65m   v1.34.2
ip-10-0-188-96.us-east-2.compute.internal    Ready                      worker                 65m   v1.34.2
ip-10-0-200-59.us-east-2.compute.internal    Ready                      worker                 63m   v1.34.2
    Copy to Clipboard Toggle word wrap

You can change the image registry config with the rosa edit command.

Warning

When the allowedRegistries parameter is defined, all registries are blocked unless explicitly listed. To prevent pod failure, a list of Red Hat registries is automatically whitelisted, as they are required by payload images within your environment. The current list consists of image-registry.openshift-image-registry.svc:5000,quay.io,registry.redhat.io and it is also visible when running the rosa describe cluster command.

Note

You can change any registry-related parameter, which will trigger a rollout across all machine pools; all machine pool nodes will be recreated, following pod draining from each node.

Procedure

  • Update or edit the image registry for the cluster by running the following command: 

    $ rosa edit cluster --registry-config-insecure-registries <insecure_registries> \
   --registry-config-allowed-registries <allowed_registries> \
   --registry-config-allowed-registries-for-import <registry_name:insecure> \
   --registry-config-additional-trusted-ca <additional_trusted_ca_file>
    Copy to Clipboard Toggle word wrap

    Example output

    ? Changing any registry related parameter will trigger a rollout across all machinepools
(all machinepool nodes will be recreated, following pod draining from each node).
Do you want to proceed? Yes
I: Updated cluster '<cluster_name>'
    Copy to Clipboard Toggle word wrap

Verification

  • Run the rosa describe command again, to see if the changes you made to your image registry updated by running the following command: 

    $ rosa describe cluster --cluster=<cluster_name>
    Copy to Clipboard Toggle word wrap

    Example output

    Name:                       rosa-hcp-test
Domain Prefix:              rosa-hcp-test
Display Name:               rosa-hcp-test
ID:                         <cluster_hcp_id>
External ID:                <cluster_hcp_id>
Control Plane:              ROSA Service Hosted
OpenShift Version:          4.Y.Z
Channel Group:              stable
DNS:                        <dns>
AWS Account:                <aws_id>
AWS Billing Account:        <aws_id>
API URL:                    <ocm_api>
Console URL:
Region:                     us-east-1
Availability:
 - Control Plane:           MultiAZ
 - Data Plane:              SingleAZ

Nodes:
 - Compute (desired):       2
 - Compute (current):       2
Network:
 - Type:                    OVNKubernetes
 - Service CIDR:            <service_cidr>
 - Machine CIDR:            <machine_cidr>
 - Pod CIDR:                <pod_cidr>
 - Host Prefix:             /23
 - Subnets:                 <subnet_ids>
EC2 Metadata Http Tokens:   optional
Role (STS) ARN:             arn:aws:iam::<aws_id>:role/<account_roles_prefix>-HCP-ROSA-Installer-Role
Support Role ARN:           arn:aws:iam::<aws_id>:role/<account_roles_prefix>-HCP-ROSA-Support-Role
Instance IAM Roles:
 - Worker:                  arn:aws:iam::<aws_id>:role/<account_roles_prefix>-HCP-ROSA-Worker-Role
Operator IAM Roles:
 - arn:aws:iam::<aws_id>:role/<operator_roles_prefix>-kube-system-capa-controller-manager
 - arn:aws:iam::<aws_id>:role/<operator_roles_prefix>-kube-system-control-plane-operator
 - arn:aws:iam::<aws_id>:role/<operator_roles_prefix>-kube-system-kms-provider
 - arn:aws:iam::<aws_id>:role/<operator_roles_prefix>-openshift-image-registry-installer-cloud-cred
 - arn:aws:iam::<aws_id>:role/<operator_roles_prefix>-openshift-ingress-operator-cloud-credentials
 - arn:aws:iam::<aws_id>:role/<operator_roles_prefix>-openshift-cluster-csi-drivers-ebs-cloud-credent
 - arn:aws:iam::<aws_id>:role/<operator_roles_prefix>-openshift-cloud-network-config-controller-cloud
Managed Policies:           Yes
State:                      ready
Private:                    No
Delete Protection:          Disabled
Created:                    Oct 01 2030 09:48:52 UTC
User Workload Monitoring:   Enabled
OIDC Endpoint URL:          https://<endpoint> (Managed)
Audit Log Forwarding:       Disabled
External Authentication:    Disabled
Etcd Encryption:            Disabled
Registry Configuration:
 - Allowed Registries: <allowed_registry>
 - Insecure Registries: <insecure_registry>
 - Allowed Registries for Import:
    - Domain Name: <domain_name>
    - Insecure: true
 - Platform Allowlist: <platform_allowlist_id>
    - Registries:      <list_of_registries>
 - Additional Trusted CA:
    - <registry_name> : REDACTED
    Copy to Clipboard Toggle word wrap

    where:

    Allowed Registries
    A comma-separated list of registries for which image pull and push actions are allowed.
    Blocked Registries
    A comma-separated list of registries for which image pull and push actions are blocked. Parameters allowedRegistries, blockedRegistries are mutually exclusive.
    Insecure Registries
    A comma-separated list of registries which do not have a valid TLS certificate or only support HTTP connections.
    Allowed Registries for Import
    Limits the container image registries from which normal users can import images. The format should be a comma-separated list of domainName:insecure.
    domainName
    Specifies a domain name for the registry.
    insecure
    Indicates whether the registry is secure or insecure.
    Platform Allowlist
    A reference to the id of the list of registries that needs to be whitelisted for the platform to work.
    Registries
    The list of registries that needs to be whitelisted for the platform to work.
    Additional Trusted CA
    A JSON file containing the registry hostname as the key, and the PEM-encoded certificate as the value, for each additional registry CA to trust.

A list of Red Hat registries is automatically allowed and it is visible when running rosa describe cluster. This list can be periodically updated to ensure platform can be operated correctly. Impacted clusters will receive a notification with the new allowlist ID. In such cases, the user must use this parameter to update from the previous expected ID to the newly expected ID.

Procedure

  • Update or edit the image registry for the cluster by running the following command: 

    $ rosa edit cluster --registry-config-platform-allowlist <newID>
    Copy to Clipboard Toggle word wrap

You can configure an existing Red Hat OpenShift Service on AWS cluster to pull images from a mirrored registry by using the ImageDigestMirrorSet (IDMS) object.

Important

The image mirror configuration feature operates exclusively with image references by digest, meaning that image mirroring will only activate when an image is pulled using its unique and immutable ID. Any image references using a mutable tag are currently not supported by this functionality.

IDMS defines a set of cluster-wide policies for registry mirroring that makes image downloads faster, more reliable and more secure. It works by intercepting any image pull request that identifies an image by its unique, content-addressable digest. Based on these policies, the IDMS transparently redirects the pull operation from its specified source registry to one or more designated mirror registries. For the developer, this means their request—still pointing to the original source—is automatically fulfilled by a faster, closer mirror, significantly improving deployment speed without requiring any changes to their workflow.

Prerequisites

To configure an existing Red Hat OpenShift Service on AWS cluster to pull images from a mirrored registry by using the ImageDigestMirrorSet (IDMS) object, you must meet the following prerequisites:

  • You have installed and configured the latest ROSA command-line interface (CLI) (rosa) on your installation host.
  • You have installed a Red Hat OpenShift Service on AWS cluster.
  • The Red Hat OpenShift Service on AWS cluster must be in a Ready state to create, edit, list, or delete image mirrors.
  • You have access to the mirror registries you want to configure.
  • You have the required IAM permissions to manage cluster configurations. For more information, see "About IAM resources" in the Additional resources section.

The benefits of configuring your Red Hat OpenShift Service on AWS cluster to pull images from a mirrored registry using IDMS include:

  • Enhanced Security: By forcing image pulls from a private, mirrored registry, you can scan and approve all images for vulnerabilities before they ever enter your cluster.
  • Improved Cluster Reliability: A local mirror guarantees stable and predictable cluster performance by eliminating reliance on public internet pathways.
  • Guaranteed Image Consistency: IDMS uses image digests to reference images, which ensures that every node in the cluster pulls the same version of an image, preventing inconsistencies which could lead to deployment failures.

9.4.1. Creating an image mirror configuration
Copy link

You can create an image mirror configuration for a Red Hat OpenShift Service on AWS cluster with the ROSA command-line interface (CLI) (rosa) tool.

Important

The source registry cannot be modified after creation. You must delete and recreate the image mirror to change the source.

Procedure

  • Run the following command to create an image mirror configuration: 

    $ rosa create image-mirror [arguments]
    Copy to Clipboard Toggle word wrap
    Expand
    Table 9.1. Arguments
    OptionDefinition

    --cluster

    Required: The name or ID of the cluster the mirror configuration will be applied to.

    --source

    Required: The source registry that will be mirrored.

    --mirrors

    Required: List of mirror registries. Mirror registries must be comma-separated.

    --type=digest

    Optional: Type of image mirror. The digest type is set by default and the only available type option.

    --profile

    Optional: Specifies an AWS profile (string) from your credentials file.

    --region

    Optional:Specifies an AWS region, overriding the AWS_REGION environment variable.

    Examples

    Creates an image mirror configuration for a cluster named mycluster. 

    $ rosa create image-mirror --cluster=mycluster \
  --source=registry.example.com/team \
  --mirrors=mirror.corp.com/team,backup.corp.com/team
    Copy to Clipboard Toggle word wrap

    Example Output

    I: Image mirror with ID 'abc123def456' has been created on cluster 'mycluster'
I: Source: registry.example.com/team
I: Mirrors: [mirror.corp.com/team backup.corp.com/team]
    Copy to Clipboard Toggle word wrap

    Note

    An ID is automatically generated and assigned to an image mirror during image mirror configuration creation.

  • Run the following command to create an image mirror configuration with a specific type: 

    $ rosa create image-mirror --cluster=mycluster \
  --type=digest --source=docker.io/library \
  --mirrors=internal-registry.company.com/dockerhub
    Copy to Clipboard Toggle word wrap
    Note

    The digest type is set by default and the only available type option.

  • Run the following command to create a single image mirror configuration with multiple mirrors for a cluster: 

    $ rosa create image-mirror --cluster=mycluster \
  --source=quay.io/openshift \
  --mirrors=mirror1.company.com/openshift,mirror2.company.com/openshift,mirror3.company.com/openshift
    Copy to Clipboard Toggle word wrap

9.4.2. Editing an image mirroring configuration
Copy link

You can edit an image mirror configuration for a Red Hat OpenShift Service on AWS cluster with the ROSA command-line interface (CLI) (rosa) tool.

Note

When editing an image mirror configuration, the new mirrors list completely replaces the existing mirrors list.

Procedure

  1. Run the following command to edit an image mirror configuration: 

    $ rosa edit image-mirror [arguments]
    Copy to Clipboard Toggle word wrap
    Expand
    Table 9.2. Arguments
    OptionDefinition

    --cluster

    Required: The name or ID (string) of the cluster to which the image mirror configuration applies.

    --mirrors

    Required: New list of mirror registries that replaces current mirror registries. Mirror registries must be comma-separated.

    --id

    Required: ID of the image mirror configuration to edit.

    --profile

    Optional: Use a specific AWS profile from your credential file.

    --region

    Optional: Use a specific AWS region, overriding the AWS_REGION environment variable.

  2. Run the following command to replace a single mirror on an image mirror configuration: 

    $ rosa edit image-mirror --cluster=mycluster --id=abc123def456 \
  --mirrors=single-mirror.company.com/team
    Copy to Clipboard Toggle word wrap

    Example Output

    I: Image mirror 'abc123def456' has been updated on cluster 'mycluster'
I: Source: registry.example.com/team
I: Updated mirrors: [mirror.corp.com/team backup.corp.com/team new-mirror.corp.com/team]
    Copy to Clipboard Toggle word wrap

  3. Run the following command to replace all mirrors on an image mirror configuration: 

    $ rosa edit image-mirror --cluster=mycluster --id=abc123def456 \
  --mirrors=new-primary.company.com/team,new-secondary.company.com/team
    Copy to Clipboard Toggle word wrap

9.4.3. Listing all image mirror configurations
Copy link

You can list all image mirror configurations from a Red Hat OpenShift Service on AWS cluster with the ROSA command-line interface (CLI) (rosa).

Procedure

  1. Run the following command to list all image mirror configurations for a Red Hat OpenShift Service on AWS cluster: 

    $ rosa list image-mirrors [arguments]
    Copy to Clipboard Toggle word wrap
    Expand
    Table 9.3. Arguments

    Option

    Definition

    --cluster

    Required: Name or ID of the cluster.

    --output

    Optional: Output format. Allowed formats are json, yaml

    --profile

    Optional: Use a specific AWS profile from your credential file.

    --region

    Optional: Use a specific AWS region, overriding the AWS_REGION environment variable.

  2. Run the following command to list all image mirror configurations for a cluster: 

    $ rosa list image-mirrors --cluster=mycluster
    Copy to Clipboard Toggle word wrap

    Example Outputs

    ID              TYPE    SOURCE                    MIRRORS
abc123def456    digest  registry.example.com/team mirror.corp.com/team, backup.corp.com/
    Copy to Clipboard Toggle word wrap

9.4.4. Deleting an image mirror configuration
Copy link

You can delete an image mirror configuration from a Red Hat OpenShift Service on AWS cluster with the ROSA command-line interface (CLI) (rosa).

Note

Delete operations require confirmation unless the --yes or --y argument is used.

Procedure

  1. Run the following command to delete an image mirror configuration from a Red Hat OpenShift Service on AWS cluster: 

    $ rosa delete image-mirror [arguments]
    Copy to Clipboard Toggle word wrap
    Expand
    Table 9.4. Arguments
    OptionDefinition

    --cluster

    Required: The name or ID (string) of the cluster that the image mirror configuration will be deleted from.

    --id

    Required: ID of the image mirror configuration to delete.

    --yes, -y

    Optional: Automatically answers "yes" to confirm deletion.

    --profile

    Optional: Use a specific AWS profile from your credential file.

    --region

    Optional: Use a specific AWS region, overriding the AWS_REGION environment variable.

    Examples

    Deletes an image mirror configuration without a confirmation prompt. 

    $ rosa delete image-mirror --cluster=mycluster abc123def456 --yes
    Copy to Clipboard Toggle word wrap

    Example Output

    I: Image mirror 'abc123def456' has been deleted from cluster 'mycluster'
    Copy to Clipboard Toggle word wrap

  2. Run the following command to deletes an image mirror configuration with a confirmation prompt: 

    $ rosa delete image-mirror --cluster=mycluster --id=abc123def456
    Copy to Clipboard Toggle word wrap
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2026 Red HatBack to top