Red Hat SummitChapter 9. Image configuration resources
Use the following procedure to configure image registries.
9.1. Image controller configuration parameters for Red Hat OpenShift Service on AWS
The image.config.openshift.io/cluster resource holds cluster-wide information about how to handle images. The resource exists, but it is read only and can only be changed through supported tools like the ROSA CLI (rosa). The canonical and only valid name is cluster. It can be configured in Red Hat OpenShift Service on AWS through rosa commands.
Parameters such as DisableScheduledImport, MaxImagesBulkImportedPerRepository, MaxScheduledImportsPerMinute, ScheduledImageImportMinimumIntervalSeconds, InternalRegistryHostname are not configurable.
| Parameters for ROSA CLI | Description |
|---|---|
|
|
Registries for which image pull and push actions are allowed. To specify all subdomains, add the asterisk ( |
|
|
Registries which do not have a valid TLS certificate or only support HTTP connections. To specify all subdomains, add the asterisk ( |
|
|
Registries for which image pull and push actions are denied. To specify all subdomains, add the asterisk ( |
|
|
Contains configuration that determines how the container runtime should treat individual registries when accessing images for builds and pods. For example, whether or not to allow insecure access. It does not contain configuration for the internal cluster registry. Limits the container image registries from which normal users can import images. The format should be a comma-separated list of |
|
| A JSON file containing the registry hostname as the key, and the PEM-encoded certificate as the value, for each additional registry CA to trust. |
When the allowedRegistries parameter is defined, all registries are blocked unless explicitly listed. To prevent pod failure, a list of Red Hat registries is automatically whitelisted, as they are required by payload images within your environment. The current list consists of image-registry.openshift-image-registry.svc:5000,quay.io,registry.redhat.io and it is also visible when running the rosa describe cluster command.
9.2. Configuring image registry settings for Red Hat OpenShift Service on AWS
You can configure image registry settings at cluster creation. The cluster’s nodes will use the required configuration after creation.
Procedure
Create Red Hat OpenShift Service on AWS clusters with image registry by running the following command:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow NoteWhen using the
allowedRegistries,blockedRegistries, orinsecureRegistriesparameter, you can specify an individual repository within a registry. For example:reg1.io/myrepo/myapp:latest.Avoid insecure external registries to reduce possible security risks. Parameters
allowedRegistries,blockedRegistriesare mutually exclusive.
Verification
Run the
rosa describecommand to verify that your image registry is enabled by running the following command:rosa describe cluster --cluster=<cluster_name>
$ rosa describe cluster --cluster=<cluster_name>Copy to Clipboard Copied! Toggle word wrap Toggle overflow Example output
Copy to Clipboard Copied! Toggle word wrap Toggle overflow - 1
Allowed Registries: A comma-separated list of registries for which image pull and push actions are allowed.- 2
Blocked Registries: A comma-separated list of registries for which image pull and push actions are blocked. ParametersallowedRegistries,blockedRegistriesare mutually exclusive.- 3
Insecure Registries: A comma-separated list of registries which do not have a valid TLS certificate or only support HTTP connections.- 4
Allowed Registries for Import: Limits the container image registries from which normal users can import images. The format should be a comma-separated list ofdomainName:insecure.- 5
domainName: Specifies a domain name for the registry.- 6
insecure: Indicates whether the registry is secure or insecure.- 7
Platform Allowlist: A reference to the id of the list of registries that needs to be whitelisted for the platform to work.- 8
Registries: The list of registries that needs to be whitelisted for the platform to work.- 9
Additional Trusted CA: A JSON file containing the registry hostname as the key, and the PEM-encoded certificate as the value, for each additional registry CA to trust.
List your nodes to check the applied changes by running the following command:
oc get nodes
$ oc get nodesCopy to Clipboard Copied! Toggle word wrap Toggle overflow Example output
NAME STATUS ROLES AGE VERSION ip-10-0-137-182.us-east-2.compute.internal Ready,SchedulingDisabled worker 65m v1.32.3 ip-10-0-188-96.us-east-2.compute.internal Ready worker 65m v1.32.3 ip-10-0-200-59.us-east-2.compute.internal Ready worker 63m v1.32.3
NAME STATUS ROLES AGE VERSION ip-10-0-137-182.us-east-2.compute.internal Ready,SchedulingDisabled worker 65m v1.32.3 ip-10-0-188-96.us-east-2.compute.internal Ready worker 65m v1.32.3 ip-10-0-200-59.us-east-2.compute.internal Ready worker 63m v1.32.3Copy to Clipboard Copied! Toggle word wrap Toggle overflow
9.3. Editing image registry settings for Red Hat OpenShift Service on AWS
You can change the image registry config with the rosa edit command.
When the allowedRegistries parameter is defined, all registries are blocked unless explicitly listed. To prevent pod failure, a list of Red Hat registries is automatically whitelisted, as they are required by payload images within your environment. The current list consists of image-registry.openshift-image-registry.svc:5000,quay.io,registry.redhat.io and it is also visible when running the rosa describe cluster command.
You can change any registry-related parameter, which will trigger a rollout across all machine pools; all machine pool nodes will be recreated, following pod draining from each node.
Procedure
Update or edit the image registry for the cluster by running the following command:
rosa edit cluster --registry-config-insecure-registries <insecure_registries> \ --registry-config-allowed-registries <allowed_registries> \ --registry-config-allowed-registries-for-import <registry_name:insecure> \ --registry-config-additional-trusted-ca <additional_trusted_ca_file>
$ rosa edit cluster --registry-config-insecure-registries <insecure_registries> \ --registry-config-allowed-registries <allowed_registries> \ --registry-config-allowed-registries-for-import <registry_name:insecure> \ --registry-config-additional-trusted-ca <additional_trusted_ca_file>Copy to Clipboard Copied! Toggle word wrap Toggle overflow Example output
? Changing any registry related parameter will trigger a rollout across all machinepools (all machinepool nodes will be recreated, following pod draining from each node). Do you want to proceed? Yes I: Updated cluster '<cluster_name>'
? Changing any registry related parameter will trigger a rollout across all machinepools (all machinepool nodes will be recreated, following pod draining from each node). Do you want to proceed? Yes I: Updated cluster '<cluster_name>'Copy to Clipboard Copied! Toggle word wrap Toggle overflow
Verification
Run the
rosa describecommand again, to see if the changes you made to your image registry updated by running the following command:rosa describe cluster --cluster=<cluster_name>
$ rosa describe cluster --cluster=<cluster_name>Copy to Clipboard Copied! Toggle word wrap Toggle overflow Example output
Copy to Clipboard Copied! Toggle word wrap Toggle overflow - 1
Allowed Registries: A comma-separated list of registries for which image pull and push actions are allowed.- 2
Blocked Registries: A comma-separated list of registries for which image pull and push actions are blocked. ParametersallowedRegistries,blockedRegistriesare mutually exclusive.- 3
Insecure Registries: A comma-separated list of registries which do not have a valid TLS certificate or only support HTTP connections.- 4
Allowed Registries for Import: Limits the container image registries from which normal users can import images. The format should be a comma-separated list ofdomainName:insecure.- 5
domainName: Specifies a domain name for the registry.- 6
insecure: Indicates whether the registry is secure or insecure.- 7
Platform Allowlist: A reference to the id of the list of registries that needs to be whitelisted for the platform to work.- 8
Registries: The list of registries that needs to be whitelisted for the platform to work.- 9
Additional Trusted CA: A JSON file containing the registry hostname as the key, and the PEM-encoded certificate as the value, for each additional registry CA to trust.
9.3.1. Updating platform allowlist for Red Hat OpenShift Service on AWS
A list of Red Hat registries is automatically allowed and it is visible when running rosa describe cluster. This list can be periodically updated to ensure platform can be operated correctly. Impacted clusters will receive a notification with the new allowlist ID. In such cases, the user must use this parameter to update from the previous expected ID to the newly expected ID. Update or edit the image registry for the cluster by running the following command:
rosa edit cluster --registry-config-platform-allowlist <newID>
$ rosa edit cluster --registry-config-platform-allowlist <newID>9.4. Image registry mirroring for Red Hat OpenShift Service on AWS
You can configure an existing Red Hat OpenShift Service on AWS cluster to pull images from a mirrored registry by using the ImageDigestMirrorSet (IDMS) object.
The image mirror configuration feature operates exclusively with image references by digest, meaning that image mirroring will only activate when an image is pulled using its unique and immutable ID. Any image references using a mutable tag are currently not supported by this functionality.
IDMS defines a set of cluster-wide policies for registry mirroring that makes image downloads faster, more reliable and more secure. It works by intercepting any image pull request that identifies an image by its unique, content-addressable digest. Based on these policies, the IDMS transparently redirects the pull operation from its specified source registry to one or more designated mirror registries. For the developer, this means their request—still pointing to the original source—is automatically fulfilled by a faster, closer mirror, significantly improving deployment speed without requiring any changes to their workflow.
Prerequisites
To configure an existing Red Hat OpenShift Service on AWS cluster to pull images from a mirrored registry by using the ImageDigestMirrorSet (IDMS) object, you must meet the following prerequisites:
-
You have installed and configured the latest ROSA command-line interface (CLI) (
rosa) on your installation host. - You have installed a Red Hat OpenShift Service on AWS cluster.
- The Red Hat OpenShift Service on AWS cluster must be in a Ready state to create, edit, list, or delete image mirrors.
- You have access to the mirror registries you want to configure.
- You have the required IAM permissions to manage cluster configurations. For more information, see "About IAM resources" in the Additional resources section.
The benefits of configuring your Red Hat OpenShift Service on AWS cluster to pull images from a mirrored registry using IDMS include:
- Enhanced Security: By forcing image pulls from a private, mirrored registry, you can scan and approve all images for vulnerabilities before they ever enter your cluster.
- Improved Cluster Reliability: A local mirror guarantees stable and predictable cluster performance by eliminating reliance on public internet pathways.
- Guaranteed Image Consistency: IDMS uses image digests to reference images, which ensures that every node in the cluster pulls the same version of an image, preventing inconsistencies which could lead to deployment failures.
9.4.1. Creating an image mirror configuration
Procedure
To create an image mirror configuration for a Red Hat OpenShift Service on AWS cluster, run the following command:
The source registry cannot be modified after creation. You must delete and recreate the image mirror to change the source.
Syntax
rosa create image-mirror [arguments]
$ rosa create image-mirror [arguments]| Option | Definition |
|---|---|
| --cluster | Required: The name or ID of the cluster the mirror configuration will be applied to. |
| --source | Required: The source registry that will be mirrored. |
| --mirrors | Required: List of mirror registries. Mirror registries must be comma-separated. |
| --type=digest |
Optional: Type of image mirror. The |
| --profile | Optional: Specifies an AWS profile (string) from your credentials file. |
| --region | Optional:Specifies an AWS region, overriding the AWS_REGION environment variable. |
Examples
Creates an image mirror configuration for a cluster named mycluster.
rosa create image-mirror --cluster=mycluster \ --source=registry.example.com/team \ --mirrors=mirror.corp.com/team,backup.corp.com/team
$ rosa create image-mirror --cluster=mycluster \
--source=registry.example.com/team \
--mirrors=mirror.corp.com/team,backup.corp.com/teamExample Output
I: Image mirror with ID 'abc123def456' has been created on cluster 'mycluster' I: Source: registry.example.com/team I: Mirrors: [mirror.corp.com/team backup.corp.com/team]
I: Image mirror with ID 'abc123def456' has been created on cluster 'mycluster'
I: Source: registry.example.com/team
I: Mirrors: [mirror.corp.com/team backup.corp.com/team]An ID is automatically generated and assigned to an image mirror during image mirror configuration creation.
Creates an image mirror configuration with a specific type.
The digest type is set by default and the only available type option.
rosa create image-mirror --cluster=mycluster \ --type=digest --source=docker.io/library \ --mirrors=internal-registry.company.com/dockerhub
$ rosa create image-mirror --cluster=mycluster \
--type=digest --source=docker.io/library \
--mirrors=internal-registry.company.com/dockerhubCreating a single image mirror configuration with multiple mirrors for a cluster.
rosa create image-mirror --cluster=mycluster \ --source=quay.io/openshift \ --mirrors=mirror1.company.com/openshift,mirror2.company.com/openshift,mirror3.company.com/openshift
$ rosa create image-mirror --cluster=mycluster \
--source=quay.io/openshift \
--mirrors=mirror1.company.com/openshift,mirror2.company.com/openshift,mirror3.company.com/openshift9.4.2. Editing an image mirroring configuration
Procedure
To edit an image mirror configuration for a Red Hat OpenShift Service on AWS cluster, run the following command:
When editing an image mirror configuration, the new mirrors list completely replaces the existing mirrors list.
Syntax
rosa edit image-mirror [arguments]
$ rosa edit image-mirror [arguments]| Option | Definition |
|---|---|
| --cluster | Required: The name or ID (string) of the cluster to which the image mirror configuration applies. |
| --mirrors | Required: New list of mirror registries that replaces current mirror registries. Mirror registries must be comma-separated. |
| --id | Required: ID of the image mirror configuration to edit. |
| --profile | Optional: Use a specific AWS profile from your credential file. |
| --region | Optional: Use a specific AWS region, overriding the AWS_REGION environment variable. |
Examples
Replaces a single mirror on an image mirror configuration.
rosa edit image-mirror --cluster=mycluster --id=abc123def456 \ --mirrors=single-mirror.company.com/team
$ rosa edit image-mirror --cluster=mycluster --id=abc123def456 \
--mirrors=single-mirror.company.com/teamExample Output
I: Image mirror 'abc123def456' has been updated on cluster 'mycluster' I: Source: registry.example.com/team I: Updated mirrors: [mirror.corp.com/team backup.corp.com/team new-mirror.corp.com/team]
I: Image mirror 'abc123def456' has been updated on cluster 'mycluster'
I: Source: registry.example.com/team
I: Updated mirrors: [mirror.corp.com/team backup.corp.com/team new-mirror.corp.com/team]Replaces all mirrors on an image mirror configuration.
rosa edit image-mirror --cluster=mycluster --id=abc123def456 \ --mirrors=new-primary.company.com/team,new-secondary.company.com/team
$ rosa edit image-mirror --cluster=mycluster --id=abc123def456 \
--mirrors=new-primary.company.com/team,new-secondary.company.com/team9.4.3. Listing all image mirror configurations
Procedure
To list all image mirror configurations for a Red Hat OpenShift Service on AWS cluster, run the following command:
Syntax
rosa list image-mirrors [arguments]
$ rosa list image-mirrors [arguments]| Option | Definition |
|---|---|
| --cluster | Required: Name or ID of the cluster. |
| --output |
Optional: Output format. Allowed formats are |
| --profile | Optional: Use a specific AWS profile from your credential file. |
| --region | Optional: Use a specific AWS region, overriding the AWS_REGION environment variable. |
Example
Lists all image mirror configurations for a cluster.
rosa list image-mirrors --cluster=mycluster
$ rosa list image-mirrors --cluster=myclusterExample Outputs
ID TYPE SOURCE MIRRORS abc123def456 digest registry.example.com/team mirror.corp.com/team, backup.corp.com/
ID TYPE SOURCE MIRRORS
abc123def456 digest registry.example.com/team mirror.corp.com/team, backup.corp.com/9.4.4. Deleting an image mirror configuration
Delete operations require confirmation unless the --yes or --y argument is used.
Procedure
To delete an image mirror configuration from a Red Hat OpenShift Service on AWS cluster, run the following command:
Syntax
rosa delete image-mirror [arguments]
$ rosa delete image-mirror [arguments]| Option | Definition |
|---|---|
| --cluster | Required: The name or ID (string) of the cluster that the image mirror configuration will be deleted from. |
| --id | Required: ID of the image mirror configuration to delete. |
|
| Optional: Automatically answers "yes" to confirm deletion. |
| --profile | Optional: Use a specific AWS profile from your credential file. |
| --region | Optional: Use a specific AWS region, overriding the AWS_REGION environment variable. |
Examples
Deletes an image mirror configuration without a confirmation prompt.
rosa delete image-mirror --cluster=mycluster abc123def456 --yes
$ rosa delete image-mirror --cluster=mycluster abc123def456 --yesExample Output
I: Image mirror 'abc123def456' has been deleted from cluster 'mycluster'
I: Image mirror 'abc123def456' has been deleted from cluster 'mycluster'Deletes an image mirror configuration with a confirmation prompt.
rosa delete image-mirror --cluster=mycluster --id=abc123def456
$ rosa delete image-mirror --cluster=mycluster --id=abc123def456
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}