主页
产品
OpenShift Container Platform
4.1
Images
Chapter 6. Image configuration resources

此内容没有您所选择的语言版本。

Chapter 6. Image configuration resources

Use the following procedure to configure image registries.

6.1. Image controller configuration parameters
复制链接

The image.config.openshift.io/cluster resource offers the following configuration parameters.

Expand

Parameter	Description
`Image`	Holds cluster-wide information about how to handle images. The canonical, and only valid name is `cluster`. `spec`: Holds user-settable values for configuration. You can edit the `spec` subsection. `status`: Holds observed values from the cluster.
`ImageSpec`	`allowedRegistriesForImport`: Limits the container image registries from which normal users may import images. Set this list to the registries that you trust to contain valid images, and that you want applications to be able to import from. Users with permission to create images or `ImageStreamMappings` from the API are not affected by this policy. Typically only cluster administrators will have the appropriate permissions. `additionalTrustedCA`: A reference to a ConfigMap containing additional CAs that should be trusted during `ImageStream import`, `pod image pull`, `openshift-image-registry pullthrough`, and builds. The namespace for this ConfigMap is `openshift-config`. The format of the ConfigMap is to use the registry hostname as the key, and the PEM-encoded certificate as the value, for each additional registry CA to trust. `registrySources`: Contains configuration that determines how the container runtime should treat individual registries when accessing images for builds and pods. For instance, whether or not to allow insecure access. It does not contain configuration for the internal cluster registry.
`ImageStatus`	`internalRegistryHostname`: Set by the Image Registry Operator, which controls the `internalRegistryHostname`. It sets the hostname for the default internal image registry. The value must be in `hostname[:port]` format. For backward compatibility, you can still use the `OPENSHIFT_DEFAULT_REGISTRY` environment variable, but this setting overrides the environment variable. `externalRegistryHostnames`: Provides the hostnames for the default external image registry. The external hostname should be set only when the image registry is exposed externally. The first value is used in `publicDockerImageRepository` field in ImageStreams. The value must be in `hostname[:port]` format.
`RegistryLocation`	Contains a location of the registry specified by the registry domain name. The domain name might include wildcards. `domainName`: Specifies a domain name for the registry. In case the registry uses a non-standard (80 or 443) port, the port should be included in the domain name as well. `insecure`: Insecure indicates whether the registry is secure or insecure. By default, if not otherwise specified, the registry is assumed to be secure.
`RegistrySources`	Holds cluster-wide information about how to handle the registries config. `insecureRegistries`: Registries which do not have a valid TLS certificate or only support HTTP connections. `blockedRegistries`: Blacklisted for image pull and push actions. All other registries are allowed. `allowedRegistries`: Whitelisted for image pull and push actions. All other registries are blocked. Only one of `blockedRegistries` or `allowedRegistries` may be set

6.2. Configuring image settings
复制链接

You can configure image registry settings by editing the image.config.openshift.io/cluster resource. The Machine Config Operator (MCO) watches the `image.config.openshift.io/cluster`for any changes to registries and reboots the nodes when it detects changes.

Procedure

Edit the image.config.openshift.io/cluster custom resource:
```
oc edit image.config.openshift.io/cluster
```
```
$ oc edit image.config.openshift.io/cluster
```
Copy to Clipboard Toggle word wrap
The following is an example image.config.openshift.io/cluster resource:
```
apiVersion: config.openshift.io/v1
kind: Image
metadata:
  annotations:
    release.openshift.io/create-only: "true"
  creationTimestamp: "2019-05-17T13:44:26Z"
  generation: 1
  name: cluster
  resourceVersion: "8302"
  selfLink: /apis/config.openshift.io/v1/images/cluster
  uid: e34555da-78a9-11e9-b92b-06d6c7da38dc
spec:
  allowedRegistriesForImport:
    - domainName: quay.io
      insecure: false
  additionalTrustedCA:
    name: myconfigmap
  registrySources:
    insecureRegistries:
    - insecure.com
    blockedRegistries:
    - untrusted.com
status:
  internalRegistryHostname: image-registry.openshift-image-registry.svc:5000
```
```
apiVersion: config.openshift.io/v1
kind: Image
```
1
```
metadata:
  annotations:
    release.openshift.io/create-only: "true"
  creationTimestamp: "2019-05-17T13:44:26Z"
  generation: 1
  name: cluster
  resourceVersion: "8302"
  selfLink: /apis/config.openshift.io/v1/images/cluster
  uid: e34555da-78a9-11e9-b92b-06d6c7da38dc
spec:
  allowedRegistriesForImport:
```
2
```
    - domainName: quay.io
      insecure: false
  additionalTrustedCA:
```
3
```
    name: myconfigmap
  registrySources:
```
4
```
    insecureRegistries:
```
5
```
    - insecure.com
    blockedRegistries:
```
6
```
    - untrusted.com
status:
  internalRegistryHostname: image-registry.openshift-image-registry.svc:5000
```
Copy to Clipboard Toggle word wrap
1
Image: Holds cluster-wide information about how to handle images. The canonical, and only valid name is cluster.
2
allowedRegistriesForImport: Limits the container image registries from which normal users may import images. Set this list to the registries that you trust to contain valid images, and that you want applications to be able to import from. Users with permission to create images or ImageStreamMappings from the API are not affected by this policy. Typically only cluster administrators will have the appropriate permissions.
3
additionalTrustedCA: A reference to a ConfigMap containing additional CAs that should be trusted during ImageStream import, pod image pull, openshift-image-registry pullthrough, and builds. The namespace for this ConfigMap is openshift-config. The format of the ConfigMap is to use the registry hostname as the key, and the base64-encoded certificate as the value, for each additional registry CA to trust.
4
registrySources: Contains configuration that determines how the container runtime should treat individual registries when accessing images for builds and pods. For instance, whether or not to allow insecure access. It does not contain configuration for the internal cluster registry.
5
insecureRegistries: Registries which do not have a valid TLS certificate or only support HTTP connections.
6
blockedRegistries: Blacklisted for image pull and push actions. All other registries are allowed.

6.2.1. Importing insecure registries and blocking registries
复制链接

You can add insecure registries or block any registry by editing the image.config.openshift.io/cluster custom resource (CR). OpenShift Container Platform applies the changes to this CR to all nodes in the cluster.

Insecure external registries, such as those do not have a valid TLS certificate or only support HTTP connections, should be avoided.

Procedure

Edit the image.config.openshift.io/cluster custom resource:

oc edit image.config.openshift.io/cluster

$ oc edit image.config.openshift.io/cluster

Copy to Clipboard

Toggle word wrap

The following is an example image.config.openshift.io/cluster resource:

apiVersion: config.openshift.io/v1
kind: Image
metadata:
  annotations:
    release.openshift.io/create-only: "true"
  creationTimestamp: "2019-05-17T13:44:26Z"
  generation: 1
  name: cluster
  resourceVersion: "8302"
  selfLink: /apis/config.openshift.io/v1/images/cluster
  uid: e34555da-78a9-11e9-b92b-06d6c7da38dc
spec:
  allowedRegistriesForImport:
    - domainName: quay.io
      insecure: false
  additionalTrustedCA:
    name: myconfigmap
  registrySources:
    insecureRegistries:
    - insecure.com
    blockedRegistries:
    - untrusted.com
status:
  internalRegistryHostname: image-registry.openshift-image-registry.svc:5000

apiVersion: config.openshift.io/v1
kind: Image
metadata:
  annotations:
    release.openshift.io/create-only: "true"
  creationTimestamp: "2019-05-17T13:44:26Z"
  generation: 1
  name: cluster
  resourceVersion: "8302"
  selfLink: /apis/config.openshift.io/v1/images/cluster
  uid: e34555da-78a9-11e9-b92b-06d6c7da38dc
spec:
  allowedRegistriesForImport:
    - domainName: quay.io
      insecure: false
  additionalTrustedCA:
    name: myconfigmap
  registrySources:
    insecureRegistries:


    - insecure.com
    blockedRegistries:


    - untrusted.com
status:
  internalRegistryHostname: image-registry.openshift-image-registry.svc:5000

Copy to Clipboard

Toggle word wrap

1: Specify an insecure registry.
2: Specify any registries that should be blacklisted for image pull and push actions. All other registries are allowed.

The Machine Config Operator (MCO) watches the image.config.openshift.io/cluster for any changes to registries and reboots the nodes when it detects changes. Changes to the registries appear in the /host/etc/containers/registries.conf file on each node.

cat /host/etc/containers/registries.conf
[registries]
  [registries.search]
    registries = ["registry.access.redhat.com", "docker.io"]
  [registries.insecure]
    registries = ["insecure.com"]
  [registries.block]
    registries = ["untrusted.com"]

cat /host/etc/containers/registries.conf
[registries]
  [registries.search]
    registries = ["registry.access.redhat.com", "docker.io"]
  [registries.insecure]
    registries = ["insecure.com"]
  [registries.block]
    registries = ["untrusted.com"]

Copy to Clipboard

Toggle word wrap

返回顶部

此内容没有您所选择的语言版本。

Chapter 6. Image configuration resources

6.1. Image controller configuration parameters
复制链接

6.2. Configuring image settings
复制链接

6.2.1. Importing insecure registries and blocking registries
复制链接

学习

尝试、购买和销售

社区

关于红帽文档

让开源更具包容性

關於紅帽

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links

此内容没有您所选择的语言版本。

Chapter 6. Image configuration resources

6.1. Image controller configuration parameters复制链接链接已复制到粘贴板!

6.2. Configuring image settings复制链接链接已复制到粘贴板!

6.2.1. Importing insecure registries and blocking registries复制链接链接已复制到粘贴板!

学习

尝试、购买和销售

社区

关于红帽文档

让开源更具包容性

關於紅帽

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links

6.1. Image controller configuration parameters
复制链接

6.2. Configuring image settings
复制链接

6.2.1. Importing insecure registries and blocking registries
复制链接