10.2. Configuring image registry settings for ROSA with HCP
You can configure image registry settings when you create the cluster. The cluster nodes use the required configuration after they are created.
Procedure
Create a ROSA with HCP cluster with an image registry by running the following command:
$ rosa create cluster --cluster-name=<cluster_name> --sts --mode=auto \
    --hosted-cp --operator-roles-prefix <operator_role_prefix> \
    --oidc-config-id <id_of_oidc_configuration> \
    --subnet-ids=<public_subnet_id>,<private_subnet_id> \
    --registry-config-insecure-registries <insecure_registries> \
    --registry-config-allowed-registries <allowed_registries> \
    --registry-config-allowed-registries-for-import <registry_name:insecure> \
    --registry-config-additional-trusted-ca <additional_trusted_ca_file>
Note: When you use the allowedRegistries, blockedRegistries, or insecureRegistries parameter, you can specify an individual repository within a registry, for example reg1.io/myrepo/myapp:latest. Avoid insecure external registries to reduce possible security risks. The allowedRegistries and blockedRegistries parameters are mutually exclusive.
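The following Python helper is an added example, not part of the rosa CLI or of this documentation: it validates the comma-separated domainName:insecure list that --registry-config-allowed-registries-for-import takes, writes the JSON file that --registry-config-additional-trusted-ca expects (registry hostname as key, PEM-encoded CA certificate as value), and assembles the registry flags from the command above. The registry names, the placeholder PEM text and the temporary file path are constructed assumptions.

```python
import json
import tempfile
from pathlib import Path

# Constructed placeholder, not a real certificate: only the PEM framing matters here.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"


def parse_import_list(spec):
    """Parse the comma-separated domainName:insecure list passed to
    --registry-config-allowed-registries-for-import into (domain, insecure) pairs."""
    entries = []
    for item in (s.strip() for s in spec.split(",") if s.strip()):
        domain, sep, flag = item.rpartition(":")  # rpartition keeps a host:port domain intact
        if not sep or not domain or flag not in ("true", "false"):
            raise ValueError(f"expected domainName:true|false, got {item!r}")
        entries.append((domain, flag == "true"))
    return entries


def write_trusted_ca_file(path, certs):
    """Write the JSON consumed by --registry-config-additional-trusted-ca:
    registry hostname as key, PEM-encoded CA certificate as value."""
    for host, pem in certs.items():
        if not (pem.startswith("-----BEGIN CERTIFICATE-----")
                and "-----END CERTIFICATE-----" in pem):
            raise ValueError(f"{host}: value is not a PEM-encoded certificate")
    Path(path).write_text(json.dumps(certs, indent=2))
    return json.loads(Path(path).read_text())


def registry_args(allowed, insecure, import_spec, ca_file):
    """Assemble the registry flags of the create command as an argv list.
    Domains marked insecure in the import list are returned separately so an
    operator can review them before creating the cluster."""
    risky = [d for d, ins in parse_import_list(import_spec) if ins]
    args = ["--registry-config-allowed-registries", ",".join(allowed)]
    if insecure:
        args += ["--registry-config-insecure-registries", ",".join(insecure)]
    args += ["--registry-config-allowed-registries-for-import", import_spec,
             "--registry-config-additional-trusted-ca", str(ca_file)]
    return args, risky


def demo():
    """Run the helpers on constructed input (hypothetical registries) and return the results."""
    ca_file = Path(tempfile.mkdtemp()) / "additional-trusted-ca.json"
    written = write_trusted_ca_file(ca_file, {"reg1.io": SAMPLE_PEM})
    args, risky = registry_args(["reg1.io", "quay.io"], ["reg1.io"],
                                "reg1.io:true,mirror.example.com:5000:false", ca_file)
    return {"written": written, "args": args, "risky": risky}
```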
Verification
Run the rosa describe command to verify that your image registry is enabled:
$ rosa describe cluster --cluster=<cluster_name>
Example output
Name:                       rosa-hcp-test
Domain Prefix:              rosa-hcp-test
Display Name:               rosa-hcp-test
ID:                         <cluster_hcp_id>
External ID:                <cluster_hcp_id>
Control Plane:              ROSA Service Hosted
OpenShift Version:          4.Y.Z
Channel Group:              stable
DNS:                        <dns>
AWS Account:                <aws_id>
AWS Billing Account:        <aws_id>
API URL:                    <ocm_api>
Console URL:
Region:                     us-east-1
Availability:
 - Control Plane:           MultiAZ
 - Data Plane:              SingleAZ
Nodes:
 - Compute (desired):       2
 - Compute (current):       2
Network:
 - Type:                    OVNKubernetes
 - Service CIDR:            <service_cidr>
 - Machine CIDR:            <machine_cidr>
 - Pod CIDR:                <pod_cidr>
 - Host Prefix:             /23
 - Subnets:                 <subnet_ids>
EC2 Metadata Http Tokens:   optional
Role (STS) ARN:             arn:aws:iam::<aws_id>:role/<account_roles_prefix>-HCP-ROSA-Installer-Role
Support Role ARN:           arn:aws:iam::<aws_id>:role/<account_roles_prefix>-HCP-ROSA-Support-Role
Instance IAM Roles:
 - Worker:                  arn:aws:iam::<aws_id>:role/<account_roles_prefix>-HCP-ROSA-Worker-Role
Operator IAM Roles:
 - arn:aws:iam::<aws_id>:role/<operator_roles_prefix>-kube-system-capa-controller-manager
 - arn:aws:iam::<aws_id>:role/<operator_roles_prefix>-kube-system-control-plane-operator
 - arn:aws:iam::<aws_id>:role/<operator_roles_prefix>-kube-system-kms-provider
 - arn:aws:iam::<aws_id>:role/<operator_roles_prefix>-openshift-image-registry-installer-cloud-cred
 - arn:aws:iam::<aws_id>:role/<operator_roles_prefix>-openshift-ingress-operator-cloud-credentials
 - arn:aws:iam::<aws_id>:role/<operator_roles_prefix>-openshift-cluster-csi-drivers-ebs-cloud-credent
 - arn:aws:iam::<aws_id>:role/<operator_roles_prefix>-openshift-cloud-network-config-controller-cloud
Managed Policies:           Yes
State:                      ready
Private:                    No
Delete Protection:          Disabled
Created:                    Oct 01 2030 09:48:52 UTC
User Workload Monitoring:   Enabled
OIDC Endpoint URL:          https://<endpoint> (Managed)
Audit Log Forwarding:       Disabled
External Authentication:    Disabled
Etcd Encryption:            Disabled
Registry Configuration:
 - Allowed Registries:      <allowed_registry>  1 2
 - Insecure Registries:     <insecure_registry>  3
 - Allowed Registries for Import:  4
    - Domain Name:          <domain_name>  5
    - Insecure:             true  6
 - Platform Allowlist:      <platform_allowlist_id>  7
    - Registries:           <list_of_registries>  8
 - Additional Trusted CA:  9
    - <registry_name> : REDACTED
1. allowedRegistries: A comma-separated list of registries for which image pull and push actions are allowed.
2. blockedRegistries: A comma-separated list of registries for which image pull and push actions are denied. The allowedRegistries and blockedRegistries parameters are mutually exclusive.
3. insecureRegistries: A comma-separated list of registries that do not have a valid TLS certificate or that only support HTTP connections.
4. allowedRegistriesForImport: Limits the container image registries from which normal users can import images. The format must be a comma-separated list of domainName:insecure entries.
5. domainName: Specifies the domain name of the registry.
6. insecure: Indicates whether the registry is secure.
7. platformAllowlist: References the ID of a list of registries that must be allowlisted for the platform to work.
8. Registries: The list of registries that must be allowlisted for the platform to work.
9. Additional Trusted CA: A JSON file containing the registry hostname as the key and the PEM-encoded certificate as the value, one entry for each additional registry CA to trust.
List the nodes by running the following command to check that the changes were applied:
$ oc get nodes
Example output
NAME                                         STATUS                     ROLES    AGE   VERSION
ip-10-0-137-182.us-east-2.compute.internal   Ready,SchedulingDisabled   worker   65m   v1.30.3
ip-10-0-188-96.us-east-2.compute.internal    Ready                      worker   65m   v1.30.3
ip-10-0-200-59.us-east-2.compute.internal    Ready                      worker   63m   v1.30.3