10.3. Editing the image registry settings for ROSA with HCP
You can change the image registry configuration by using the rosa edit command.
When the allowedRegistries parameter is defined, every registry is blocked unless it is explicitly listed. To prevent pod failures, a list of Red Hat registries is allowlisted automatically, because the payload images in the environment are pulled from them. The current list consists of image-registry.openshift-image-registry.svc:5000, quay.io and registry.redhat.io, and is also shown when you run the rosa describe cluster command.
Changing any registry-related parameter triggers a rollout across all machine pools: every machine pool node is recreated after the pods have been drained from it.
Procedure
Run the following command to update or edit the image registry for your cluster:
$ rosa edit cluster --registry-config-insecure-registries <insecure_registries> \
    --registry-config-allowed-registries <allowed_registries> \
    --registry-config-allowed-registries-for-import <registry_name:insecure> \
    --registry-config-additional-trusted-ca <additional_trusted_ca_file>
Example output
? Changing any registry related parameter will trigger a rollout across all machinepools (all machinepool nodes will be recreated, following pod draining from each node). Do you want to proceed? Yes
I: Updated cluster '<cluster_name>'
Verification
Run the rosa describe cluster command again to check that your changes to the image registry have been applied:
$ rosa describe cluster --cluster=<cluster_name>
Example output
Name:                       rosa-hcp-test
Domain Prefix:              rosa-hcp-test
Display Name:               rosa-hcp-test
ID:                         <cluster_hcp_id>
External ID:                <cluster_hcp_id>
Control Plane:              ROSA Service Hosted
OpenShift Version:          4.Y.Z
Channel Group:              stable
DNS:                        <dns>
AWS Account:                <aws_id>
AWS Billing Account:        <aws_id>
API URL:                    <ocm_api>
Console URL:
Region:                     us-east-1
Availability:
 - Control Plane:           MultiAZ
 - Data Plane:              SingleAZ
Nodes:
 - Compute (desired):       2
 - Compute (current):       2
Network:
 - Type:                    OVNKubernetes
 - Service CIDR:            <service_cidr>
 - Machine CIDR:            <machine_cidr>
 - Pod CIDR:                <pod_cidr>
 - Host Prefix:             /23
 - Subnets:                 <subnet_ids>
EC2 Metadata Http Tokens:   optional
Role (STS) ARN:             arn:aws:iam::<aws_id>:role/<account_roles_prefix>-HCP-ROSA-Installer-Role
Support Role ARN:           arn:aws:iam::<aws_id>:role/<account_roles_prefix>-HCP-ROSA-Support-Role
Instance IAM Roles:
 - Worker:                  arn:aws:iam::<aws_id>:role/<account_roles_prefix>-HCP-ROSA-Worker-Role
Operator IAM Roles:
 - arn:aws:iam::<aws_id>:role/<operator_roles_prefix>-kube-system-capa-controller-manager
 - arn:aws:iam::<aws_id>:role/<operator_roles_prefix>-kube-system-control-plane-operator
 - arn:aws:iam::<aws_id>:role/<operator_roles_prefix>-kube-system-kms-provider
 - arn:aws:iam::<aws_id>:role/<operator_roles_prefix>-openshift-image-registry-installer-cloud-cred
 - arn:aws:iam::<aws_id>:role/<operator_roles_prefix>-openshift-ingress-operator-cloud-credentials
 - arn:aws:iam::<aws_id>:role/<operator_roles_prefix>-openshift-cluster-csi-drivers-ebs-cloud-credent
 - arn:aws:iam::<aws_id>:role/<operator_roles_prefix>-openshift-cloud-network-config-controller-cloud
Managed Policies:           Yes
State:                      ready
Private:                    No
Delete Protection:          Disabled
Created:                    Oct 01 2030 09:48:52 UTC
User Workload Monitoring:   Enabled
OIDC Endpoint URL:          https://<endpoint> (Managed)
Audit Log Forwarding:       Disabled
External Authentication:    Disabled
Etcd Encryption:            Disabled
Registry Configuration:
 - Allowed Registries:      <allowed_registry> 1 2
 - Insecure Registries:     <insecure_registry> 3
 - Allowed Registries for Import: 4
    - Domain Name:          <domain_name> 5
    - Insecure:             true 6
 - Platform Allowlist:      <platform_allowlist_id> 7
    - Registries:           <list_of_registries> 8
 - Additional Trusted CA:   9
    - <registry_name> : REDACTED
1. allowedRegistries: A comma-separated list of registries for which image pull and push actions are allowed.
2. blockedRegistries: A comma-separated list of registries for which image pull and push actions are denied. The allowedRegistries and blockedRegistries parameters are mutually exclusive.
3. insecureRegistries: A comma-separated list of registries that do not have a valid TLS certificate or that support only HTTP connections.
4. allowedRegistriesForImport: Limits the container image registries from which normal users can import images. The format is a comma-separated list of domainName:insecure entries.
5. domainName: Specifies the domain name of the registry.
6. insecure: Indicates whether the registry is secure or insecure.
7. platformAllowlist: The ID that references the list of registries that must be allowlisted for the platform to work.
8. Registries: The list of registries that must be allowlisted for the platform to work.
9. Additional Trusted CA: A JSON file that contains the registry hostname as the key and the PEM-encoded certificate as the value, one entry for each additional registry CA to trust.
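As an added example that is not part of the Red Hat documentation, the following Python helper checks the values you intend to pass to rosa edit cluster against the rules in the callouts above (mutually exclusive allowed/blocked lists, the domainName:insecure import format, the automatically allowlisted platform registries) and renders the additional-trusted-CA JSON file with registry hostnames as keys and PEM certificates as values. The registry names, the import-entry pattern and the PEM placeholder are constructed here, not taken from the page.

```python
import json
import re

# Registries the platform allowlists automatically (from the page); blocking them breaks payload pulls.
PLATFORM_ALLOWLIST = {"image-registry.openshift-image-registry.svc:5000", "quay.io", "registry.redhat.io"}
# One allowedRegistriesForImport entry: domainName[:port]:insecure (pattern constructed for this check).
IMPORT_ENTRY = re.compile(r"^(?P<domain>[A-Za-z0-9.-]+(?::\d{1,5})?):(?P<insecure>true|false)$")


def split_list(value):
    """Split a comma-separated rosa flag value into items, dropping blanks."""
    return [item.strip() for item in value.split(",") if item.strip()]


def validate_registry_config(allowed="", blocked="", insecure="", for_import=""):
    """Return (level, message) findings; an empty list means the values are consistent."""
    findings = []
    allowed_set, blocked_set, insecure_set = (set(split_list(v)) for v in (allowed, blocked, insecure))
    if allowed_set and blocked_set:
        findings.append(("ERROR", "allowedRegistries and blockedRegistries are mutually exclusive"))
    for reg in sorted(blocked_set & PLATFORM_ALLOWLIST):
        findings.append(("ERROR", f"{reg} is a platform registry; blocking it breaks payload image pulls"))
    for reg in sorted(allowed_set & insecure_set):
        findings.append(("WARN", f"{reg} is allowed but listed as insecure (no TLS verification)"))
    for entry in split_list(for_import):
        m = IMPORT_ENTRY.match(entry)
        if m is None:
            findings.append(("ERROR", f"import entry {entry!r} is not in domainName:insecure form"))
        elif m["insecure"] == "true" and m["domain"] not in insecure_set:
            findings.append(("WARN", f"{m['domain']} is imported insecurely but is missing from insecureRegistries"))
    return findings


def build_trusted_ca(certs):
    """Render the --registry-config-additional-trusted-ca file: {registry hostname: PEM certificate}."""
    for host, pem in certs.items():
        body = pem.strip()
        if not (body.startswith("-----BEGIN CERTIFICATE-----") and body.endswith("-----END CERTIFICATE-----")):
            raise ValueError(f"value for {host} is not a single PEM-encoded certificate")
    return json.dumps(certs, indent=2)


if __name__ == "__main__":
    # Constructed sample values standing in for <allowed_registries>, <insecure_registries>, etc.
    for level, msg in validate_registry_config(allowed="quay.io,registry.example.com:5000",
                                               insecure="registry.example.com:5000",
                                               for_import="registry.example.com:5000:true,not-an-entry"):
        print(level, msg)
    # Placeholder PEM body; a real file holds the registry CA's actual certificate.
    print(build_trusted_ca({"registry.example.com:5000": "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"}))
```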
10.3.1. Updating the platform allowlist for ROSA with HCP
The list of allowed Red Hat registries is visible when you run rosa describe cluster. This list can be updated periodically so that the platform keeps working correctly. Affected clusters receive a notification with the new allowlist ID, and in that case you must use this parameter to move from the previously expected ID to the new one. Run the following command to update or edit the image registry for your cluster:
$ rosa edit cluster --registry-config-platform-allowlist <newID>