mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
openshift-docs/modules/images-configuration-blocked.adoc
2025-12-03 11:25:40 -05:00


// Module included in the following assemblies:
//
// * openshift_images/image-configuration.adoc
:_mod-docs-content-type: PROCEDURE
[id="images-configuration-blocked_{context}"]
= Blocking specific registries

[role="_abstract"]
You can block any registry, or an individual repository within a registry, by editing the `image.config.openshift.io/cluster` custom resource (CR).
{product-title} applies the changes to this CR to all nodes in the cluster.

When pulling or pushing images, the container runtime searches the registries listed under the `registrySources` parameter in the `image.config.openshift.io/cluster` CR. If you created a list of registries under the `blockedRegistries` parameter, the container runtime does not search those registries. All other registries are allowed.

[WARNING]
====
To prevent pod failure, do not add the `registry.redhat.io` and `quay.io` registries to the `blockedRegistries` list. Payload images within your environment require access to these registries.
====
//how does this work for mirror registries?
.Procedure
* Edit the `image.config.openshift.io/cluster` custom resource by running the following command:
+
[source,terminal]
----
$ oc edit image.config.openshift.io/cluster
----
+
The following is an example `image.config.openshift.io/cluster` CR with a blocked list:
+
[source,yaml]
----
apiVersion: config.openshift.io/v1
kind: Image
metadata:
  annotations:
    release.openshift.io/create-only: "true"
  creationTimestamp: "2019-05-17T13:44:26Z"
  generation: 1
  name: cluster
  resourceVersion: "8302"
  selfLink: /apis/config.openshift.io/v1/images/cluster
  uid: e34555da-78a9-11e9-b92b-06d6c7da38dc
spec:
  registrySources:
    blockedRegistries:
    - untrusted.com
    - reg1.io/myrepo/myapp:latest
status:
  internalRegistryHostname: image-registry.openshift-image-registry.svc:5000
----
+
You cannot set both the `blockedRegistries` and `allowedRegistries` parameters. You must select one or the other.
ifndef::openshift-rosa,openshift-dedicated[]
. Get a list of your nodes by running the following command:
+
[source,terminal]
----
$ oc get nodes
----
+
.Example output
[source,terminal]
----
NAME          STATUS   ROLES                  AGE   VERSION
<node_name>   Ready    control-plane,master   37m   v1.27.8+4fab27b
----
. Run the following command to enter debug mode on the node:
+
[source,terminal]
----
$ oc debug node/<node_name>
----
+
Replace `<node_name>` with the name of the node you want details about.
. When prompted, enter `chroot /host` into the terminal:
+
[source,terminal]
----
sh-4.4# chroot /host
----
.Verification
. Verify that the registries are in the policy file by running the following command:
+
[source,terminal]
----
sh-5.1# cat /etc/containers/registries.conf
----
+
The following example indicates that images from the `untrusted.com` registry are blocked for image pulls and pushes:
+
.Example output
[source,text]
----
unqualified-search-registries = ["registry.access.redhat.com", "docker.io"]

[[registry]]
  prefix = ""
  location = "untrusted.com"
  blocked = true
----
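
The verification step above can be scripted instead of read by eye. The following is an added example, not part of the OpenShift documentation: it lists every `[[registry]]` entry in a `registries.conf` that sets `blocked = true` and reports any expected entry that is missing. The function names and the sample file are constructed for illustration, and the script assumes `awk` and `grep` are available in the shell.

```shell
#!/bin/sh
# Added example, not part of the OpenShift documentation.
# Function names and sample data are constructed for illustration.

# Print the location of every [[registry]] table that sets blocked = true.
blocked_locations() {
  awk '
    function emit() { if (inreg && blocked && loc != "") print loc }
    /^[ \t]*\[\[registry\]\]/ { emit(); inreg = 1; loc = ""; blocked = 0; next }
    # Any other table header (for example a mirror sub-table) ends the entry.
    /^[ \t]*\[/ { emit(); inreg = 0; next }
    inreg && /^[ \t]*location[ \t]*=/ {
      loc = $0; sub(/^[^"]*"/, "", loc); sub(/".*$/, "", loc)
    }
    inreg && /^[ \t]*blocked[ \t]*=[ \t]*true/ { blocked = 1 }
    END { emit() }
  '
}

# check_blocked FILE ENTRY...: succeed only if every ENTRY is blocked in FILE.
check_blocked() {
  conf=$1; shift
  missing=0
  for reg in "$@"; do
    if ! blocked_locations < "$conf" | grep -Fxq -- "$reg"; then
      echo "NOT BLOCKED: $reg" >&2
      missing=1
    fi
  done
  return "$missing"
}

# Constructed sample input modelled on the example output above.
sample_conf() {
  cat <<'EOF'
unqualified-search-registries = ["registry.access.redhat.com", "docker.io"]

[[registry]]
  prefix = ""
  location = "untrusted.com"
  blocked = true

[[registry]]
  prefix = ""
  location = "mirrored.example"

  [[registry.mirror]]
    location = "mirror.example/cache"
EOF
}
```

On a node, after `chroot /host`, calling `check_blocked /etc/containers/registries.conf untrusted.com` returns a non-zero status and names the entry if the block was not rolled out to that node.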
endif::openshift-rosa,openshift-dedicated[]