openshift · mburke5678 · Dec 23, 2020 · Dec 21, 2020
diff --git a/modules/images-configuration-allowed.adoc b/modules/images-configuration-allowed.adoc
@@ -0,0 +1,130 @@
+// Module included in the following assemblies:
+//
+// * openshift_images/image-configuration.adoc
+// * post_installation_configuration/preparing-for-users.adoc
+
+[id="images-configuration-allowed_{context}"]
+= Adding specific registries
+
+You can add a list of registries that are permitted for image pull and push actions by by editing the `image.config.openshift.io/cluster` custom resource (CR). {product-title} applies the changes to this CR to all nodes in the cluster. 
+
+When pulling or pushing images, the container runtime searches the registries listed under the `registrySources` parameter in the `image.config.openshift.io/cluster` CR. If you created a list of registries under the `allowedRegistries` parameter, the container runtime searches only those registries. Registries not in the list are blocked.
+
+[WARNING]
+====
+When the `allowedRegistries` parameter is defined, all registries including the registry.redhat.io and quay.io registries are blocked unless explicitly listed. If you use the parameter, to prevent pod failure, add `registry.redhat.io` and `quay.io` to the `allowedRegistries` list, as they are required by payload images within your environment. For disconnected clusters, mirror registries should also be added.
+====
+
+.Procedure
+
+. Edit the `image.config.openshift.io/cluster` CR:
++
+[source,terminal]
+----
+$ oc edit image.config.openshift.io/cluster
+----
++
+The following is an example `image.config.openshift.io/cluster` CR with an allowed list:
++
+[source,yaml]
+----
+apiVersion: config.openshift.io/v1
+kind: Image
+metadata:
+  annotations:
+    release.openshift.io/create-only: "true"
+  creationTimestamp: "2019-05-17T13:44:26Z"
+  generation: 1
+  name: cluster
+  resourceVersion: "8302"
+  selfLink: /apis/config.openshift.io/v1/images/cluster
+  uid: e34555da-78a9-11e9-b92b-06d6c7da38dc
+spec:
+  registrySources: <1>
+    allowedRegistries: <2>
+    - example.com
+    - quay.io
+    - registry.redhat.io
+status:
+  internalRegistryHostname: image-registry.openshift-image-registry.svc:5000
+----
+<1> `registrySources`: Contains configurations that determine how the container runtime should treat individual registries when accessing images for builds and pods. It does not contain configuration for the internal cluster registry.
+<2> `allowedRegistries`: Registries to use for image pull and push actions. All other registries are blocked.
++
+[NOTE]
+====
+Either the `allowedRegistries` parameter or the `blockedRegistries` parameter can be set, but not both.
+====
++
+The Machine Config Operator (MCO) watches the `image.config.openshift.io/cluster` CR for any changes to registries and reboots the nodes when it detects changes. Changes to the allowed registries creates or updates the image signature policy in the `/host/etc/containers/policy.json` file on each node.
+
+. To check that the registries have been added to the policy file, use the following command on a node:
++
+[source,terminal]
+----
+$ cat /host/etc/containers/policy.json
+----
++
+The following policy indicates that only images from the example.com, quay.io, and registry.redhat.io registries are permitted for image pulls and pushes:
++
+.Example image signature policy file
+[%collapsible]
+====
+[source,terminal]
+----
+{
+	"default": [{
+		"type": "reject"
+	}],
+	"transports": {
+		"atomic": {
+			"example.com": [{
+				"type": "insecureAcceptAnything"
+			}],
+			"quay.io": [{
+				"type": "insecureAcceptAnything"
+			}],
+			"registry.redhat.io": [{
+				"type": "insecureAcceptAnything"
+			}]
+		},
+		"docker": {
+			"example.com": [{
+				"type": "insecureAcceptAnything"
+			}],
+			"quay.io": [{
+				"type": "insecureAcceptAnything"
+			}],
+			"registry.redhat.io": [{
+				"type": "insecureAcceptAnything"
+			}]
+		},
+		"docker-daemon": {
+			"": [{
+				"type": "insecureAcceptAnything"
+			}]
+		}
+	}
+}
+----
+====
+
+[NOTE]
+====
+If your cluster uses the `registrySources.insecureRegistries` parameter, ensure that any insecure registries are included in the allowed list.
+
+For example:
+
+[source,yml]
+----
+spec:
+  registrySources:
+    insecureRegistries:
+    - insecure.com
+    allowedRegistries:
+    - example.com
+    - quay.io
+    - registry.redhat.io
+    - insecure.com
+----
+====
diff --git a/modules/images-configuration-blocked.adoc b/modules/images-configuration-blocked.adoc
@@ -0,0 +1,72 @@
+// Module included in the following assemblies:
+//
+// * openshift_images/image-configuration.adoc
+// * post_installation_configuration/preparing-for-users.adoc
+
+[id="images-configuration-blocked_{context}"]
+= Blocking specific registries
+
+You can block any registry by editing the `image.config.openshift.io/cluster` custom resource (CR). {product-title} applies the changes to this CR to all nodes in the cluster.
+
+When pulling or pushing images, the container runtime searches the registries listed under the `registrySources` parameter in the `image.config.openshift.io/cluster` CR. If you created a list of registries under the `blockedRegistries` parameter, the container runtime does not search those registries. All other registries are allowed.
+
+.Procedure
+
+. Edit the `image.config.openshift.io/cluster` CR:
++
+[source,terminal]
+----
+$ oc edit image.config.openshift.io/cluster
+----
++
+The following is an example `image.config.openshift.io/cluster` CR with a blocked list:
++
+[source,yaml]
+----
+apiVersion: config.openshift.io/v1
+kind: Image
+metadata:
+  annotations:
+    release.openshift.io/create-only: "true"
+  creationTimestamp: "2019-05-17T13:44:26Z"
+  generation: 1
+  name: cluster
+  resourceVersion: "8302"
+  selfLink: /apis/config.openshift.io/v1/images/cluster
+  uid: e34555da-78a9-11e9-b92b-06d6c7da38dc
+spec:
+  registrySources: <1>
+    blockedRegistries: <2>
+    - untrusted.com
+status:
+  internalRegistryHostname: image-registry.openshift-image-registry.svc:5000
+----
+<1> `registrySources`: Contains configurations that determine how the container runtime should treat individual registries when accessing images for builds and pods. It does not contain configuration for the internal cluster registry.
+<2> Specify registries that should not be used for image pull and push actions. All other registries are allowed.
++
+[NOTE]
+====
+Either the `blockedRegistries` registry or the `allowedRegistries` registry can be set, but not both.
+====
++
+The Machine Config Operator (MCO) watches the `image.config.openshift.io/cluster` CR for any changes to registries and reboots the nodes when it detects changes. Changes to the blocked registries appear in the `/etc/containers/registries.conf` file on each node.
+
+. To check that the registries have been added to the policy file, use the following command on a node:
++
+[source,terminal]
+----
+$ cat /host/etc/containers/registries.conf
+----
++
+The following example indicates that images from the `untrusted.com` registry are prevented for image pulls and pushes:
++
+.Example output
+[source,terminal]
+----
+unqualified-search-registries = ["registry.access.redhat.com", "docker.io"]
+
+[[registry]]
+  prefix = ""
+  location = "untrusted.com"
+  blocked = true
+----
diff --git a/modules/images-configuration-cas.adoc b/modules/images-configuration-cas.adoc
@@ -7,7 +7,7 @@
 [id="images-configuration-cas_{context}"]
 = Configuring additional trust stores for image registry access
 
-The `image.config.openshift.io/cluster` resource can contain a reference
+The `image.config.openshift.io/cluster` custom resource can contain a reference
 to a ConfigMap that contains additional certificate authorities to be trusted
 during image registry access.
 
@@ -17,7 +17,7 @@ during image registry access.
 .Procedure
 
 You can create a ConfigMap in the `openshift-config` namespace and use its name
-in `AdditionalTrustedCA` in the `image.config.openshift.io` resource to provide
+in `AdditionalTrustedCA` in the `image.config.openshift.io` custom resource to provide
 additional CAs that should be trusted when contacting external registries.
 
 The ConfigMap key is the host name of a registry with the port for which this CA is to be

diff --git a/modules/images-configuration-file.adoc b/modules/images-configuration-file.adoc
@@ -7,11 +7,10 @@
 = Configuring image settings
 
 You can configure image registry settings by editing the
-`image.config.openshift.io/cluster` resource. The
+`image.config.openshift.io/cluster`  custom resource (CR). The
 Machine Config Operator (MCO) watches the
-`image.config.openshift.io/cluster` resource for any changes to the registries.
-When the MCO detects a change, it drains the nodes, applies the change, 
-and uncordons the nodes.
+`image.config.openshift.io/cluster` CR for any changes 
+to the registries and reboots the nodes when it detects changes.
 
 .Procedure
 
@@ -22,12 +21,12 @@ and uncordons the nodes.
 $ oc edit image.config.openshift.io/cluster
 ----
 +
-The following is an example `image.config.openshift.io/cluster` resource:
+The following is an example `image.config.openshift.io/cluster` CR:
 +
 [source,yaml]
 ----
 apiVersion: config.openshift.io/v1
-kind: Image<1>
+kind: Image <1>
 metadata:
   annotations:
     release.openshift.io/create-only: "true"
@@ -38,16 +37,18 @@ metadata:
   selfLink: /apis/config.openshift.io/v1/images/cluster
   uid: e34555da-78a9-11e9-b92b-06d6c7da38dc
 spec:
-  allowedRegistriesForImport:<2>
+  allowedRegistriesForImport: <2>
     - domainName: quay.io
       insecure: false
-  additionalTrustedCA:<3>
+  additionalTrustedCA: <3>
     name: myconfigmap
   registrySources:<4>
-    insecureRegistries:<5>
+    allowedRegistries:
+    - example.com
+    - quay.io
+    - registry.redhat.io
+    insecureRegistries:
     - insecure.com
-    blockedRegistries:<6>
-    - untrusted.com
 status:
   internalRegistryHostname: image-registry.openshift-image-registry.svc:5000
 ----
@@ -68,8 +69,25 @@ trust.
 <4> `registrySources`: Contains configuration that determines how the container
 runtime should treat individual registries when accessing images for builds and
 pods. For instance, whether or not to allow insecure access. It does not contain
-configuration for the internal cluster registry.
-<5> `insecureRegistries`: Registries which do not have a valid TLS certificate or
-only support HTTP connections.
-<6> `blockedRegistries`: Denylisted for image pull and push actions. All other
-registries are allowed.
+configuration for the internal cluster registry. This example lists `allowedRegistries`, 
+which defines the registries that are allowed to be used. One of the registries listed
+is insecure. 
+
+. To check that the changes are applied, list your nodes:
++
+[source,terminal]
+----
+$ oc get nodes
+----
++
+.Example output
+[source,terminal]
+----
+NAME                                       STATUS                     ROLES    AGE   VERSION
+ci-ln-j5cd0qt-f76d1-vfj5x-master-0         Ready                         master   98m   v1.19.0+7070803
+ci-ln-j5cd0qt-f76d1-vfj5x-master-1         Ready,SchedulingDisabled      master   99m   v1.19.0+7070803
+ci-ln-j5cd0qt-f76d1-vfj5x-master-2         Ready                         master   98m   v1.19.0+7070803
+ci-ln-j5cd0qt-f76d1-vfj5x-worker-b-nsnd4   Ready                         worker   90m   v1.19.0+7070803
+ci-ln-j5cd0qt-f76d1-vfj5x-worker-c-5z2gz   NotReady,SchedulingDisabled   worker   90m   v1.19.0+7070803
+ci-ln-j5cd0qt-f76d1-vfj5x-worker-d-stsjv   Ready                         worker   90m   v1.19.0+7070803
+----