# CustomResourceDefinition for the cluster-scoped `Image` configuration
# resource (images.config.openshift.io). The schema below describes which
# registries may be used for imagestream imports, which extra CAs are
# trusted, and how the container runtime treats individual registries.
#
# NOTE(review): apiextensions.k8s.io/v1beta1 was removed in Kubernetes 1.22;
# clusters at or beyond that API level need the apiextensions.k8s.io/v1 form.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: images.config.openshift.io
spec:
  group: config.openshift.io
  # Cluster scope: instances are not namespaced.
  scope: Cluster
  # Fields not described by the schema below are pruned on write.
  preserveUnknownFields: false
  names:
    kind: Image
    singular: image
    plural: images
    listKind: ImageList
  versions:
  - name: v1
    served: true
    storage: true
  # Enables the /status subresource, so `status` is written separately from
  # `spec`.
  subresources:
    status: {}
  # In v1beta1 a top-level validation schema applies to every served version.
  "validation":
    "openAPIV3Schema":
      description: Image governs policies related to imagestream imports and runtime
        configuration for external registries. It allows cluster admins to configure
        which registries OpenShift is allowed to import images from, extra CA trust
        bundles for external registries, and policies to blacklist/whitelist registry
        hostnames. When exposing OpenShift's image registry to the public, this also
        lets cluster admins specify the external hostname.
      type: object
      required:
      - spec
      properties:
        apiVersion:
          description: 'APIVersion defines the versioned schema of this representation
            of an object. Servers should convert recognized schemas to the latest
            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
          type: string
        kind:
          description: 'Kind is a string value representing the REST resource this
            object represents. Servers may infer this from the endpoint the client
            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
          type: string
        metadata:
          type: object
        # User-settable configuration. Every field here changes which
        # registries or certificates the cluster trusts.
        spec:
          description: spec holds user settable values for configuration
          type: object
          properties:
            # Security-sensitive: CAs in the referenced ConfigMap become
            # trusted for imports, pulls and pullthrough (see description).
            # Write access to that ConfigMap in openshift-config therefore
            # extends registry trust; restrict it through RBAC.
            additionalTrustedCA:
              description: additionalTrustedCA is a reference to a ConfigMap containing
                additional CAs that should be trusted during imagestream import, pod
                image pull, build image pull, and imageregistry pullthrough. The namespace
                for this config map is openshift-config.
              type: object
              required:
              - name
              properties:
                name:
                  description: name is the metadata.name of the referenced config
                    map
                  type: string
            # Allow-list for imports by normal users. Per the description,
            # users who can create Images or ImageStreamMappings are not
            # bound by it, so RBAC on those resources is part of the same
            # control.
            allowedRegistriesForImport:
              description: allowedRegistriesForImport limits the container image registries
                that normal users may import images from. Set this list to the registries
                that you trust to contain valid Docker images and that you want applications
                to be able to import from. Users with permission to create Images
                or ImageStreamMappings via the API are not affected by this policy
                - typically only administrators or system integrations will have those
                permissions.
              type: array
              # NOTE(review): items carry no `required` list and no pattern,
              # so an entry without domainName, or with any wildcard form,
              # passes schema validation. Consumer-side checks are not
              # visible here.
              items:
                description: RegistryLocation contains a location of the registry
                  specified by the registry domain name. The domain name might include
                  wildcards, like '*' or '??'.
                type: object
                properties:
                  domainName:
                    description: domainName specifies a domain name for the registry
                      In case the registry use non-standard (80 or 443) port, the
                      port should be included in the domain name as well.
                    type: string
                  # true marks the registry as plain HTTP; when omitted the
                  # registry is assumed secure (per the description).
                  insecure:
                    description: insecure indicates whether the registry is secure
                      (https) or insecure (http) By default (if not specified) the
                      registry is assumed as secure.
                    type: boolean
            # The "hostname[:port]" format is documented only; the schema has
            # no pattern enforcing it.
            externalRegistryHostnames:
              description: externalRegistryHostnames provides the hostnames for the
                default external image registry. The external hostname should be set
                only when the image registry is exposed externally. The first value
                is used in 'publicDockerImageRepository' field in ImageStreams. The
                value must be in "hostname[:port]" format.
              type: array
              items:
                type: string
            # Container-runtime registry policy for builds and pods.
            # NOTE(review): the descriptions say only one of allowedRegistries
            # and blockedRegistries may be set, but this schema carries no
            # constraint expressing that; presumably the consumer enforces
            # it. Confirm.
            registrySources:
              description: registrySources contains configuration that determines
                how the container runtime should treat individual registries when
                accessing images for builds+pods. (e.g. whether or not to allow insecure
                access). It does not contain configuration for the internal cluster
                registry.
              type: object
              properties:
                # Default-deny form: anything not listed is blocked.
                allowedRegistries:
                  description: "allowedRegistries are whitelisted for image pull/push.
                    All other registries are blocked. \n Only one of BlockedRegistries
                    or AllowedRegistries may be set."
                  type: array
                  items:
                    type: string
                # Default-allow form: anything not listed stays reachable.
                blockedRegistries:
                  description: "blockedRegistries are blacklisted from image pull/push.
                    All other registries are allowed. \n Only one of BlockedRegistries
                    or AllowedRegistries may be set."
                  type: array
                  items:
                    type: string
                # Registries listed here are reached without a valid TLS
                # certificate or over plain HTTP (per the description), so
                # image content from them is not protected in transit. Keep
                # the list minimal and audit changes to it.
                insecureRegistries:
                  description: insecureRegistries are registries which do not have
                    a valid TLS certificates or only support HTTP connections.
                  type: array
                  items:
                    type: string
        # Observed state; written through the status subresource enabled
        # above.
        status:
          description: status holds observed values from the cluster. They may not
            be overridden.
          type: object
          properties:
            externalRegistryHostnames:
              description: externalRegistryHostnames provides the hostnames for the
                default external image registry. The external hostname should be set
                only when the image registry is exposed externally. The first value
                is used in 'publicDockerImageRepository' field in ImageStreams. The
                value must be in "hostname[:port]" format.
              type: array
              items:
                type: string
            internalRegistryHostname:
              description: internalRegistryHostname sets the hostname for the default
                internal image registry. The value must be in "hostname[:port]" format.
                This value is set by the image registry operator which controls the
                internal registry hostname. For backward compatibility, users can
                still use OPENSHIFT_DEFAULT_REGISTRY environment variable but this
                setting overrides the environment variable.
              type: string