For any deployment on OpenShift / OKD cluster 4.x, a source for container images is a requirement for it to be successful. OpenShift allows you to use your private registries as source of images. Public registries such as Docker Hub, Quay, gcr, e.t.c and the integrated OpenShift registry always work well. But the problem arise when you want to use private registries without valid SSL certificate or using HTTP.

There are two ways you can use private insecure registries on OpenShift / OKD cluster.

  1. If using self-signed SSL certificate – Import the certificate OpenShift CA trust.
  2. Add the registry to insecure registries list – The Machine Config Operator (MCO) will push updates to all nodes in the cluster and reboot them.

Private image registries for OpenShift / Kubernetes:

Install Harbor Image Registry on Kubernetes / OpenShift with Helm Chart

Install Harbor Container Image Registry on CentOS / Debian / Ubuntu

Install Project Quay Registry on OpenShift With Operator

How To Setup Red Hat Quay Registry on CentOS / RHEL / Ubuntu

Add additional trust stores for image registry access

Let’s assume your registry URL is ocr.example.com, on the default HTTPS port (443), and certificate file is ocr.example.com.crt.

This is how you will configure additional CAs that should be trusted during image imports, pod image pull, and builds. Note that the CAs must be PEM-encoded format.

--- syntax ---
$ oc create configmap registry-config 
  --from-file==ca.crt 
  -n openshift-config

--- Example ---
$ oc create configmap registry-config 
  --from-file=ocr.example.com=ocr.example.com.crt 
  -n openshift-config

Then edit the image registry cluster config and specify additionalTrustedCA.

$ oc edit image.config.openshift.io cluster
spec:
  additionalTrustedCA:
    name: registry-config

Whitelisting insecure image registries 

You can as well add an insecure registry by editing the image.config.openshift.io/cluster custom resource (CR). This is common for registries which only support HTTP connections or have invalid certificates.

Edit the image.config.openshift.io/cluster custom resource:

$ oc edit image.config.openshift.io/cluster

Specify the registries to be permitted for image pull and push actions under the allowedRegistries section.

....
spec:
  additionalTrustedCA:
    name: registry-config
  registrySources:
    insecureRegistries:
    - ocr.example.com

You can add more lines for insecure registries if you have multiple. To block a registry, add like below.

....
spec:
  additionalTrustedCA:
    name: registry-config
  registrySources:
    insecureRegistries:
    - ocr.example.com
    blockedRegistries:
    - untrusted.com

The Machine Config Operator (MCO) watches the image.config.openshift.io/cluster for any changes to registries and reboots the nodes when it detects changes.

The new registry configurations are written to /etc/containers/registries.conf file on each node.

More guides:

How To Check Pod / Container Metrics on OpenShift & Kubernetes

Install Production Kubernetes Cluster with Rancher RKE

Install Minikube Kubernetes on CentOS 8 / CentOS 7 with KVM

How To Create Admin User to Access Kubernetes Dashboard

, , , , , ,
Show Comments