Importing insecure registries on OpenShift Container Platform

Haluk KARAKAYA
Dec 22, 2020

Sometimes we pull an image through a proxy server and run into SSL issues. To work around this, we can define an insecure registry in the image config of the OpenShift cluster.

It can be thought of as the OpenShift equivalent of the command

podman pull --tls-verify=false .

To do this:

$ oc edit image.config cluster

Then edit the YAML file.

apiVersion: config.openshift.io/v1
kind: Image
metadata:
  annotations:
    release.openshift.io/create-only: "true"
  creationTimestamp: "2019-05-17T13:44:26Z"
  generation: 1
  name: cluster
  resourceVersion: "8302"
  selfLink: /apis/config.openshift.io/v1/images/cluster
  uid: e34555da-78a9-11e9-b92b-06d6c7da38dc
spec:
  allowedRegistriesForImport:
  - domainName: quay.io
    insecure: false
  additionalTrustedCA:
    name: myconfigmap
  registrySources:
    # Registries listed here are pulled from without TLS verification.
    insecureRegistries:
    - docker.io
    - quay.io
    # Set either blockedRegistries or allowedRegistries, not both.
    blockedRegistries:
    - untrusted.com
    allowedRegistries:
    - quay.io
status:
  internalRegistryHostname: image-registry.openshift-image-registry.svc:5000

You can set blocked or allowed registries, but not both.

If you set allowed registries, all others are blocked; if you set blocked registries, all others are allowed.

You can check the registries configured on the nodes by looking at the registries.conf file after the nodes have rebooted.

cat /host/etc/containers/registries.conf
[registries]
[registries.search]
registries = ["registry.access.redhat.com", "docker.io"]
[registries.insecure]
registries = ["docker.io", "quay.io"]
[registries.block]
registries = ["untrusted.com"]
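An added example, not part of the original post: a small Python audit of the registries.conf output above that reports every registry whose pulls skip TLS verification, rating it higher when it is also a search registry. The function names and severity labels are assumptions of this example, and the parser handles only the v1 layout shown here.

```python
import json
import re

# Constructed sample: the v1-format registries.conf shown on this page.
SAMPLE_CONF = """\
[registries]
[registries.search]
registries = ["registry.access.redhat.com", "docker.io"]
[registries.insecure]
registries = ["docker.io", "quay.io"]
[registries.block]
registries = ["untrusted.com"]
"""

SECTION_RE = re.compile(r"^\[registries\.(\w+)\]$")
LIST_RE = re.compile(r"^registries\s*=\s*(\[.*\])$")


def parse_registries_v1(text):
    """Minimal parser for the layout above (one single-line array per
    section); it is not a general TOML parser."""
    lists = {"search": [], "insecure": [], "block": []}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            m = SECTION_RE.match(line)
            section = m.group(1) if m else None
            continue
        m = LIST_RE.match(line)
        if m and section in lists:
            # A TOML array of double-quoted strings is also valid JSON.
            lists[section] = json.loads(m.group(1))
    return lists


def audit(lists):
    """Return sorted (severity, registry, reason) findings."""
    findings = []
    for reg in lists["insecure"]:
        if reg in lists["block"]:
            continue  # blocked registries are never pulled from
        if reg in lists["search"]:
            findings.append(("HIGH", reg,
                "unqualified image names can resolve here without TLS verification"))
        else:
            findings.append(("MEDIUM", reg, "pulls skip TLS certificate verification"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(parse_registries_v1(SAMPLE_CONF)):
        print(*finding, sep="\t")
```

To audit a live node, pass the contents of /host/etc/containers/registries.conf to parse_registries_v1 instead of the sample string.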
