registry-config-allowed-registries
Use the following steps to configure the image registry.

The image.config.openshift.io/cluster resource holds cluster-wide information about how to handle images. The resource exists, but it is read-only and can only be changed through supported tools such as the ROSA CLI (rosa). The canonical, and only valid, name is cluster. It is configured on Red Hat OpenShift Service on AWS with hosted control planes through ROSA CLI (rosa) commands.
| ROSA CLI parameter | Description |
|---|---|
| --registry-config-allowed-registries | Registries for which image pull and push actions are allowed. To specify all subdomains, add an asterisk (*) as a prefix to the domain name. |
| --registry-config-insecure-registries | Registries that do not have a valid TLS certificate or only support HTTP connections. To specify all subdomains, add an asterisk (*) as a prefix to the domain name. |
| --registry-config-blocked-registries | Registries for which image pull and push actions are denied. To specify all subdomains, add an asterisk (*) as a prefix to the domain name. |
| --registry-config-allowed-registries-for-import | Contains configuration that determines how the container runtime should treat individual registries when accessing images for builds and pods, for example whether to allow insecure access. It does not contain configuration for the internal cluster registry. Limits the container image registries from which normal users can import images. The format should be a comma-separated list of domainName:insecure. |
| --registry-config-additional-trusted-ca | A JSON file containing the registry hostname as the key and the PEM-encoded certificate as the value for each additional registry CA to trust. |
You can configure the image registry settings when you create the cluster. The cluster's nodes use the required configuration after creation.

Create a ROSA with HCP cluster with an image registry configuration by running the following command:
```
$ rosa create cluster --cluster-name=<cluster_name> --sts --mode=auto \
   --hosted-cp --operator-roles-prefix <operator_role_prefix> \
   --oidc-config-id <id_of_oidc_configuration> \
   --subnet-ids=<public_subnet_id>,<private_subnet_id> \
   --registry-config-insecure-registries <insecure_registries> \
   --registry-config-allowed-registries <allowed_registries> \
   --registry-config-allowed-registries-for-import <registry_name:insecure> \
   --registry-config-additional-trusted-ca <additional_trusted_ca_file>
```

Note: Avoid using insecure external registries to reduce possible security risks.
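As an added example, not code from the ROSA CLI or the Red Hat documentation, the following Python helper applies the constraints from the parameter table before the values reach `rosa create cluster`: the host or `*.domain` wildcard form, the `domainName:insecure` import format, the mutual exclusion of allowed and blocked registries, and the hostname-to-PEM layout of the additional trusted CA file. The `--registry-config-blocked-registries` flag name and the literal true/false form of the insecure field are assumptions.

```python
import json
import re
# Added example, not from the ROSA CLI or Red Hat docs: pre-flight checks for the --registry-config-*
# values described above and generation of the JSON that --registry-config-additional-trusted-ca expects.
# Registry host with optional "*." wildcard prefix and optional :port, as the page describes.
_HOST = re.compile(r"^(\*\.)?[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*(:\d{1,5})?$")

def validate_registries(csv_value):
    """Split a comma-separated registry list; reject entries that are not host[:port]."""
    entries = [e.strip() for e in csv_value.split(",") if e.strip()]
    bad = [e for e in entries if not _HOST.match(e.lower())]
    if bad:
        raise ValueError(f"malformed registry entries: {bad}")
    return entries

def parse_import_list(csv_value):
    """Parse domainName:insecure entries into (domain, insecure) pairs.
    Assumption: the insecure field is the literal true or false, as in the describe output."""
    pairs = []
    for entry in (e.strip() for e in csv_value.split(",") if e.strip()):
        domain, sep, flag = entry.rpartition(":")
        if not sep or flag not in ("true", "false") or not _HOST.match(domain.lower()):
            raise ValueError(f"expected domainName:insecure, got {entry!r}")
        pairs.append((domain, flag == "true"))
    return pairs

def additional_trusted_ca_json(pem_by_host):
    """JSON for --registry-config-additional-trusted-ca: concrete hostname -> PEM-encoded CA."""
    for host, pem in pem_by_host.items():
        if host.startswith("*") or not _HOST.match(host.lower()):
            raise ValueError(f"CA key must be a concrete registry hostname: {host!r}")
        if not pem.lstrip().startswith("-----BEGIN CERTIFICATE-----"):
            raise ValueError(f"value for {host} is not a PEM certificate")
    return json.dumps(pem_by_host, indent=2)

def registry_args(allowed=None, blocked=None, insecure=None, for_import=None, ca_file=None):
    """Assemble the flags for rosa create/edit cluster; allowed and blocked are mutually exclusive."""
    if allowed and blocked:
        raise ValueError("allowed and blocked registries are mutually exclusive")
    args = []
    for kind, value in (("allowed", allowed), ("blocked", blocked), ("insecure", insecure)):
        if value:  # blocked flag name is assumed, not shown on this page
            args += [f"--registry-config-{kind}-registries", ",".join(validate_registries(value))]
    if for_import:
        parse_import_list(for_import)  # fail early instead of at the CLI
        args += ["--registry-config-allowed-registries-for-import", for_import]
    if ca_file:
        args += ["--registry-config-additional-trusted-ca", ca_file]
    return args
```

Write the string returned by `additional_trusted_ca_json` to a file and pass its path as `ca_file`; the returned argument list can be appended to the `rosa create cluster` invocation above.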
Run the rosa describe command to verify that your image registry configuration is enabled:

```
$ rosa describe cluster --cluster=<cluster_name>
```

Example output:

```
Name:                       rosa-hcp-test
Domain Prefix:              rosa-hcp-test
Display Name:               rosa-hcp-test
ID:                         <cluster_hcp_id>
External ID:                <cluster_hcp_id>
Control Plane:              ROSA Service Hosted
OpenShift Version:          4.Y.Z
Channel Group:              stable
DNS:                        <dns>
AWS Account:                <aws_id>
AWS Billing Account:        <aws_id>
API URL:                    <ocm_api>
Console URL:
Region:                     us-east-1
Availability:
 - Control Plane:           MultiAZ
 - Data Plane:              SingleAZ
Nodes:
 - Compute (desired):       2
 - Compute (current):       2
Network:
 - Type:                    OVNKubernetes
 - Service CIDR:            <service_cidr>
 - Machine CIDR:            <machine_cidr>
 - Pod CIDR:                <pod_cidr>
 - Host Prefix:             /23
 - Subnets:                 <subnet_ids>
EC2 Metadata Http Tokens:   optional
Role (STS) ARN:             arn:aws:iam::<aws_id>:role/<account_roles_prefix>-HCP-ROSA-Installer-Role
Support Role ARN:           arn:aws:iam::<aws_id>:role/<account_roles_prefix>-HCP-ROSA-Support-Role
Instance IAM Roles:
 - Worker:                  arn:aws:iam::<aws_id>:role/<account_roles_prefix>-HCP-ROSA-Worker-Role
Operator IAM Roles:
 - arn:aws:iam::<aws_id>:role/<operator_roles_prefix>-kube-system-capa-controller-manager
 - arn:aws:iam::<aws_id>:role/<operator_roles_prefix>-kube-system-control-plane-operator
 - arn:aws:iam::<aws_id>:role/<operator_roles_prefix>-kube-system-kms-provider
 - arn:aws:iam::<aws_id>:role/<operator_roles_prefix>-openshift-image-registry-installer-cloud-cred
 - arn:aws:iam::<aws_id>:role/<operator_roles_prefix>-openshift-ingress-operator-cloud-credentials
 - arn:aws:iam::<aws_id>:role/<operator_roles_prefix>-openshift-cluster-csi-drivers-ebs-cloud-credent
 - arn:aws:iam::<aws_id>:role/<operator_roles_prefix>-openshift-cloud-network-config-controller-cloud
Managed Policies:           Yes
State:                      ready
Private:                    No
Delete Protection:          Disabled
Created:                    Oct 01 2030 09:48:52 UTC
User Workload Monitoring:   Enabled
OIDC Endpoint URL:          https://<endpoint> (Managed)
Audit Log Forwarding:       Disabled
External Authentication:    Disabled
Etcd Encryption:            Disabled
Registry Configuration:
 - Allowed Registries: <allowed_registry>  (1) (2)
 - Insecure Registries: <insecure_registry> (3)
 - Allowed Registries for Import: (4)
    - Domain Name: <domain_name> (5)
    - Insecure: true (6)
 - Platform Allowlist: <platform_allowlist_id> (7)
    - Registries:      <list_of_registries> (8)
 - Additional Trusted CA: (9)
    - <registry_name> : REDACTED
```

| Callout | Description |
|---|---|
| 1 | Allowed registries: a comma-separated list of registries for which image pull and push actions are allowed. |
| 2 | Blocked registries: a comma-separated list of registries for which image pull and push actions are denied. The allowedRegistries and blockedRegistries parameters are mutually exclusive. |
| 3 | Insecure registries: a comma-separated list of registries that do not have a valid TLS certificate or only support HTTP connections. |
| 4 | Allowed registries for import: limits the container image registries from which normal users can import images. The format should be a comma-separated list of domainName:insecure. |
| 5 | domainName: specifies the domain name of the registry. |
| 6 | insecure: indicates whether the registry is secure. |
| 7 | Platform allowlist: a reference to the ID of the list of registries that must be allowlisted for the platform to work. |
| 8 | Registries: the list of registries that must be allowlisted for the platform to work. |
| 9 | Additional trusted CA: a JSON file containing the registry hostname as the key and the PEM-encoded certificate as the value for each additional registry CA to trust. |
List your nodes to check the applied changes by running the following command:

```
$ oc get nodes
```

Example output:

```
NAME                                         STATUS                     ROLES                  AGE   VERSION
ip-10-0-137-182.us-east-2.compute.internal   Ready,SchedulingDisabled   worker                 65m   v1.30.3
ip-10-0-188-96.us-east-2.compute.internal    Ready                      worker                 65m   v1.30.3
ip-10-0-200-59.us-east-2.compute.internal    Ready                      worker                 63m   v1.30.3
```

You can change the image registry configuration by using the rosa edit command.

Note: Changing any registry-related parameter triggers a rollout across all machine pools; all machine pool nodes are re-created, following pod draining from each node.
Update or edit the cluster's image registry configuration by running the following command:

```
$ rosa edit cluster --registry-config-insecure-registries <insecure_registries> \
   --registry-config-allowed-registries <allowed_registries> \
   --registry-config-allowed-registries-for-import <registry_name:insecure> \
   --registry-config-additional-trusted-ca <additional_trusted_ca_file>
```

Example output:

```
? Changing any registry related parameter will trigger a rollout across all machinepools
(all machinepool nodes will be recreated, following pod draining from each node).
Do you want to proceed? Yes
I: Updated cluster '<cluster_name>'
```

Run the rosa describe command again to confirm that the changes you made to the image registry configuration have been applied:
```
$ rosa describe cluster --cluster=<cluster_name>
```

Example output:

```
Name:                       rosa-hcp-test
Domain Prefix:              rosa-hcp-test
Display Name:               rosa-hcp-test
ID:                         <cluster_hcp_id>
External ID:                <cluster_hcp_id>
Control Plane:              ROSA Service Hosted
OpenShift Version:          4.Y.Z
Channel Group:              stable
DNS:                        <dns>
AWS Account:                <aws_id>
AWS Billing Account:        <aws_id>
API URL:                    <ocm_api>
Console URL:
Region:                     us-east-1
Availability:
 - Control Plane:           MultiAZ
 - Data Plane:              SingleAZ
Nodes:
 - Compute (desired):       2
 - Compute (current):       2
Network:
 - Type:                    OVNKubernetes
 - Service CIDR:            <service_cidr>
 - Machine CIDR:            <machine_cidr>
 - Pod CIDR:                <pod_cidr>
 - Host Prefix:             /23
 - Subnets:                 <subnet_ids>
EC2 Metadata Http Tokens:   optional
Role (STS) ARN:             arn:aws:iam::<aws_id>:role/<account_roles_prefix>-HCP-ROSA-Installer-Role
Support Role ARN:           arn:aws:iam::<aws_id>:role/<account_roles_prefix>-HCP-ROSA-Support-Role
Instance IAM Roles:
 - Worker:                  arn:aws:iam::<aws_id>:role/<account_roles_prefix>-HCP-ROSA-Worker-Role
Operator IAM Roles:
 - arn:aws:iam::<aws_id>:role/<operator_roles_prefix>-kube-system-capa-controller-manager
 - arn:aws:iam::<aws_id>:role/<operator_roles_prefix>-kube-system-control-plane-operator
 - arn:aws:iam::<aws_id>:role/<operator_roles_prefix>-kube-system-kms-provider
 - arn:aws:iam::<aws_id>:role/<operator_roles_prefix>-openshift-image-registry-installer-cloud-cred
 - arn:aws:iam::<aws_id>:role/<operator_roles_prefix>-openshift-ingress-operator-cloud-credentials
 - arn:aws:iam::<aws_id>:role/<operator_roles_prefix>-openshift-cluster-csi-drivers-ebs-cloud-credent
 - arn:aws:iam::<aws_id>:role/<operator_roles_prefix>-openshift-cloud-network-config-controller-cloud
Managed Policies:           Yes
State:                      ready
Private:                    No
Delete Protection:          Disabled
Created:                    Oct 01 2030 09:48:52 UTC
User Workload Monitoring:   Enabled
OIDC Endpoint URL:          https://<endpoint> (Managed)
Audit Log Forwarding:       Disabled
External Authentication:    Disabled
Etcd Encryption:            Disabled
Registry Configuration:
 - Allowed Registries: <allowed_registry>  (1) (2)
 - Insecure Registries: <insecure_registry> (3)
 - Allowed Registries for Import: (4)
    - Domain Name: <domain_name> (5)
    - Insecure: true (6)
 - Platform Allowlist: <platform_allowlist_id> (7)
    - Registries:      <list_of_registries> (8)
 - Additional Trusted CA: (9)
    - <registry_name> : REDACTED
```

| Callout | Description |
|---|---|
| 1 | Allowed registries: a comma-separated list of registries for which image pull and push actions are allowed. |
| 2 | Blocked registries: a comma-separated list of registries for which image pull and push actions are denied. The allowedRegistries and blockedRegistries parameters are mutually exclusive. |
| 3 | Insecure registries: a comma-separated list of registries that do not have a valid TLS certificate or only support HTTP connections. |
| 4 | Allowed registries for import: limits the container image registries from which normal users can import images. The format should be a comma-separated list of domainName:insecure. |
| 5 | domainName: specifies the domain name of the registry. |
| 6 | insecure: indicates whether the registry is secure. |
| 7 | Platform allowlist: a reference to the ID of the list of registries that must be allowlisted for the platform to work. |
| 8 | Registries: the list of registries that must be allowlisted for the platform to work. |
| 9 | Additional trusted CA: a JSON file containing the registry hostname as the key and the PEM-encoded certificate as the value for each additional registry CA to trust. |