How to allow/restrict access to a certain repository in a container registry in RHOCP 4?
Environment
- Red Hat OpenShift Container Platform (RHOCP) 4
Issue
- Is there a possibility to allow pulling only single repositories of a container registry?
- How to allow/restrict access to only certain organisations in quay.io?
- How to allow access to only single repositories from quay.io, instead of whitelisting quay.io completely, for security purposes?
Resolution
- It is possible to allow or block an individual repository within a registry for image pull and push actions by editing the 'image.config.openshift.io/cluster' custom resource (CR). OpenShift Container Platform applies changes to this CR to all nodes in the cluster.

  $ oc get image.config.openshift.io/cluster -o yaml
  apiVersion: config.openshift.io/v1
  kind: Image
  metadata:
    name: cluster
  [..]
  spec:
    registrySources:
      allowedRegistries:
      - quay.io/openshift-release-dev
      - reg1.io/myrepo/myapp:latest

- Specify registries, and optionally a repository in that registry, to use for image pull and push actions. All other registries are blocked.
- Refer to the documentation for whitelisting specific individual repositories within a registry.
Root Cause
The allowedRegistries configuration lets you specify the organisations or repositories that are allowed. If only a registry is specified (for example registry.redhat.io, quay.io, or the default OpenShift image registry), any image can be pulled from that container registry.
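As an added example (not part of the Red Hat article), a small shell helper that builds the merge patch for the allowedRegistries list shown in the Resolution and pre-checks image references against it, following the scope rules assumed here: a bare host allows the whole registry (the point made in the Root Cause), host/namespace allows that namespace, host/namespace/repo allows every tag, and an entry with a tag or digest allows only that exact reference. The function names allowed_registries_patch, image_allowed and apply_allowed_registries are introduced here, and the sample references are constructed.

```shell
#!/bin/sh
# Added example, not from the Red Hat article. image_allowed() is a local
# pre-flight approximation of the allowedRegistries scope rules assumed in
# the lead-in; it is not the cluster's own enforcement.

# Emit a JSON merge patch that sets spec.registrySources.allowedRegistries
# to exactly the entries given as arguments.
allowed_registries_patch() {
  list=""
  for entry in "$@"; do
    list="${list:+$list,}\"$entry\""
  done
  printf '{"spec":{"registrySources":{"allowedRegistries":[%s]}}}\n' "$list"
}

# Return 0 if a fully qualified image reference falls inside one of the
# allowed entries (remaining arguments): bare host -> whole registry,
# host/namespace -> whole namespace, host/namespace/repo -> every tag,
# entry with :tag or @digest -> only that exact reference.
image_allowed() {
  ref="$1"
  shift
  for entry in "$@"; do
    case "$ref" in
      "$entry"|"$entry"/*|"$entry":*|"$entry"@*) return 0 ;;
    esac
  done
  return 1
}

# Apply the list to the cluster (needs oc and cluster-admin). Keep the release
# payload repository from the article's example in the list, because every
# registry not listed is blocked.
apply_allowed_registries() {
  oc patch image.config.openshift.io/cluster --type merge \
    -p "$(allowed_registries_patch "$@")"
}

# Dry run with the article's two entries against constructed references.
ALLOWED="quay.io/openshift-release-dev reg1.io/myrepo/myapp:latest"
for ref in quay.io/openshift-release-dev/ocp-release:4.12.0-x86_64 \
           quay.io/otherorg/app:1.0 reg1.io/myrepo/myapp:latest \
           reg1.io/myrepo/myapp:dev; do
  # shellcheck disable=SC2086
  if image_allowed "$ref" $ALLOWED; then echo "allowed  $ref"; else echo "blocked  $ref"; fi
done
```

Run apply_allowed_registries with the same entries to push the list to the cluster; the dry run above needs no cluster access.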
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.