Supportability of ImageContentSourcePolicy in ROSA

Solution Verified - Updated -

Environment

  • Red Hat OpenShift Service on AWS (ROSA)
    • 4
  • Red Hat OpenShift Dedicated (OSD)
    • 4

Issue

  • How to configure ImageContentSourcePolicy (ICSP) resources in ROSA clusters.
  • Is it possible to configure ImageDigestMirrorSet and ImageTagMirrorSet in OSD/ROSA clusters?

  • An error is shown when trying to configure an ImageContentSourcePolicy, ImageDigestMirrorSet or ImageTagMirrorSet, even if it is now supported in OSD/ROSA:

    admission webhook "imagecontentpolicies-validation.managed.openshift.io" denied the request: Managed OpenShift customers may not create ImageContentSourcePolicy, ImageDigestMirrorSet, or ImageTagMirrorSet resources that configure mirrors that would conflict with system registries (e.g. quay.io, registry.redhat.io, registry.access.redhat.com, etc).

Resolution

As of recent update, ROSA now supports customer configurability of the following objects by users with dedicated-admin role:

Notes:

  • The source field cannot be set to a value that would conflict with any of the default system registries (quay.io, registry.redhat.io, registry.access.redhat.com).
  • Modifying these objects can in some circumstances cause workloads to reschedule.
  • The object ImageContentSourcePolicy has been deprecated in favor of ImageDigestMirrorSet and ImageTagMirrorSet. However, all three are still functional for the time being.

For more information, please refer to the official documentation.

Root Cause

Previously, it was not supported in ROSA to edit the ImageContentSourcePolicy due to potential drastic influence based on misconfiguration against not only worker nodes, but Control Plane and infrastructure nodes also. This has been updated to allow for customer configurability with certain restrictions.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

Comments