Browse Source
cri-o: add variable to configure unsecure pull (#6568 )
By default do not allow "unqualified" (without a registry) images
because it is considered unsecure and subject to mitm attacks.
To enable insecure pull configure for example:
crio_registries:
- "docker.io"
- "quay.io"
pull/6597/head
Hans Feldt
4 years ago
committed by
GitHub
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with
10 additions and
2 deletions
roles/container-engine/cri-o/defaults/main.yml
roles/container-engine/cri-o/templates/crio.conf.j2
@ -6,6 +6,11 @@ crio_enable_metrics: false
crio_log_level : "info"
crio_metrics_port : "9090"
crio_pause_image : "{{ pod_infra_image_repo }}:{{ pod_infra_version }}"
# Trusted registries to pull unqualified images (e.g. alpine:latest) from
# By default unqualified images are not allowed for security reasons
crio_registries : [ ]
crio_runc_path : "/usr/bin/runc"
crio_seccomp_profile : ""
crio_selinux : "{{ (preinstall_selinux_state == 'enforcing')|lower }}"
@ -350,8 +350,11 @@ image_volumes = "mkdir"
# compatibility reasons. Depending on your workload and usecase you may add more
# registries (e.g., "quay.io", "registry.fedoraproject.org",
# "registry.opensuse.org", etc.).
#registries = [
# ]
registries = [
{% for registry in crio_registries %}
"{{ registry }}",
{% endfor %}
]
# The crio.network table containers settings pertaining to the management of