cri-o: add variable to configure unsecure pull (#6568)
By default do not allow "unqualified" (without a registry) images because it is considered unsecure and subject to mitm attacks. To enable insecure pull configure for example: crio_registries: - "docker.io" - "quay.io"pull/6597/head
parent
706c7cb4f1
commit
9e2d282709
|
@ -6,6 +6,11 @@ crio_enable_metrics: false
|
|||
crio_log_level: "info"
|
||||
crio_metrics_port: "9090"
|
||||
crio_pause_image: "{{ pod_infra_image_repo }}:{{ pod_infra_version }}"
|
||||
|
||||
# Trusted registries to pull unqualified images (e.g. alpine:latest) from
|
||||
# By default unqualified images are not allowed for security reasons
|
||||
crio_registries: []
|
||||
|
||||
crio_runc_path: "/usr/bin/runc"
|
||||
crio_seccomp_profile: ""
|
||||
crio_selinux: "{{ (preinstall_selinux_state == 'enforcing')|lower }}"
|
||||
|
|
|
@ -350,8 +350,11 @@ image_volumes = "mkdir"
|
|||
# compatibility reasons. Depending on your workload and usecase you may add more
|
||||
# registries (e.g., "quay.io", "registry.fedoraproject.org",
|
||||
# "registry.opensuse.org", etc.).
|
||||
#registries = [
|
||||
# ]
|
||||
registries = [
|
||||
{% for registry in crio_registries %}
|
||||
"{{ registry }}",
|
||||
{% endfor %}
|
||||
]
|
||||
|
||||
|
||||
# The crio.network table containers settings pertaining to the management of
|
||||
|
|
Loading…
Reference in New Issue