Commit 4666895

BZ1998132: Clarified image short name note in Image configuration resources doc
1 parent a9fd3ec commit 4666895

1 file changed

+11
-2
lines changed

modules/images-configuration-shortname.adoc

Lines changed: 11 additions & 2 deletions
@@ -17,9 +17,18 @@ When pulling or pushing images, the container runtime searches the registries li
1717

1818
[WARNING]
1919
====
20-
Using image short names with public registries is strongly discouraged. You should use image short names with only internal or private registries.
20+
Using image short names with public registries is strongly discouraged because the image might not deploy if the public registry requires authentication. Use fully-qualified image names with public registries.
2121
22-
If you list public registries under the `containerRuntimeSearchRegistries` parameter, you expose your credentials to all the registries on the list and you risk network and registry attacks. You should always use fully-qualified image names with public registries.
22+
Red Hat internal or private registries typically support the use of image short names.
23+
24+
If you list public registries under the `containerRuntimeSearchRegistries` parameter, you expose your credentials to all the registries on the list and you risk network and registry attacks.
25+
26+
You cannot list multiple public registries under the `containerRuntimeSearchRegistries` parameter if each public registry requires different credentials and a cluster does not list the public registry in the global pull secret.
27+
28+
For a public registry that requires authentication, you can use an image short name only if the registry has its credentials stored in the global pull secret.
29+
////
30+
Potentially add the last line to the Ignoring image registry repository mirroring section.
31+
////
2332
====
2433

2534
The Machine Config Operator (MCO) watches the `image.config.openshift.io/cluster` resource for any changes to the registries. When the MCO detects a change, it drains the nodes, applies the change, and uncordons the nodes. After the nodes return to the `Ready` state, if the `containerRuntimeSearchRegistries` parameter is added, the MCO creates a file in the `/etc/containers/registries.conf.d` directory on each node with the listed registries. The file overrides the default list of unqualified search registries in the `/host/etc/containers/registries.conf` file. There is no way to fall back to the default list of unqualified search registries.
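
Review bot: The rewritten opening sentence of the warning (new line 20) justifies avoiding short names with public registries only by deployability ("the image might not deploy if the public registry requires authentication"), while the credential-exposure and registry-attack risk now sits two paragraphs lower, at new line 24. Consider keeping the security reason in the first sentence, or moving the `containerRuntimeSearchRegistries` paragraph directly after it, so a reader who stops early still sees why the practice is discouraged. At new line 26 the condition mixes "each public registry" with "the public registry" and "a cluster", so it is unclear which registry has to be absent from the global pull secret; rewording with consistent number would remove the ambiguity. The `////` comment block at new lines 29-31 leaves an open editorial question inside the module; resolve it or track it outside the source before merging.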
