
Commit 5d79e76

Merge pull request #71888 from mburke5678/node-containerRuntimeSearchRegistries-warning-note
OCPBUGS28387: Warning about containerRuntimeSearchRegistries not clear about default behavior
2 parents 00f315b + c07a6d2 commit 5d79e76


1 file changed

+1
-1
lines changed


modules/images-configuration-shortname.adoc

Lines changed: 1 addition & 1 deletion
@@ -21,7 +21,7 @@ Using image short names with public registries is strongly discouraged because t
2121
2222
Red Hat internal or private registries typically support the use of image short names.
2323
24-
If you list public registries under the `containerRuntimeSearchRegistries` parameter, you expose your credentials to all the registries on the list and you risk network and registry attacks.
24+
If you list public registries under the `containerRuntimeSearchRegistries` parameter (including the `registry.redhat.io`, `docker.io`, and `quay.io` registries), you expose your credentials to all the registries on the list, and you risk network and registry attacks. Because you can only have one pull secret for pulling images, as defined by the global pull secret, that secret is used to authenticate against every registry in that list. Therefore, if you include public registries in the list, you introduce a security risk.
2525
2626
You cannot list multiple public registries under the `containerRuntimeSearchRegistries` parameter if each public registry requires different credentials and a cluster does not list the public registry in the global pull secret.
2727
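
Review bot: The new line 24 names `registry.redhat.io`, `docker.io`, and `quay.io` only in a parenthetical and never says whether those registries are searched by default, which is the gap the commit title ("not clear about default behavior") points at; if they are the default search list, say so explicitly so readers know whether the warning applies to an unmodified cluster. The closing sentence ("Therefore, if you include public registries in the list, you introduce a security risk.") repeats the opening clause and can be dropped, leaving the global pull secret explanation as the stated reason. It would also help to tie the warning to the alternative already given in this section's context, using fully qualified image names rather than short names, so the paragraph ends on what the reader should do.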
