From a4b90a1cdc770301b857cb547a31c9e800621da3 Mon Sep 17 00:00:00 2001
From: Hans Feldt <2808287+hafe@users.noreply.github.com>
Date: Thu, 20 Aug 2020 20:14:10 +0200
Subject: [PATCH] cri-o: add variable to configure unsecure pull

By default do not allow "unqualified" (without a registry) images because it is considered unsecure and subject to mitm attacks. To enable insecure pull configure for example: crio_registries: - "docker.io" - "quay.io"
---
 roles/container-engine/cri-o/defaults/main.yml | 5 +++++
 roles/container-engine/cri-o/templates/crio.conf.j2 | 7 +++++--
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/roles/container-engine/cri-o/defaults/main.yml b/roles/container-engine/cri-o/defaults/main.yml
index 03325a52748..84b7da88aaf 100644
--- a/roles/container-engine/cri-o/defaults/main.yml
+++ b/roles/container-engine/cri-o/defaults/main.yml
@@ -6,6 +6,11 @@ crio_enable_metrics: false
 crio_log_level: "info"
 crio_metrics_port: "9090"
 crio_pause_image: "{{ pod_infra_image_repo }}:{{ pod_infra_version }}"
+
+# Trusted registries to pull unqualified images (e.g. alpine:latest) from
+# By default unqualified images are not allowed for security reasons
+crio_registries: []
+
 crio_runc_path: "/usr/bin/runc"
 crio_seccomp_profile: ""
 crio_selinux: "{{ (preinstall_selinux_state == 'enforcing')|lower }}"
diff --git a/roles/container-engine/cri-o/templates/crio.conf.j2 b/roles/container-engine/cri-o/templates/crio.conf.j2
index c5e2cf89a76..999cebb1d5e 100644
--- a/roles/container-engine/cri-o/templates/crio.conf.j2
+++ b/roles/container-engine/cri-o/templates/crio.conf.j2
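Review bot: The comment above `crio_registries: []` calls the entries "trusted" registries, but what the value feeds (the `registries = [...]` array in the second hunk) is only cri-o's search list for unqualified names such as `alpine:latest`; nothing in this change touches TLS or signature verification, and listing a host here grants it no other trust. Readers who pair that wording with the "unsecure pull" subject may assume the variable enables plain-HTTP or unverified registry access, which it does not. I would reword the two comment lines to `# Registries searched to resolve unqualified image names (e.g. alpine:latest); presumably tried in list order, so put the intended one first` and `# Empty by default so an unqualified name fails to pull instead of resolving against an unintended registry`. The empty-list default itself is the right choice and matches the rationale in the commit message.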
@@ -350,8 +350,11 @@ image_volumes = "mkdir"
 # compatibility reasons. Depending on your workload and usecase you may add more
 # registries (e.g., "quay.io", "registry.fedoraproject.org",
 # "registry.opensuse.org", etc.).
-#registries = [
-# ]
+registries = [
+ {% for registry in crio_registries %}
+ "{{ registry }}",
+ {% endfor %}
+]
 # The crio.network table containers settings pertaining to the management of