OpenShift 4 之配置Insecure Registry和Blocked Registry镜像源

OpenShift 4安装后缺省是将registry.access.redhat.com和docker.io作为容器镜像源。我们可以通过修改配置为OpenShift 4添加其他镜像源，例如Insecure Registry和Blocked Registry镜像源。

首先查看缺省的Image Registry配置，其中包括Registry的internal和external的访问地址。

$ oc get images.config.openshift.io -n openshift-config
NAME      AGE
cluster   22d

$ oc get images.config.openshift.io cluster -o yaml -n openshift-config
apiVersion: config.openshift.io/v1
kind: Image
metadata:
  annotations:
    release.openshift.io/create-only: "true"
  creationTimestamp: "2019-11-22T15:53:20Z"
  generation: 1
  name: cluster
  resourceVersion: "20150"
  selfLink: /apis/config.openshift.io/v1/images/cluster
  uid: 35059e15-0d40-11ea-912d-525400ae0293
spec: {}
status:
  externalRegistryHostnames:
  - default-route-openshift-image-registry.apps-crc.testing
  internalRegistryHostname: image-registry.openshift-image-registry.svc:5000

执行以下命令可以修改images.config.openshift.io配置：

$ oc edit images.config.openshift.io cluster

我们可以在上面的spec: {}中添加定制的blockedRegistries和insecureRegistries配置。

spec:
  registrySources:
    blockedRegistries:
    - docker.io
    insecureRegistries:
    - bastion.mycloud.com:5000
    - 198.18.100.1:5000

在修改完后OpenShift会自动更新所有masters和nodes节点上的配置文件/etc/containers/registries.conf。使用《OpenShift 4 之进入到集群节点内执行sosreport收集故障信息》登录到节点查看Registry的配置文件。

[core@worker-0 ~]$ sudo cat /etc/containers/registries.conf
[registries]
  [registries.search]
    registries = ["registry.access.redhat.com", "docker.io"]
  [registries.insecure]
    registries = ["bastion.mycloud.com:5000", "198.18.100.1:5000"]
  [registries.block]
    registries = ["docker.io"]

最后我们可以验证一下，执行以下命令使用docker.io的镜像，然后可以从日志中查看到错误消息：

$ oc new-app --name sleep https://github.com/liuxiaoyu-git/openshift-dockerfile-example.git
$ oc logs bc/sleep
。。。。。
Pulling image bash@sha256:d6696f7ac04ec9753f56c6bb2ab69b4f03a39a14a3dd72341bb41b9f6855def9 ...
Warning: Pull failed, retrying in 5s ...
Warning: Pull failed, retrying in 5s ...
Warning: Pull failed, retrying in 5s ...
error: build error: failed to pull image: After retrying 2 times, Pull image still failed due to error: while pulling "docker://bash@sha256:d6696f7ac04ec9753f56c6bb2ab69b4f03a39a14a3dd72341bb41b9f6855def9" as "bash@sha256:d6696f7ac04ec9753f56c6bb2ab69b4f03a39a14a3dd72341bb41b9f6855def9": pullaccess to registry for "docker://bash@sha256:d6696f7ac04ec9753f56c6bb2ab69b4f03a39a14a3dd72341bb41b9f6855def9" is blocked by configuration