diff --git a/roles/container-engine/cri-o/defaults/main.yml b/roles/container-engine/cri-o/defaults/main.yml
index 03325a5274842de1af7b4f3f1b9ab3824c16f4a0..84b7da88aaf8d87094996894e219f07e643706c8 100644
--- a/roles/container-engine/cri-o/defaults/main.yml
+++ b/roles/container-engine/cri-o/defaults/main.yml
@@ -6,6 +6,11 @@ crio_enable_metrics: false
 crio_log_level: "info"
 crio_metrics_port: "9090"
 crio_pause_image: "{{ pod_infra_image_repo }}:{{ pod_infra_version }}"
+
+# Trusted registries to pull unqualified images (e.g. alpine:latest) from
+# By default unqualified images are not allowed for security reasons
+crio_registries: []
+
 crio_runc_path: "/usr/bin/runc"
 crio_seccomp_profile: ""
 crio_selinux: "{{ (preinstall_selinux_state == 'enforcing')|lower }}"
diff --git a/roles/container-engine/cri-o/templates/crio.conf.j2 b/roles/container-engine/cri-o/templates/crio.conf.j2
index c5e2cf89a764bdea63bb531c3bc9cdcaec653bd0..999cebb1d5e65e4f94d8d8ce4ac320fe48d00b1f 100644
--- a/roles/container-engine/cri-o/templates/crio.conf.j2
+++ b/roles/container-engine/cri-o/templates/crio.conf.j2
@@ -350,8 +350,11 @@ image_volumes = "mkdir"
 # compatibility reasons. Depending on your workload and usecase you may add more
 # registries (e.g., "quay.io", "registry.fedoraproject.org",
 # "registry.opensuse.org", etc.).
-#registries = [
-# ]
+registries = [
+  {% for registry in crio_registries %}
+  "{{ registry }}",
+  {% endfor %}
+]
 
 
 # The crio.network table containers settings pertaining to the management of