From 9e2d282709630874f558a249e1d43f9d8a678183 Mon Sep 17 00:00:00 2001
From: Hans Feldt <2808287+hafe@users.noreply.github.com>
Date: Thu, 27 Aug 2020 18:09:53 +0200
Subject: [PATCH] cri-o: add variable to configure unsecure pull (#6568)

By default, do not allow "unqualified" images (those without a registry) because
pulling them is considered insecure and subject to MITM attacks.

To enable pulling unqualified images, configure for example:

crio_registries:
  - "docker.io"
  - "quay.io"
---
 roles/container-engine/cri-o/defaults/main.yml      | 5 +++++
 roles/container-engine/cri-o/templates/crio.conf.j2 | 7 +++++--
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/roles/container-engine/cri-o/defaults/main.yml b/roles/container-engine/cri-o/defaults/main.yml
index 03325a527..84b7da88a 100644
--- a/roles/container-engine/cri-o/defaults/main.yml
+++ b/roles/container-engine/cri-o/defaults/main.yml
@@ -6,6 +6,11 @@ crio_enable_metrics: false
 crio_log_level: "info"
 crio_metrics_port: "9090"
 crio_pause_image: "{{ pod_infra_image_repo }}:{{ pod_infra_version }}"
+
+# Trusted registries to pull unqualified images (e.g. alpine:latest) from
+# By default unqualified images are not allowed for security reasons
+crio_registries: []
+
 crio_runc_path: "/usr/bin/runc"
 crio_seccomp_profile: ""
 crio_selinux: "{{ (preinstall_selinux_state == 'enforcing')|lower }}"
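Review bot: The comment on the new `crio_registries` default does not say what an empty list means for the rendered config, which is the security-relevant part of this change. From the second hunk the list is rendered verbatim into the `registries` array of crio.conf, so an empty default leaves that array empty and unqualified pulls stay disabled until an operator adds a registry. I would extend the comment to `# Rendered into the "registries" array of crio.conf; leave empty to keep unqualified pulls disabled` and note that entries must be bare registry hostnames (e.g. "docker.io"), since they are wrapped in quotes by the template.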
diff --git a/roles/container-engine/cri-o/templates/crio.conf.j2 b/roles/container-engine/cri-o/templates/crio.conf.j2
index c5e2cf89a..999cebb1d 100644
--- a/roles/container-engine/cri-o/templates/crio.conf.j2
+++ b/roles/container-engine/cri-o/templates/crio.conf.j2
@@ -350,8 +350,11 @@ image_volumes = "mkdir"
 # compatibility reasons. Depending on your workload and usecase you may add more
 # registries (e.g., "quay.io", "registry.fedoraproject.org",
 # "registry.opensuse.org", etc.).
-#registries = [
-# ]
+registries = [
+  {% for registry in crio_registries %}
+  "{{ registry }}",
+  {% endfor %}
+]
 
 
 # The crio.network table containers settings pertaining to the management of
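Review bot: The context comment kept above the new `registries` block (the "compatibility reasons" / "you may add more registries" lines) appears to describe the previous behaviour where a registry was present by default, but with `crio_registries: []` the template now renders an empty array, so that comment is stale and may mislead an operator into thinking docker.io is still configured. Separately, each entry is interpolated as `"{{ registry }}"` without any escaping, so a value containing a double quote or backslash would produce an invalid TOML string and break crio.conf; `{{ registry | to_json }},` (without the surrounding quotes) yields a correctly quoted TOML basic string for the same inputs. The loop tags are placed on indented lines, which relies on Ansible's trim_blocks setting to avoid stray whitespace-only lines in the rendered file — harmless for TOML but worth a one-line comment.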
-- 
GitLab