diff options
author | Clayton Coleman <ccoleman@redhat.com> | 2017-05-15 21:46:04 -0400 |
---|---|---|
committer | Clayton Coleman <ccoleman@redhat.com> | 2017-05-15 22:38:42 -0400 |
commit | dcd285f410de6ae1a32a25b9287ef8f9d3d7e97a (patch) | |
tree | 0a194dc69b212d44076c9445186677771483acbc /roles/openshift_master_facts | |
parent | 15fd42020a0b5fee665c45cd23b9ba3bd152251d (diff) | |
download | openshift-dcd285f410de6ae1a32a25b9287ef8f9d3d7e97a.tar.gz openshift-dcd285f410de6ae1a32a25b9287ef8f9d3d7e97a.tar.bz2 openshift-dcd285f410de6ae1a32a25b9287ef8f9d3d7e97a.tar.xz openshift-dcd285f410de6ae1a32a25b9287ef8f9d3d7e97a.zip |
Default image policy on new clusters to on
Will allow for default image resolution to be used.
Diffstat (limited to 'roles/openshift_master_facts')
-rw-r--r-- | roles/openshift_master_facts/defaults/main.yml | 22 | ||||
-rw-r--r-- | roles/openshift_master_facts/tasks/main.yml | 2 |
2 files changed, 23 insertions, 1 deletions
diff --git a/roles/openshift_master_facts/defaults/main.yml b/roles/openshift_master_facts/defaults/main.yml index f1cbbeb2d..a80313505 100644 --- a/roles/openshift_master_facts/defaults/main.yml +++ b/roles/openshift_master_facts/defaults/main.yml @@ -1,2 +1,24 @@ --- openshift_master_default_subdomain: "{{ lookup('oo_option', 'openshift_master_default_subdomain') | default(None, true) }}" +openshift_master_admission_plugin_config: + openshift.io/ImagePolicy: + configuration: + kind: ImagePolicyConfig + apiVersion: v1 + # To require that all images running on the platform be imported first, you may uncomment the + # following rule. Any image that refers to a registry outside of OpenShift will be rejected unless it + # unless it points directly to an image digest (myregistry.com/myrepo/image@sha256:ea83bcf...) and that + # digest has been imported via the import-image flow. + #resolveImages: Required + executionRules: + - name: execution-denied + # Reject all images that have the annotation images.openshift.io/deny-execution set to true. + # This annotation may be set by infrastructure that wishes to flag particular images as dangerous + onResources: + - resource: pods + - resource: builds + reject: true + matchImageAnnotations: + - key: images.openshift.io/deny-execution + value: "true" + skipOnResolutionFailure: true diff --git a/roles/openshift_master_facts/tasks/main.yml b/roles/openshift_master_facts/tasks/main.yml index f048e0aef..79f054b42 100644 --- a/roles/openshift_master_facts/tasks/main.yml +++ b/roles/openshift_master_facts/tasks/main.yml @@ -92,7 +92,7 @@ master_count: "{{ openshift_master_count | default(None) }}" controller_lease_ttl: "{{ osm_controller_lease_ttl | default(None) }}" master_image: "{{ osm_image | default(None) }}" - admission_plugin_config: "{{openshift_master_admission_plugin_config | default(None) }}" + admission_plugin_config: "{{openshift_master_admission_plugin_config }}" kube_admission_plugin_config: "{{openshift_master_kube_admission_plugin_config | default(None) }}" # deprecated, merged with admission_plugin_config oauth_template: "{{ openshift_master_oauth_template | default(None) }}" # deprecated in origin 1.2 / OSE 3.2 oauth_templates: "{{ openshift_master_oauth_templates | default(None) }}" |