diff options
author | Clayton Coleman <ccoleman@redhat.com> | 2017-05-15 21:46:04 -0400 |
---|---|---|
committer | Clayton Coleman <ccoleman@redhat.com> | 2017-05-15 22:38:42 -0400 |
commit | dcd285f410de6ae1a32a25b9287ef8f9d3d7e97a (patch) | |
tree | 0a194dc69b212d44076c9445186677771483acbc /roles/openshift_master_facts/defaults | |
parent | 15fd42020a0b5fee665c45cd23b9ba3bd152251d (diff) | |
download | openshift-dcd285f410de6ae1a32a25b9287ef8f9d3d7e97a.tar.gz openshift-dcd285f410de6ae1a32a25b9287ef8f9d3d7e97a.tar.bz2 openshift-dcd285f410de6ae1a32a25b9287ef8f9d3d7e97a.tar.xz openshift-dcd285f410de6ae1a32a25b9287ef8f9d3d7e97a.zip |
Default image policy on new clusters to on
Will allow for default image resolution to be used.
Diffstat (limited to 'roles/openshift_master_facts/defaults')
-rw-r--r-- | roles/openshift_master_facts/defaults/main.yml | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/roles/openshift_master_facts/defaults/main.yml b/roles/openshift_master_facts/defaults/main.yml index f1cbbeb2d..a80313505 100644 --- a/roles/openshift_master_facts/defaults/main.yml +++ b/roles/openshift_master_facts/defaults/main.yml @@ -1,2 +1,24 @@ --- openshift_master_default_subdomain: "{{ lookup('oo_option', 'openshift_master_default_subdomain') | default(None, true) }}" +openshift_master_admission_plugin_config: + openshift.io/ImagePolicy: + configuration: + kind: ImagePolicyConfig + apiVersion: v1 + # To require that all images running on the platform be imported first, you may uncomment the + # following rule. Any image that refers to a registry outside of OpenShift will be rejected unless it + # unless it points directly to an image digest (myregistry.com/myrepo/image@sha256:ea83bcf...) and that + # digest has been imported via the import-image flow. + #resolveImages: Required + executionRules: + - name: execution-denied + # Reject all images that have the annotation images.openshift.io/deny-execution set to true. + # This annotation may be set by infrastructure that wishes to flag particular images as dangerous + onResources: + - resource: pods + - resource: builds + reject: true + matchImageAnnotations: + - key: images.openshift.io/deny-execution + value: "true" + skipOnResolutionFailure: true |