diff options
| author | OpenShift Bot <eparis+openshiftbot@redhat.com> | 2017-05-17 11:34:59 -0500 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2017-05-17 11:34:59 -0500 |
| commit | 9c05f942003db63ea40103c6c25cf6bc42658308 (patch) | |
| tree | cd01c9dcbb3b20658f26251f681446526afc90c9 /roles | |
| parent | dbc331f77a08df52088ef72a138b6f4e3f654720 (diff) | |
| parent | dcd285f410de6ae1a32a25b9287ef8f9d3d7e97a (diff) | |
| download | openshift-9c05f942003db63ea40103c6c25cf6bc42658308.tar.gz openshift-9c05f942003db63ea40103c6c25cf6bc42658308.tar.bz2 openshift-9c05f942003db63ea40103c6c25cf6bc42658308.tar.xz openshift-9c05f942003db63ea40103c6c25cf6bc42658308.zip | |
Merge pull request #4199 from smarterclayton/set_image_policy
Merged by openshift-bot
Diffstat (limited to 'roles')
| -rw-r--r-- | roles/openshift_master_facts/defaults/main.yml | 22 | ||||
| -rw-r--r-- | roles/openshift_master_facts/tasks/main.yml | 2 |
2 files changed, 23 insertions, 1 deletions
diff --git a/roles/openshift_master_facts/defaults/main.yml b/roles/openshift_master_facts/defaults/main.yml index f1cbbeb2d..a80313505 100644 --- a/roles/openshift_master_facts/defaults/main.yml +++ b/roles/openshift_master_facts/defaults/main.yml @@ -1,2 +1,24 @@ --- openshift_master_default_subdomain: "{{ lookup('oo_option', 'openshift_master_default_subdomain') | default(None, true) }}" +openshift_master_admission_plugin_config: + openshift.io/ImagePolicy: + configuration: + kind: ImagePolicyConfig + apiVersion: v1 + # To require that all images running on the platform be imported first, you may uncomment the + # following rule. Any image that refers to a registry outside of OpenShift will be rejected unless it + # unless it points directly to an image digest (myregistry.com/myrepo/image@sha256:ea83bcf...) and that + # digest has been imported via the import-image flow. + #resolveImages: Required + executionRules: + - name: execution-denied + # Reject all images that have the annotation images.openshift.io/deny-execution set to true. + # This annotation may be set by infrastructure that wishes to flag particular images as dangerous + onResources: + - resource: pods + - resource: builds + reject: true + matchImageAnnotations: + - key: images.openshift.io/deny-execution + value: "true" + skipOnResolutionFailure: true diff --git a/roles/openshift_master_facts/tasks/main.yml b/roles/openshift_master_facts/tasks/main.yml index f048e0aef..79f054b42 100644 --- a/roles/openshift_master_facts/tasks/main.yml +++ b/roles/openshift_master_facts/tasks/main.yml @@ -92,7 +92,7 @@ master_count: "{{ openshift_master_count | default(None) }}" controller_lease_ttl: "{{ osm_controller_lease_ttl | default(None) }}" master_image: "{{ osm_image | default(None) }}" - admission_plugin_config: "{{openshift_master_admission_plugin_config | default(None) }}" + admission_plugin_config: "{{openshift_master_admission_plugin_config }}" kube_admission_plugin_config: "{{openshift_master_kube_admission_plugin_config | default(None) }}" # deprecated, merged with admission_plugin_config oauth_template: "{{ openshift_master_oauth_template | default(None) }}" # deprecated in origin 1.2 / OSE 3.2 oauth_templates: "{{ openshift_master_oauth_templates | default(None) }}" |