From dcd285f410de6ae1a32a25b9287ef8f9d3d7e97a Mon Sep 17 00:00:00 2001
From: Clayton Coleman <ccoleman@redhat.com>
Date: Mon, 15 May 2017 21:46:04 -0400
Subject: Default image policy on new clusters to on

Will allow for default image resolution to be used.
---
 roles/openshift_master_facts/defaults/main.yml | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

(limited to 'roles/openshift_master_facts/defaults')

diff --git a/roles/openshift_master_facts/defaults/main.yml b/roles/openshift_master_facts/defaults/main.yml
index f1cbbeb2d..a80313505 100644
--- a/roles/openshift_master_facts/defaults/main.yml
+++ b/roles/openshift_master_facts/defaults/main.yml
@@ -1,2 +1,24 @@
 ---
 openshift_master_default_subdomain: "{{ lookup('oo_option', 'openshift_master_default_subdomain') | default(None, true) }}"
+openshift_master_admission_plugin_config:
+  openshift.io/ImagePolicy:
+    configuration:
+      kind: ImagePolicyConfig
+      apiVersion: v1
+      # To require that all images running on the platform be imported first, you may uncomment the
+      # following rule. Any image that refers to a registry outside of OpenShift will be rejected unless it
+      # unless it points directly to an image digest (myregistry.com/myrepo/image@sha256:ea83bcf...) and that
+      # digest has been imported via the import-image flow.
+      #resolveImages: Required
+      executionRules:
+      - name: execution-denied
+        # Reject all images that have the annotation images.openshift.io/deny-execution set to true.
+        # This annotation may be set by infrastructure that wishes to flag particular images as dangerous
+        onResources:
+        - resource: pods
+        - resource: builds
+        reject: true
+        matchImageAnnotations:
+        - key: images.openshift.io/deny-execution
+          value: "true"
+        skipOnResolutionFailure: true
-- 
cgit v1.2.1