package v1

import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

// +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// Image governs policies related to imagestream imports and runtime configuration
// for external registries. It allows cluster admins to configure which registries
// OpenShift is allowed to import images from, extra CA trust bundles for external
// registries, and policies to block or allow registry hostnames.
// When exposing OpenShift's image registry to the public, this also lets cluster
// admins specify the external hostname.
//
// This resource is cluster-scoped (see the +genclient:nonNamespaced marker above):
// a single object defines registry trust and access policy for the whole cluster,
// so write access to it is effectively cluster-admin level.
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
type Image struct {
	metav1.TypeMeta `json:",inline"`

	// metadata is the standard object's metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// spec holds user settable values for configuration
	// +kubebuilder:validation:Required
	// +required
	Spec ImageSpec `json:"spec"`
	// status holds observed values from the cluster. They may not be overridden.
	// +optional
	Status ImageStatus `json:"status"`
}

// ImageSpec holds the user-settable registry policy for the cluster: which
// registries imports may come from, the public hostname(s) of the integrated
// registry, extra CA trust, and per-registry handling rules for the container
// runtime.
type ImageSpec struct {
	// allowedRegistriesForImport limits the container image registries that normal users may import
	// images from. Set this list to the registries that you trust to contain valid Docker
	// images and that you want applications to be able to import from. Users with
	// permission to create Images or ImageStreamMappings via the API are not affected by
	// this policy - typically only administrators or system integrations will have those
	// permissions.
	//
	// NOTE(review): the behaviour when this list is unset is not stated here; presumably
	// imports are then unrestricted — confirm against the controller that enforces it.
	// +optional
	AllowedRegistriesForImport []RegistryLocation `json:"allowedRegistriesForImport,omitempty"`

	// externalRegistryHostnames provides the hostnames for the default external image
	// registry. The external hostname should be set only when the image registry
	// is exposed externally. The first value is used in 'publicDockerImageRepository'
	// field in ImageStreams. The value must be in "hostname[:port]" format.
	//
	// NOTE(review): no validation marker for the "hostname[:port]" format is present in
	// this file; format enforcement, if any, happens elsewhere.
	// +optional
	ExternalRegistryHostnames []string `json:"externalRegistryHostnames,omitempty"`

	// additionalTrustedCA is a reference to a ConfigMap containing additional CAs that
	// should be trusted during imagestream import, pod image pull, build image pull, and
	// imageregistry pullthrough.
	// The namespace for this config map is openshift-config.
	//
	// Because these CAs are trusted for image pulls cluster-wide, the referenced
	// ConfigMap should be treated as security-sensitive configuration.
	// +optional
	AdditionalTrustedCA ConfigMapNameReference `json:"additionalTrustedCA"`

	// registrySources contains configuration that determines how the container runtime
	// should treat individual registries when accessing images for builds+pods. (e.g.
	// whether or not to allow insecure access). It does not contain configuration for the
	// internal cluster registry.
	// +optional
	RegistrySources RegistrySources `json:"registrySources"`
}

// ImageStatus holds values observed from the cluster, such as the hostnames the
// integrated registry is reachable at. Status is not meant to be set by users.
type ImageStatus struct {

	// internalRegistryHostname sets the hostname for the default internal image
	// registry. The value must be in "hostname[:port]" format.
	// This value is set by the image registry operator which controls the internal registry
	// hostname. For backward compatibility, users can still use OPENSHIFT_DEFAULT_REGISTRY
	// environment variable but this setting overrides the environment variable.
	// +optional
	InternalRegistryHostname string `json:"internalRegistryHostname,omitempty"`

	// externalRegistryHostnames provides the hostnames for the default external image
	// registry. The external hostname should be set only when the image registry
	// is exposed externally. The first value is used in 'publicDockerImageRepository'
	// field in ImageStreams. The value must be in "hostname[:port]" format.
	// +optional
	ExternalRegistryHostnames []string `json:"externalRegistryHostnames,omitempty"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// ImageList is a list of Image resources.
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
type ImageList struct {
	metav1.TypeMeta `json:",inline"`

	// metadata is the standard list's metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	metav1.ListMeta `json:"metadata"`

	// items is the list of Image objects.
	Items []Image `json:"items"`
}

// RegistryLocation contains a location of the registry specified by the registry domain
// name. The domain name might include wildcards, like '*' or '??'.
//
// Wildcards widen the set of registries a single entry matches; the exact matching
// rules are not defined in this file.
type RegistryLocation struct {
	// domainName specifies a domain name for the registry
	// In case the registry uses a non-standard port (one other than 80 or 443), the port
	// should be included in the domain name as well.
	DomainName string `json:"domainName"`
	// insecure indicates whether the registry is secure (https) or insecure (http)
	// By default (if not specified) the registry is assumed as secure.
	//
	// Setting this to true permits plaintext (http) access to the registry, so it
	// should be reserved for registries that are genuinely reachable only over http.
	// +optional
	Insecure bool `json:"insecure,omitempty"`
}

// RegistrySources holds cluster-wide information about how to handle the registries config.
type RegistrySources struct {
	// insecureRegistries are registries which do not have valid TLS certificates or only support HTTP connections.
	//
	// Registries listed here are accessed without the TLS guarantees applied to other
	// registries; keep this list as short as possible.
	// +optional
	InsecureRegistries []string `json:"insecureRegistries,omitempty"`
	// blockedRegistries cannot be used for image pull and push actions. All other registries are permitted.
	//
	// Only one of BlockedRegistries or AllowedRegistries may be set.
	//
	// NOTE(review): no validation marker enforcing this mutual exclusion is present in
	// this file; enforcement, if any, lives elsewhere.
	// +optional
	BlockedRegistries []string `json:"blockedRegistries,omitempty"`
	// allowedRegistries are the only registries permitted for image pull and push actions. All other registries are denied.
	//
	// Only one of BlockedRegistries or AllowedRegistries may be set.
	// +optional
	AllowedRegistries []string `json:"allowedRegistries,omitempty"`
	// containerRuntimeSearchRegistries are registries that will be searched when pulling images that do not have fully qualified
	// domains in their pull specs. Registries will be searched in the order provided in the list.
	// Note: this search list only works with the container runtime, i.e. CRI-O. Will NOT work with builds or imagestream imports.
	//
	// Because an unqualified image name is resolved against each entry in order, the
	// ordering of this list determines which registry an ambiguous name resolves to.
	// +optional
	// +kubebuilder:validation:MinItems=1
	// +kubebuilder:validation:Format=hostname
	// +listType=set
	ContainerRuntimeSearchRegistries []string `json:"containerRuntimeSearchRegistries,omitempty"`
}