authorOpenShift Bot <eparis+openshiftbot@redhat.com>2017-05-17 11:34:59 -0500
committerGitHub <noreply@github.com>2017-05-17 11:34:59 -0500
commit9c05f942003db63ea40103c6c25cf6bc42658308 (patch)
treecd01c9dcbb3b20658f26251f681446526afc90c9 /roles/openshift_master_facts
parentdbc331f77a08df52088ef72a138b6f4e3f654720 (diff)
parentdcd285f410de6ae1a32a25b9287ef8f9d3d7e97a (diff)
Merge pull request #4199 from smarterclayton/set_image_policy
Merged by openshift-bot
Diffstat (limited to 'roles/openshift_master_facts')
-rw-r--r--roles/openshift_master_facts/defaults/main.yml22
-rw-r--r--roles/openshift_master_facts/tasks/main.yml2
2 files changed, 23 insertions, 1 deletions
diff --git a/roles/openshift_master_facts/defaults/main.yml b/roles/openshift_master_facts/defaults/main.yml
index f1cbbeb2d..a80313505 100644
--- a/roles/openshift_master_facts/defaults/main.yml
+++ b/roles/openshift_master_facts/defaults/main.yml
@@ -1,2 +1,24 @@
---
openshift_master_default_subdomain: "{{ lookup('oo_option', 'openshift_master_default_subdomain') | default(None, true) }}"
+openshift_master_admission_plugin_config:
+ openshift.io/ImagePolicy:
+ configuration:
+ kind: ImagePolicyConfig
+ apiVersion: v1
+ # To require that all images running on the platform be imported first, you may uncomment the
+ # following rule. Any image that refers to a registry outside of OpenShift will be rejected unless it
+ # unless it points directly to an image digest (myregistry.com/myrepo/image@sha256:ea83bcf...) and that
+ # digest has been imported via the import-image flow.
+ #resolveImages: Required
+ executionRules:
+ - name: execution-denied
+ # Reject all images that have the annotation images.openshift.io/deny-execution set to true.
+ # This annotation may be set by infrastructure that wishes to flag particular images as dangerous
+ onResources:
+ - resource: pods
+ - resource: builds
+ reject: true
+ matchImageAnnotations:
+ - key: images.openshift.io/deny-execution
+ value: "true"
+ skipOnResolutionFailure: true
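Review bot: The explanatory comment above `#resolveImages: Required` repeats "unless it" across its second and third lines (`...will be rejected unless it` / `unless it points directly...`); drop one occurrence. The `skipOnResolutionFailure: true` on the last line of the rule is undocumented, and from its name it appears to mean that an image whose annotations cannot be resolved is not rejected by this rule, so a comment such as `# If the image cannot be resolved, this rule is skipped rather than rejecting — confirm this is the intended failure mode.` would help operators who read deny-execution as a hard block. Since this is a role default, an inventory that already defines `openshift_master_admission_plugin_config` replaces the whole mapping rather than merging with it, which silently drops the deny-execution rule for those installs; a comment stating that (`# Overriding this variable replaces the entire mapping, including the ImagePolicy rule below.`) belongs at the top of the new block.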
diff --git a/roles/openshift_master_facts/tasks/main.yml b/roles/openshift_master_facts/tasks/main.yml
index f048e0aef..79f054b42 100644
--- a/roles/openshift_master_facts/tasks/main.yml
+++ b/roles/openshift_master_facts/tasks/main.yml
@@ -92,7 +92,7 @@
master_count: "{{ openshift_master_count | default(None) }}"
controller_lease_ttl: "{{ osm_controller_lease_ttl | default(None) }}"
master_image: "{{ osm_image | default(None) }}"
- admission_plugin_config: "{{openshift_master_admission_plugin_config | default(None) }}"
+ admission_plugin_config: "{{openshift_master_admission_plugin_config }}"
kube_admission_plugin_config: "{{openshift_master_kube_admission_plugin_config | default(None) }}" # deprecated, merged with admission_plugin_config
oauth_template: "{{ openshift_master_oauth_template | default(None) }}" # deprecated in origin 1.2 / OSE 3.2
oauth_templates: "{{ openshift_master_oauth_templates | default(None) }}"
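Review bot: The rewritten `admission_plugin_config` line keeps the Jinja expression as `{{openshift_master_admission_plugin_config }}`, with no space after the opening braces, unlike `{{ openshift_master_count | default(None) }}` and the other entries in this hunk; write it as `admission_plugin_config: "{{ openshift_master_admission_plugin_config }}"`. Removing `| default(None)` also means this fact is now always a mapping rather than possibly None, while the deprecated `kube_admission_plugin_config` on the next line, noted as merged into it, still defaults to None — worth confirming the merge logic handles a present mapping combined with a None value, since that combination is new. The surrounding task starts and ends outside the hunk.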