Bug 1307210

Summary: [DOCS] [3.2] Document whitelisting of Docker Registries
Product: OpenShift Container Platform
Reporter: Vikram Goyal <vigoyal>
Component: Documentation
Assignee: Timothy <tpoitras>
Status: CLOSED CURRENTRELEASE
QA Contact: Wei Sun <wsun>
Severity: medium
Docs Contact: Vikram Goyal <vigoyal>
Priority: high
Version: 3.1.0
CC: amurdaca, aos-bugs, dwalsh, jokerman, jtudelag, mmccomas
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-05-17 01:40:13 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Deadline: 2016-03-15

Description Vikram Goyal 2016-02-13 05:07:19 UTC
In OSE 3.2, it is possible to whitelist docker registries for downloading images and templates and to restrict access to ONLY these registries. Access to all other registries is denied.

Describe:
-- what is the use case for whitelisting docker registries
-- how can the user specify whitelisted registries
-- what happens if the user tries to access an image or template from a denied registry
-- Provide examples

Upstream Trello card is:
https://trello.com/c/kgLCe6mN/101-ability-to-specify-a-whitelist-of-docker-registries

Dev for this feature is:
Dan Walsh

QA for this feature is:
Wei Sun

Likely Guide is:
https://docs.openshift.com/enterprise/3.1/install_config/install/docker_registry.html

Comment 1 Daniel Walsh 2016-03-02 22:07:57 UTC
We can talk about this from a docker point of view but not an OpenShift point of view.

Basically you can add an option to /etc/sysconfig/docker to block-registries.  If you want to block all registries you would add

--block-registries=all

Now you would add registries that you would like to allow.

--add-registry=redhat.io --add-registry=acme.com

If a user tries to pull from docker.io/ubuntu, he should get an error message stating that this is not an allowed registry.
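
An added example, not part of the bug report or of the OpenShift docs: a small audit helper that reads the daemon options from /etc/sysconfig/docker and reports whether a given image reference would be allowed under the block-all-then-add policy described in Comment 1. The function names, the sample file contents and the "unqualified" result for image names without a registry host are assumptions made for this sketch; the parser accepts the option spelling used in Comment 1 as well as the singular `--block-registry` form.

```python
import re
import shlex

# Constructed sample of /etc/sysconfig/docker contents (not taken from the bug).
SAMPLE = (
    "# /etc/sysconfig/docker\n"
    "OPTIONS='--selinux-enabled --block-registries=all "
    "--add-registry=redhat.io --add-registry=acme.com'\n"
)

FLAG = re.compile(r"^--(block-registr(?:y|ies)|add-registry)$")

def parse_policy(text):
    """Collect blocked and added registries from every VAR='...' line."""
    policy = {"block": set(), "add": set()}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        # Strip the shell quoting, then split the option string into words.
        words = " ".join(shlex.split(line.split("=", 1)[1])).split()
        it = iter(words)
        for word in it:
            name, _, value = word.partition("=")
            m = FLAG.match(name)
            if not m:
                continue
            value = value or next(it, "")  # also handles "--flag value"
            key = "add" if m.group(1) == "add-registry" else "block"
            policy[key].add(value.lower())
    return policy

def registry_of(image):
    """Return the registry host of an image reference, or None if unqualified."""
    first, sep, _ = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first.lower()
    return None

def check(image, policy):
    """Assumed semantics from Comment 1: block, then allow the added registries."""
    host = registry_of(image)
    if host is None:
        return "unqualified"  # no registry host given; flag for manual review
    if host in policy["block"]:
        return "denied"
    if host in policy["add"]:
        return "allowed"
    return "denied" if "all" in policy["block"] else "allowed"
```

An "unqualified" result is worth treating as a finding in its own right, since the name alone does not say which registry the image would come from.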

Comment 2 Timothy 2016-03-15 05:19:15 UTC
https://github.com/openshift/openshift-docs/pull/1742

Submitted docs PR. Tagged Daniel Walsh for tech review.

Comment 4 Timothy 2016-03-16 23:39:12 UTC
https://github.com/openshift/openshift-docs/pull/1742 

Dan Walsh passed tech review duties along to Antonio Murdaca, thank you.

Moved along to peer review now.

Comment 5 Timothy 2016-03-22 00:09:58 UTC
Peer review also complete with notes from Brice & Thien-Thi.

Docs PR merged. 

Moving this to RELEASE_PENDING.