---
# Default routing subdomain, read through the 'oo_option' lookup. The second
# argument to default() makes the fallback (None) apply to empty/false lookup
# results as well as undefined ones.
openshift_master_default_subdomain: "{{ lookup('oo_option', 'openshift_master_default_subdomain') | default(None, true) }}"

# Admission plugin settings for the master. Only the openshift.io/ImagePolicy
# plugin is configured here.
openshift_master_admission_plugin_config:
  openshift.io/ImagePolicy:
    configuration:
      kind: ImagePolicyConfig
      apiVersion: v1
      # To require that all images running on the platform be imported first, you may uncomment the
      # following rule. Any image that refers to a registry outside of OpenShift will be rejected
      # unless it points directly to an image digest (myregistry.com/myrepo/image@sha256:ea83bcf...) and that
      # digest has been imported via the import-image flow.
      # NOTE(review): as shipped this rule is commented out, so images from outside registries are
      # not required to be imported first.
      #resolveImages: Required
      executionRules:
        - name: execution-denied
          # Reject all images that have the annotation images.openshift.io/deny-execution set to true.
          # This annotation may be set by infrastructure that wishes to flag particular images as dangerous
          # The rule is applied to the two resource types listed below: pods and builds.
          onResources:
            - resource: pods
            - resource: builds
          reject: true
          matchImageAnnotations:
            - key: images.openshift.io/deny-execution
              # Quoted so YAML keeps the value as the string "true" rather than a boolean.
              value: "true"
          # NOTE(review): with this set to true the rule is presumably skipped when the image
          # cannot be resolved, i.e. the deny check fails open for images whose annotations
          # cannot be looked up. Confirm against the ImagePolicyConfig documentation, and
          # consider enabling resolveImages above if that gap matters for this cluster.
          skipOnResolutionFailure: true