Azure Red Hat OpenShift provides an integrated container image registry so you can automatically provision new image repositories on demand. By using this registry, you get a built-in location for your application builds to push the resulting images.
In this article, you configure the built-in container image registry for an Azure Red Hat OpenShift 4 cluster. You learn how to:
- Authorize an identity to access the registry
- Access the built-in container image registry from inside the cluster
- Access the built-in container image registry from outside the cluster
Before you begin
This article assumes you have an existing cluster (see Create an Azure Red Hat OpenShift 4 cluster). If you want to configure Microsoft Entra integration, make sure to create the cluster with the --pull-secret argument to az aro create.
Tip
Configuring Microsoft Entra authentication for your cluster is the easiest way to interact with the internal registry from outside the cluster.
After you have your cluster, connect to the cluster by authenticating as the kubeadmin user.
Configure authentication to the registry
To access the internal registry, an identity must first be granted permissions inside the cluster. The identity can be a cluster user, a Microsoft Entra user, or an Azure Red Hat OpenShift service account.
As kubeadmin, run the following commands:
# Note: replace "<user>" with the identity you need to access the registry
oc policy add-role-to-user -n openshift-image-registry registry-viewer <user>
oc policy add-role-to-user -n openshift-image-registry registry-editor <user>
Note
For cluster users and Microsoft Entra users, this name is the same name you use to authenticate into the cluster. For Azure Red Hat OpenShift service accounts, format the name as system:serviceaccount:<project>:<name>.
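To review the grants made with the commands above, the following added example (not part of the original article) lists which identities hold registry-viewer or registry-editor in the openshift-image-registry namespace and which of them can push. The function names and the sample binding lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Audit registry grants in the openshift-image-registry namespace.
# Function names and sample data are constructed for this example.
NS=openshift-image-registry

# One "role<TAB>kind<TAB>subject-namespace<TAB>name" line per RoleBinding subject.
# Needs a logged-in oc session that may list role bindings in $NS.
list_bindings() {
  oc get rolebindings -n "$NS" -o go-template='{{range .items}}{{$r := .roleRef.name}}{{range .subjects}}{{$r}}{{"\t"}}{{.kind}}{{"\t"}}{{if .namespace}}{{.namespace}}{{else}}-{{end}}{{"\t"}}{{.name}}{{"\n"}}{{end}}{{end}}'
}

# Constructed sample in the same format, so the script also runs offline.
sample_bindings() {
  printf '%s\t%s\t%s\t%s\n' \
    registry-viewer User - alice@example.com \
    registry-editor User - alice@example.com \
    registry-viewer ServiceAccount ci builder \
    registry-editor ServiceAccount ci pusher \
    admin User - bob@example.com
}

# stdin: binding lines. stdout: "identity<TAB>access", sorted.
# registry-viewer allows pull; registry-editor allows push, so it wins
# when an identity holds both. Other roles are ignored.
summarize_grants() {
  awk -F'\t' '
    $1 != "registry-viewer" && $1 != "registry-editor" { next }
    {
      id = $4
      if ($2 == "ServiceAccount") id = "system:serviceaccount:" $3 ":" $4
      if ($1 == "registry-editor") access[id] = "push+pull"
      else if (!(id in access)) access[id] = "pull"
    }
    END { for (id in access) print id "\t" access[id] }
  ' | LC_ALL=C sort
}

# Identities that can push images, one per line.
push_identities() {
  summarize_grants | awk -F'\t' '$2 == "push+pull" { print $1 }'
}

# Pass --live to query the cluster; the default uses the constructed sample.
if [ "${1:-}" = "--live" ]; then list_bindings | summarize_grants
else sample_bindings | summarize_grants
fi
```

The report covers only the two roles granted above; access that comes from other roles or from cluster-wide bindings is not shown.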
Access the registry
After you configure authentication for the registry, you can interact with it. The following sections provide more details.
From inside the cluster
Suppose you're running a continuous integration and continuous delivery (CI/CD) platform as pods that push and pull images to and from the registry. If you need to access the registry from inside the cluster, you can access the registry via its cluster IP service at the fully qualified domain name image-registry.openshift-image-registry.svc.cluster.local:5000. All pods within the cluster can access this registry.
From outside the cluster
Suppose you want to push and pull images from a developer's laptop, external CI/CD platform, or a different cluster. If your workflows require that you access the internal registry from outside the cluster, you need to complete a few more steps.
As kubeadmin, run the following commands to expose the built-in registry outside the cluster via a route:
oc patch config.imageregistry.operator.openshift.io/cluster --patch='{"spec":{"defaultRoute":true}}' --type=merge
oc patch config.imageregistry.operator.openshift.io/cluster --patch='[{"op": "add", "path": "/spec/disableRedirect", "value": true}]' --type=json
You can then find the registry's externally routable fully qualified domain name:
As kubeadmin, run:
oc get route -n openshift-image-registry default-route --template='{{ .spec.host }}'