Description
This episode we are joined by Andrew Block to discuss the purpose of container registries in OpenShift and some of the pros/cons of different options, including the built-in OpenShift registry, external on-prem registries such as Quay, and 3rd party hosted registries. If you’re curious about how to deploy and manage the OpenShift registry, and some best practices, this show will be right for you!
A
Good morning, good evening, good afternoon, wherever you're hearing from. Welcome to another episode of the OpenShift Administrator Office Hours. I am Chris Short, executive producer of this thing we call OpenShift.tv. I am joined today by two of my fellow Red Hatters, the just incredibly brilliant Andrew Block and the cuddly curmudgeon Andrew Sullivan. So we have two Andrews on the call, so this will be fun and interesting. And today we are talking about what, Mr. Sullivan?

B
Yeah, so today I asked Mr. Block to join us to talk about registries. Specifically, what are the registry options inside of OpenShift?

B
But that being said, registries are our topic for today. So, Mr. Block, if you don't mind, please introduce yourself: who are you and what do you do?

C
Well, I was afraid I wasn't going to be able to be let in, because normally I join on the developer side. This is one of my first ones on the administrator's side. I do a lot of GitOps stuff, and we did some sessions with the developer console customization. This is one that's really focused on the administrator's side of the house. So thanks again, Andrew, for inviting me on, and Chris, once again, for making me wonderful joining you here. I know, many talents.

B
So I know that there are a couple of open support cases. There are a couple of open BZs on how to resolve that. So I did respond to that person. But if you have any questions about that, please feel free to reach out. So, Andy, I saw your head there. So last week we talked a little bit about, and it was a result of a couple of threads that we were having internally around...

B
You might be able to work around that by SSHing to the node and doing something like a hostnamectl set-hostname to set the hostname, or even populating /etc/hostname, but that, of course, is not scalable and not sustainable, you know, long term. It kind of defeats a lot of the purpose of IPI.

B
So the other thing that I wanted to follow up on is somebody last week also asked about the disconnected side, and they followed up with me via email. So, yes, we did sort of abruptly...

B
We got to the point of doing the disconnected OLM mirroring for Red Hat operators, and then I cut that and jumped over to the update manager, because I wanted to talk about the update service. So I will follow up with a blog post on how specifically to do that, so that content that we had planned of "let me prune the index image and then only mirror a subset of those images." So I'll follow up with a blog post. I'll get that into the queue. I don't know when it'll actually get published, but we'll get that content out there.

C
...scalable and a number of other challenges. But so you don't need a registry. You probably will use a public registry like quay.io, Docker Hub, you name it, or you might have, like for most of my customers, they will have their own enterprise registry.

B
Right, yeah, so I think that's a good one, right, of whether or not, you know, you're using a registry. You know, as an administrator, it's not something we often think about, because, you know, we typically leave it to the developers, right. The application teams of "hey, I'm producing code, I'm producing application components. I need to build my container image. I need to store it somewhere so that when I deploy the application, right, I can pull that image in and be able to use it." But the reality is we do, right.

B
Every time you deploy OpenShift you're using a registry, right. It pulls everything in OpenShift. All of the OpenShift services, components, etc., are deployed as containers themselves, so you're absolutely taking advantage of that. So let's talk about the OpenShift registry itself. So OpenShift has a registry, right, and that is not the same as Quay, right. So let's differentiate here. There's...

C
The OpenShift version is a very lightweight image registry, but it does have a number of key functions that are really built for OpenShift. One, it has RBAC support by default, already integrated to OpenShift. That is crucial. Two, there is a concept in OpenShift called an image stream, which is basically a virtual representation of where images are sourced from. They can be sourced from the internal registry. They can be sourced from an external registry. They're...

C
Once you create an image stream, any time you push to the registry, that integration between the internal registry and the image stream is automatic. It will automatically create a tag on that image stream.

B
Okay, so image streams are used by application teams, right, as, I'm gonna say, a constantly updated source for a particular image. Is that accurate? Basically, I say I want to use this image stream as my base image, as my underlying image, and any time whatever the source of that image stream is gets updated, the image stream is also updated, and if I'm using builds as the application team, it'll automatically trigger a new build, and if I have the deployments or, you know, the rollout scheduled and everything there.

C
What is very important here is the image stream will only get updated automatically if you are using the internal registry. So if you have an image stream that points to an external registry, it will not be updated. You can schedule that action or you can manually trigger that, but that's a big thing that trips a lot of my customers up, a lot of users of OpenShift: I go ahead, push an image to quay.io...

B
Yeah, so the internal registry, so what we call the OpenShift registry, and if you were to look at, like if you were to do an `oc get co`, right, the one that shows up as registry is what we're talking about here, right? Yep. So how does, and I'm kind of starting at the base here, because I feel like this is one that's particularly, if we're talking on-prem, it gets overlooked a lot because, most of the time, it's not deployed by default, right, on-premises.

C
Actually, a lot of times we do, we do deploy it, because we don't have to involve any external teams. That's one of the benefits of OpenShift, is that self-service capability. You can just deploy an image, build it, you name it. If you have to integrate with an external registry, you have to maybe get credentials set up. You need to do passwords, accounts. There's a lot of additional setup that you need to do. That slows things down, because a lot of organizations I do work with, you still have to work with another team.

B
So let's, I'm going to take advantage of that segue. So let's talk about storage for the registry.

B
So if you look in the documentation, let me share my screen real quick here. Where's the button? There's the button. And for those of you watching at home, you notice that I'm in a different office today. Everything's slightly rearranged, so I'm also slightly discombobulated.

B
So if you look through the documentation here, and I should have found the page beforehand so I'm not left scrolling here on stream, there are a number of different storage options available for you. So the big three, and I'll distill it down into really the three protocols, right: there's file, there's block and there's object.

C
So a couple different reasons. One, I'll say it so many times: don't do file. Don't do file. Don't do file. You will run into so many challenges, so many challenges, so many challenges. If you're using Quay Enterprise, file is not supported. You can't hook up a persistent volume and assume that it works. Only object storage is supported. One of the benefits of object storage is that you can hook multiple instances to it.

C
The problem with block is you can only typically have one attachment at a time, so you cannot have it highly available. That is so. Basically, if you're doing any registry storage, grab object storage. One of the best options out there is OpenShift Container Storage, which has an object endpoint, which you can hook up very easily.

B
Yeah, and I'll also offer, so usually the way I describe it, the short version is: block is fine so long as you only need one registry instance, right. You can't scale it. You only get one, because you can only have one instance access that PVC at a time. File is file. You have to be careful with it, right, as you said, there's a lot of sharp edges that you can accidentally encounter.

B
So knowing that there is a lot of background there, if you look in the documentation, and I'll dig it up and post the link, but if you look in the documentation, we specifically say that we strongly discourage the use of the RHEL NFS server for file storage.

B
However, many of our storage partners, they will say that it's perfectly fine to use file storage for, you know, multiple access, for highly available, right, multiple registry instances pointing at that same piece of storage. So just work with your storage partner, right. NetApp is one that they say absolutely use NFS all day long, it'll be great, no matter how many instances of the registry you have deployed against it. Just be aware that from Red Hat, and specifically the RHEL NFS server, we don't suggest doing that. And then the last one is object.

B
As you said, object is the one that's really recommended, especially at scale. One of the things that I thought was interesting, and that I didn't learn until recently, is that the behavior actually changes between file and block and object. And so what happens is, with file and block, the registry instance has to proxy access to all of those registry layers or image layers. So when you say, you know, `podman pull`, or, you know, when Kubernetes has to do a pull of that image...

B
The registry instance is proxying off of that file or block storage and sending it to whatever that client happens to be. With object storage, it gives it a pointer to the object in the object store. So the issue here, or the thing is, right, if I've got a cluster of 100 nodes and I deploy a pod across all 100 nodes, all 100 nodes are simultaneously going to say...

B
"Give me that image," and if I have one registry instance out there, I'm going to now be limited to the throughput of that one registry instance for all 100 nodes, whereas with an object store, I'm going to be limited by the object store, which is probably going to, you know, if we're talking like Amazon S3 or, you know, OCS or whatever that happens to be, right, is going to be much more distributed. It's going to have a much better, much more robust architecture for that type of pull operation.

C
You also brought up a really good point there with AWS, because, you know, many, many of the default images from OpenShift come from quay.io, and those are being stored by AWS S3 in the background. So you need to be confident about the firewall rules that you have in your corporate environment, because even though it's going to quay.io, it's actually getting sent to S3 directly. Yeah.

B
Yeah, and I think we have, there's a KCS out there that has all of the things that you need to whitelist in order to do that. So, okay, all right, I've beaten the storage thing to death here. I will say, because I was a storage admin before, sometimes I get asked about sizing storage for the registry.

C
It comes down to how many development teams you're going to be working with. Some of my customers, they're not building that many images themselves. They are consuming commercial off-the-shelf images that come from partners, or other images that are not in any of the registry, so they don't have to worry about it.

B
Yeah, no. And then, so again, coming from a storage background, sometimes we'll get asked, well, what's the read/write mixture, right? How many IOPS do I need, right, that type of stuff. And my answer to that is very much in line with what you just said. It entirely depends on your application team. You know, if you've got a CI/CD pipeline and you're doing, you know, a thousand builds a day...

B
I don't think there's any networking considerations, anything like that, that we really need to take into account. I will say, and I had it up here just a moment ago, so accessing the registry. This is really about, if you're looking, the docs are RBAC, right, and ensuring that we have the right permissions in place. Exposing the registry is an interesting one, so this is for the internal registry.

B
How do I enable external access to that, which effectively just creates a route. So I do want to take a moment to go through some of the, you know, how do we configure, how do we set up, how do we manage the registry, real quick, because, as I said a few minutes ago, if I'm doing UPI, then it's not going to deploy the registry by default.

B
And we'll look at this, configuring the registry for bare metal. So essentially you're editing this config object for the registry instance, and primarily there are two things that we are concerned about. One is the management state, which is basically telling the operator: do you want me to manage this, or do you not want me to manage this? There's actually three states. There is completely remove the registry.

B
There is completely manage the registry, and then there is let it be present, but don't mess with it, right, the unmanaged state. So typically it will either be Removed or Managed. However, beyond that, what we're looking at is, and so they changed the documentation, we no longer have the nice pretty listing inside of here, but beyond that is configuring the storage that you want to use for that particular registry.

B
So we have this image registry, so the image registry. This is the actual image that's associated with it, and if you were to look at it, and they updated this again as well since the last time I looked at it. To be fair, it's been like two months. This is effectively the same as Docker Registry. You can see there's even some references inside of here to the way that these things work, and this is how, so the configuration options are going to be the same as for the Docker Registry.

B
So effectively, by configuring this, right, if I were to now write this out, at that point the operator would take action to go through and reconfigure the settings of the image container that's actually deployed inside of there. So I'm not going to do that, because I would very obviously break my Azure-deployed registry here. And if we do an `oc get project` and grep for registry, you see I have the openshift-image-registry. I can dig inside of here.

B
If I look at the pods, we have this image registry, two image-registry pods. So by default, with IPI and the cloud providers, it will deploy in a highly available, right, two instances in this case of the registry, and if I look inside of one of these, so if I do...

B
So if I jump inside of here, there are the same configuration files that I'm used to. So I gotta look in the right place, though. So I have this config.yml, so if you've ever managed, if you've ever, you know, used the Docker Registry, this is the configuration file for that, and you can see we've extended it some with this OpenShift stuff and all that.

B
So just to be clear, that's how we actually do all of that stuff. So up here is our storage. You can see all the storage configuration that we have inside of here, what to use for it, how to connect to it. All of that would be put in place by the operator, not by us going in and managing it manually. Andy, Chris, anything to add there?

C
No, yeah, everything, making sure not to. I actually had a colleague of mine yesterday manually modify some configurations for the registry, and actually it was also for the router, and they were like, well, why is this? They actually manually managed the deployment associated to it. They were trying to set a new selector. I'm like, no, no, no, no, let's go take a step back and talk about how OpenShift has managed everything through operators. There's an operator that manages the registry and the router.

B
Yeah, that's a good point. So the registry is an infrastructure workload as well, so it is eligible to be deployed to infra nodes and take advantage of all of the licensing benefits, etc., there. So...

C
Yep, that's basically what I do as well. Definitely toleration, because we try, for two reasons: we do not want to have our infrastructure resources be constrained, but also it's a licensing concern because, like, infrastructure nodes are included with the subscription, so that keeps everyone status quo in terms of...

B
Yeah, the rule of, or the way I remember it, is taints repel workloads.

B
Unless you specifically tolerate it, it basically pushes it away. So that's what we want with infra nodes. That's what you want with special resource considerations, so GPUs, stuff like that. You don't want to waste CPU and memory resources on a non-GPU workload on a GPU node. You want to dedicate those. Okay, so OpenShift registry, the internal, the default registry that's deployed alongside OpenShift, that's managed as a part of one of the default cluster operators. That's what we've been looking at.

B
So far, to your point, you probably see a lot more of these. I would say that the number of customers who ultimately deploy this registry is very, very high, right. It may not be deployed on day one, right, right after OpenShift install finishes deploying, especially if you're doing a UPI or a bare metal install, but it's almost universally used, right, for a number of different reasons.

C
One of the biggest use cases that I use is actually being a cache, because you can have it run as a pull cache, so you're not dependent on an external registry. So if you are using docker.io as your image registry, you use the image pull cache and you can get around the pain when it comes to some of the rate limiting that they're implementing.

C
...is configured by default? So if you set an image stream up by default and have it reference an external registry, it will automatically pull it into the internal registry and then serve out of there. Very cool, because when you deploy an image or a deployment that references an image stream, it always points to the internal registry.

B
Okay, good to know, thank you. So the last thing that I'll say about the internal registry, or the default registry, before we move on: how do we configure, or configuring for insecure registries and other types of scenarios, which is non-obvious, but so it's tangential, non-obvious, but very much related, of how do I get access to my registries or to my container images that's maybe local or maybe image-streamed even, and how do I tell OpenShift to allow that? So again, I should go ahead.

C
So let me just talk about the internal registry, because we can just get rid of that, because for that, it's all RBAC through OpenShift, so that makes life a lot easier. It also uses the certificate that OpenShift generates by default. So all the nodes trust that image, and also, very interestingly, and I've been playing around with this, the DNS operator has an explicit configuration.

B
Either, so I just posted a link to the registry docs. I also brought up a second page here, so this is the, wait, where did you paste a link, into YouTube?

B
Yeah, so yeah, I have YouTube up and you recently...

B
Twitch into YouTube, but not from YouTube into Twitch, so just FYI, understand. So the second page that I brought up here is the image configuration resources page. I'll post this one into Twitch, since Twitch seems to be going to YouTube, but not the other way around.

B
I'm trying to make a habit of posting into YouTube because YouTube has a 200 character limit, whereas Twitch doesn't, so when we chat in Twitch, sometimes not all of the message makes it into YouTube.

B
So just be aware of this page. I'm not going to go in depth on this particular page. Here you can see, if we scroll down far enough, apologies for scrolling on stream, if I want to block a registry, this is an important one. You know, we don't want to use Docker's registry, because, you know, we're always throttled, right. They throttle by IP. Sometimes, you know, if all of your internet traffic goes through one proxy, it's always throttled. Therefore, you know, stuff like that.

B
This is how you would add that insecure registry in there. Note, however, if you update that, it will trigger the nodes to reboot, because we still have to update that config right on the nodes to allow the nodes to, so. If, when you update this, it will trigger machine config to reboot your nodes, according to whatever the machine config pool's policy is. Okay, so 32 minutes in, let's talk about Quay and quay.io. So Andy, you are far more of an expert on this than I am. I am cognizant of Quay.

C
...code base, which is good. There really is no difference, but the benefit is you become the SME. You now have control of quay.io in your environment, so all the best parts about Quay you now have inside your environment. You can go ahead and set up, you know, authentication, RBAC policies, organizational structures, very much the same thing that you have with quay.io. You now can take advantage of yourself, and all the replication capabilities and geo-replication and scalability options that quay.io provides.

C
Advanced RBAC policies, organizational components that are off-tuned into. Basically, it makes it so you aren't aligned to the OpenShift world, because the internal registry is aligned to OpenShift. You have to have a user account or a service account to be able to access it. There is no user interface for the OpenShift registry aside from the OpenShift console. So if you want to have that... That was removed with 4, right? Right, there was kind of a very lightweight console that was provided in 3. That was, as Andrew...

C
Not everyone should have access to OpenShift, so quay.io provides that nice visibility for your organization, because I can go and send a link to my CIO and say, hey, this image is out there. Here it is, here's when it was created. I know you might have had some concerns about what's in that. You can now see it, because Quay also has Clair scanning, so you can see. That's awesome.

B
Right, so I think, so one, getting Quay is pretty simple inside of OpenShift. I think it'll show up inside of my cluster here, right. There is an operator for Quay, so I'm not going to deploy it into Azure. I think you have an environment.

B
I say that, and the reason, you know what, some people might be thinking, well, why is Andy on the show to talk about, let's talk about registries? Andy was actually the creator, the originator of the Quay operator that we see inside of here. So if anybody is an expert on this, we have that guy.

A
Yes, as we heard earlier on.

A
There's a new version of Quay coming out this week and it'll help, number one, it should help a lot of people installing Quay just on RHEL 8, kind of as a standalone instance, and then, yes, it is updating its operator. There's also a bunch of other fun features, but I won't spoil the surprises. So...

C
So we use the mutating webhook configuration to rewrite the build spec. So no, so we basically point it to Quay, and it also automatically sets up robot accounts, which are your service accounts within Quay. A little bit of magic there. Oh.

B
That's fancy, all right. So do you mind if I toss you under the bus, so to speak? Yeah.

B
An office, yes, so yeah, that's fancy. You're now the second person this week I've talked to that's been in an office. So do you mind, do you have, can we see the Quay operator? What deploying that looks like?

C
No, it comes down to. Let me know when you can see my screen. Yeah, we can see it. Awesome. The big one was, Andrew, you mentioned earlier, when you make some modifications, it does roll the cluster, right, and I didn't want to have any downtime, so I might as well, instead of having to, you know, wait a few minutes, yeah, paint drying, or we can go ahead and spin this up. So we have a nice OpenShift 4.6 cluster.

C
I had a custom SSL certificate as well, because I wanted to, by defining that, I can then go into OpenShift and have OpenShift itself trust it, because Quay has its own certificates, so we needed to go in and configure OpenShift to trust that certificate, so any images that were pushed or pulled would be able to trust the Quay registry, and I'll show you how I did that as well.

C
Everything else is fairly vanilla. Everything, the router, the operator itself goes in and configures a lot of these fields automatically, but it's basically go in, set a couple fields and you have Quay running. And coming up with a new version, you can also get a small instance of OpenShift Container Storage with it too. So if you have a Quay Enterprise subscription, you then get a very small instance of OCS to allow you to hook up object storage. Wow, which is really cool.

C
You know, typical self-signed, because I was doing some testing. If you have one that's corporately signed by your organization, or you have one from a trusted certificate authority, GoDaddy, you name it, you can then hook it up very easily, and then we need to go ahead and tell OpenShift how to trust it. And to do so, you need to configure a config map inside the openshift-config project.

B
To interrupt you there, that OpenShift, this config map in openshift-config applies not just to the registry. This is kind of like the global certificates to trust for anything OpenShift is doing. So if you have your internal CA, you know, for all of your internal sites and all that other stuff, that would be where you configure that as well.

C
And exactly, and you then tell OpenShift, you create that config map, then you tell OpenShift, hey, use that as my global reference, and you do that inside this proxy object. We just set this trustedCA field to be whatever the name of the config map that you create inside the openshift-config project, and it then allows us to go ahead and pull and push from Quay.

C
Now, the next thing in many of my organizations is, we only want to deploy images from certain registries, whether they be quay.io, let's say they're coming, you know, we want to get the images for OpenShift. We also then want to be able to get images, maybe from just Quay, right. No, nothing else, because I have many of my developers go in and say: okay, how do I deploy on Kubernetes 101? Okay, let's go to the Kubernetes documentation or the OpenShift documentation.

C
We'll go in and we will just create a brand new project, so we'll go over here to the developer console, because I love the developer console. The developer tools team does an amazing job. Yes, they do. So we'll just do my-app, create that, and we'll just go ahead and import from YAML. Go ahead and create this. It basically wants to create three replicas of nginx. Click on create, watch the pods come up and give it a second. Oh, oh, I am failing to pull. Why am I failing to pull?

C
It basically says rejected by policy, because we only have certain registries enabled by default. docker.io is rejected, and that goes back to what Andrew mentioned earlier, the image configuration options that we set. We'll pop back over to the administrator page, or perspective, pardon me, go over to the Explore tab, click on Config and then go find it down here: Image. Right now, I don't think we need. Let's see.

B
Yeah, so that was that documentation page, the second documentation page that I linked up there, the image configuration.

C
So obviously quay.io, registry.redhat.io, registry.connect.redhat.com, which is for our partner connect set of images, registry.access.redhat.com, which is our older image registry, which we don't recommend, but there are still some references to it, so if you want to keep that in there. Very important is you want to trust the internal registry of OpenShift, which is this internal address, and then this last one is basically my image registry that we saw a minute ago, with Quay Enterprise.

B
And to be clear, there's sort of a global pull secret, which is the one that is provided when you install, yeah, but each project, you can also specify specific pull secrets, so like I could provide a different set of credentials for my project to use by default when it's doing its thing, or...

B
A question for you, Andy: do you often see people replace that default global pull secret for any reason?

C
Replacing, so you can't replace it, you do not want to replace it. You will break your cluster horribly. You know why?

C
...dependent upon it, yeah. All your release information, quay.io, all this stuff, cloud.openshift.com. That needs to be here. You cannot, and you just don't, break it. I mean, I actually ended up overwriting this last night by default, by accident, and I went ahead and started seeing failures to pull. I'm like, what did I do? What did I do? Oh, that's what I did.

B
Is it possible to have sort of a group account, if you will, or, like, you know, is it possible for me to delegate that, so that if I have a team of administrators that I can utilize that manner, and, or is it always tied to an individual? And then the follow-on to that is: what happens if, you know, Andrew used his pull secret to deploy the cluster and now Andrew left the company? Yeah.

C
So you can go in and replace it. There are a few steps that you need to take to replace all of the references. This does, these credentials do get replicated in a couple different projects. The big one that I know offhand is the openshift project, because that contains all the samples. So all the templates and image streams get put into that project. So if we look into the openshift project, the OpenShift proper project, you'll see there should be one for samples.

B
And there is a way also. I have to dig up the link from way in the bowels of my email, and how did I discover this, Chris? Because, well, some of us have accidentally shared our pull secrets on this. Yes.

C
I was going to go walk through the, you know, how to set your authentication credentials, and I'm like, wait a second, I don't want to show the world all the credentials. So I went ahead and just modified it here locally, just because I didn't trust myself, because of just that exact situation. So...

B
Yes, if that is something interesting to you, just let us know and I'll dig up that link and I'll share it. I'll also put it in the show notes blog post that we have. So if you need to go in and, you know, "I accidentally shared my credentials once and now I need to reset those," there's a way to do that.

C
I'm kind of, in just circling back to the security side of things. You know, we mentioned the machine config operator goes in and makes changes to the cluster. How does it make changes? We just saw a minute ago that the image policy did not allow images from certain registries like docker.io. What actually happens? That's what you want to get is: okay, OpenShift's magic. We know that, but there's got to be some, we're going to go ahead and uncover some of the secrets from OpenShift. So let's show how that occurs.

C
So, let's, I'm on my cluster right now. I can do `oc get nodes`. I can go in and see what changes got made. So I'm going to pick some random nodes, pick one of my worker nodes, and if you ever wanted to get on the node itself, you can use the `oc debug node` command, and that gives you access to the node.

C
Itself, give it a second. It basically spins up a pod, starts a session inside that pod, and it uses a host mount which gives you access to it. So I'm going to be lazy and just follow the steps. You know, chroot to the host path, and now we have basically access to the host itself, and if we do `cat /etc/containers/policy.json`, and that's very hard to read, isn't it?

C
Yeah, so I can just do `jq -r` and get a nice fancy, fancy, fancy there. You go, all right, that's fun! So if you look at the top, the default policy is reject everything, and then go ahead and, yes, always step one: reject everything. So, especially if you're doing image signing, same exact situation, reject the image, see that you actually go in, and this is the file you actually modify for that too.

C
You get to reject everything and then go in and only allow certain fields, and one of the benefits of OpenShift and operators is that I didn't have to worry about having to figure out this whole configuration file. I just specified I want these image registries to be allowed, it does the rest, and it says basically use the atomic or the docker transport mechanism, and then basically say I don't care what type of content it is, I'm gonna allow everything, and then this is for the image, the internal registry, quay.io.

B
Yeah, it's funny to me, the more familiar I get with OpenShift, the more I realize, you know, we've created this whole system in OpenShift of things that basically are an administrator. So before, it's very much your point, it's I gotta go to each host. I have to update this file and then I either have to reboot the host or restart these services and do all these other things, or, using an operator, it's...

B
I update the configuration once and then the operator does all of those...
other
steps
for
me
in
some
ways
really
convenient
right
in
some
ways
it
can
be
frustrating
if
you're
used
to
the
old
way.
You
know
I
I
want
to
be
hands
on.
I
want
to
be
able
to
go
in
and
touch
and
manipulate
and
change
all
of
these
things,
and
I
we
have
at
least
on
on
my
side.
I
don't
know
about
you
know
for
you
out
in
the
field
andy.
You
know
we
have
conversations
fairly
regularly
about.
B
You
know
the
advantages
of
the
operator
paradigm,
particularly
at
scale
you
know
and
having
this
known
configuration
and
it
being
done.
You
know
it
done.
If
you
will,
in
the
way
that
red
hat
has
has
created
from
a
support
perspective
right,
so
we
know
how
to
help
you
when
things
go
wrong
and
all
that,
so
it
it
can
be
intimidating
when
you're
first
learning
openshift.
I
will
fully
admit
that.
C
So
I've
been
working
with
openshift
for
since
the
beginning,
basically
at
least
definitely
in
the
beginning,
since
the
kubernetes
world,
and
also
back
into
the
version
one
and
version
two,
and
it's
a
it's
a
little
bit
of
a
little
bit
of
a
shift
when
it
comes
to
three
versus
four.
A
lot
of
my
customers
move
from
three
to
four
three
to
four
they're
like
we
have
a
lot
of
ansible
work.
We
love
ansible
to
depth
because
all
this
had
to
be
done
via
ansible
previously.
C
C
Ansible
I
use
as
especially,
if
you're
using
upi
you're
still
going
to
be
using
ansible
because
there's
a
lot
of
manuals
manual-ish,
but
you
obviously
using
ansible
to
automate
that.
But
what
I
use
ansible
is
is
you're.
Basically,
your
kickstarter,
you
use
ansible
to
help
configure
any
of
the
installed
configs
setting
up
vpcs
if
you're,
using
ipi,
setting
up
your
environment
and
then
basically
just
letting
the
flame
to
the
fire,
which
is
basically
going
in
and
starting
the
cluster
and
preparing
it,
so
it
chris.
You
know
this
is
better
than
I
do.
C
D
C
B
That's
one
big
change
that
I
think
a
lot
of
people
don't
realize
is
with
openshift
four.
The
installer
is
only
responsible
for
getting
the
cluster
up
and
running,
not
for
all
the
stuff
inside
the
cluster.
So
it's
it's
this
bare
minimum.
What
do
I
need
to
consider
the
cluster
running
and
then
day?
Two
is
where
all
of
those
other
things
come
in,
whereas
openshift
three.
B
We
had
that
massive,
how
many
it
was
over
a
thousand
different
variables
in
the
the
the
yaml
file
for
ansible,
and
so
all
of
that
stuff
has
been
pulled
out,
and
it's
just
that
bare
minimum
in
the
install.
B
All
right,
so
we've
only
got
a
couple
of
minutes
left
so
andy
anything
you
want
to
close
with.
C
No,
I
guess
the
last
thing
I'll
leave
everyone
with
is
that
registries
are
awesome.
Yes,
they
suck
because
they
are
dependency.
They
are,
in
many
cases
an
external
third-party
dependency
you're,
either
leveraging
or
waiting
on
quit.
Io
docker
hub,
you
name
it
have
that
in
mind
when
you
prepare
and
plan
for
it
assume
that
it
will
never
be
available.
C
C
I
I
definitely
love
to
have
a
follow-up.
I
think
a
good
follow-up
would
be
everything
we
need
to
do
to
manage
images
in
a
disconnected
space.
How
do
we
get
images
into
the
disconnected
space?
How
do
we
configure
openshift
to
use
those
images
instead
of
going
in
and
talking
to
the
public
registry,
and
then
how
do
we
make
changes
and
and
maintain
them
over
time?.
B
C
Give
and
take
if
you
go
down
that
path,
you
then
have
to
maintain
over
time.
We
push
images
and
updates
all
the
time,
which
means
you,
then
have
to
continuously
mirror
those
images
locally
yeah.
That
itself
is
a
killer
for
me
a
lot
of
times.
What
I
recommend
is
you
set
up
an
image
of
cash
so
like
a
pull
through
cache,
so
so
you
can
cast
them
locally.
C
Openshift,
basically,
references
that
image
that
image
repository
and
street
pardon
me
and
then
you,
then
we
somewhat
remove
the
decrepit
dependency
on
the
external
source,
but
you're
still
using
the
external
source
and
not
having
to
maintain
it
yourself.
But
that's
yet
another
conversation
that
we
can
certainly
have
in
the
future.
A
C
A
C
C
B
Yeah
awesome
man
in
the
middle,
that's
manipulating
those
all
right,
so
we
are
at
the
top
of
the
hour.
I
do
want
to
thank
you
very
specially,
mr
block.
Thank
you
for
joining
today
appreciate
all
of
your
knowledge
and
all
of
the
effort
that
you
put
in
here.
It's
always
great.
D
B
A
B
I
I
learned
something
new
from
you
and
by
something
I
mean
about
three
dozen
things.
Every
time
we
talk
yeah,
so
thank
you
very
much
for
coming
on.
The
show
really
do
appreciate
it.
So
for
our
audience,
please
don't
hesitate
to
reach
out
even
after
the
show
ends
with
with
questions
you
can
reach
me,
andrew.sullivan,
redhat.com
or
practicalandrew
on
twitter
you're,
more
than
welcome
to
reach
out
with
questions
right
happy
to
answer
those
if
I
can
or
bring
in
mr
block
as
needed
chris,
if
you're.
A
C
A
lot,
as
always
for
the
opportunity
to
come
on.
If
you
want
to
hear
you
need
to
reach
out
to
me
a
block
at
redhat.com
on
twitter
at
saver
s-a-b-r-e-1041.
B
Everybody
have
a
have
a
great
rest
of
your
day.