Managing Trusted Registries in access profiles

Trusted registries let Kubernetes clusters pull container images from internal or private registries that use self-signed certificates. By configuring trusted registries in an Access Profile, users can allow their clusters to access these registries securely.


Overview

The Trusted Registries section appears when creating or editing an Access Profile. This section allows users to add or remove trusted container registries that clusters can use for image pulls. Changes to trusted registries apply only to clusters created after the Access Profile is updated. Existing clusters will continue to use the previous configuration unless repaired or redeployed.


Access Requirements

  • Only users with Manager or Partner roles can add and modify trusted registries.

Adding Trusted Registries

When creating or editing an Access Profile:

  • Go to the Trusted Registries section.
  • Add registry entries one at a time.
  • Each entry is validated automatically before it is added.

Entry Rules

  • Registry entries can include domain names or IP addresses.
  • A port can be included optionally (for example, :8443, :32000, or :9443).
  • Port numbers must be between 1 and 65535.
  • Do not include protocol prefixes such as http:// or https://.
  • A maximum of 100 registries can be defined per Access Profile.
  • Invalid entries are rejected with an error message indicating the problem.

Example Entries

secure.repo.net
10.25.34.8:5000
images.corpcloud.io:9443
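The entry rules above, implemented as an added validator for illustration (this is not the platform's own validation code); it assumes IPv4 addresses and RFC 1123 hostnames (IPv6 is not covered by this page) and is applied to the example entries:

```python
import ipaddress
import re
from typing import List, Optional, Tuple

MAX_REGISTRIES = 100  # per-Access-Profile limit stated in the docs
# Hostname label (assumed RFC 1123): letters, digits, hyphens; no leading/trailing hyphen
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


def validate_registry_entry(entry: str) -> Tuple[bool, str]:
    """Check one trusted-registry entry; return (ok, message)."""
    entry = entry.strip()
    if not entry:
        return False, "entry is empty"
    if _SCHEME.match(entry):
        return False, "protocol prefixes such as http:// or https:// are not allowed"
    # Split off an optional ":port" suffix (last colon only; IPv6 literals are out of scope)
    host, sep, port = entry.rpartition(":")
    port_str: Optional[str] = port if sep else None
    if not sep:
        host = entry
    if port_str is not None:
        if not port_str.isdigit() or not 1 <= int(port_str) <= 65535:
            return False, f"port must be a number between 1 and 65535, got {port_str!r}"
    # Accept a plain IPv4 address ...
    try:
        ipaddress.IPv4Address(host)
        return True, "ok"
    except ValueError:
        pass
    # ... or a domain name made of valid labels
    if len(host) <= 253 and all(_LABEL.match(label) for label in host.split(".")):
        return True, "ok"
    return False, f"{host!r} is neither a valid IPv4 address nor a domain name"


def validate_profile(entries: List[str]) -> List[str]:
    """Validate a whole Access Profile list; return a list of error messages (empty = valid)."""
    errors: List[str] = []
    if len(entries) > MAX_REGISTRIES:
        errors.append(f"at most {MAX_REGISTRIES} registries per Access Profile, got {len(entries)}")
    seen = set()
    for e in entries:
        ok, msg = validate_registry_entry(e)
        if not ok:
            errors.append(f"{e!r}: {msg}")
        elif e.strip() in seen:
            errors.append(f"{e!r}: duplicate entry")
        seen.add(e.strip())
    return errors


# Constructed sample: the three example entries from this page, which all pass
EXAMPLE_ENTRIES = ["secure.repo.net", "10.25.34.8:5000", "images.corpcloud.io:9443"]
```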

When new registries are added, a warning message indicates that the Access Profile has changed, and clusters may require repair or update.


Removing Trusted Registries

The user can remove any registry from the Access Profile as needed. Removing a registry does not immediately affect existing clusters. To apply the changes, clusters must be repaired or updated.


Viewing and Verification

Users can review the list of trusted registries in the Access Profile details page.

To verify which registries are configured on a running cluster, check the following file on the controller node:

/etc/containerd/config.toml

Key Considerations

Trusted Registries vs. Allowed Hosts:

  • Allowed Hosts define which network endpoints can communicate with the Kubernetes API or services. Trusted Registries define which container registries clusters can use to pull images.

Adding Public Registries:

  • Users can include public registries, but they should understand the security implications. This feature is mainly designed for internal or self-hosted registries with self-signed certificates.

Existing Clusters:

  • Modifications to trusted registries do not automatically update existing clusters. Only new clusters created after the change will reflect the updated list.

Supported Versions

Trusted Registry configuration is available for Kubernetes clusters using version v1.32.5 and above.