Add UnqualifiedSearchRegistries to the Image CR

modules/images-configuration-allowed.adoc

@@ -12,7 +12,7 @@ When pulling or pushing images, the container runtime searches the registries li
 
 [WARNING]
 ====
-When the `allowedRegistries` parameter is defined, all registries including the registry.redhat.io and quay.io registries are blocked unless explicitly listed. If you use the parameter, to prevent pod failure, add `registry.redhat.io` and `quay.io` to the `allowedRegistries` list, as they are required by payload images within your environment. For disconnected clusters, mirror registries should also be added.
+When the `allowedRegistries` parameter is defined, all registries including the `registry.redhat.io` and `quay.io` registries are blocked unless explicitly listed. If you use the parameter, to prevent pod failure, add `registry.redhat.io` and `quay.io` to the `allowedRegistries` list, as they are required by payload images within your environment. For disconnected clusters, mirror registries should also be added.
 ====
 
 .Procedure
@@ -56,7 +56,7 @@ status:
 Either the `allowedRegistries` parameter or the `blockedRegistries` parameter can be set, but not both.
 ====
 +
-The Machine Config Operator (MCO) watches the `image.config.openshift.io/cluster` resource for any changes to the registries. When the MCO detects a change, it drains the nodes, applies the change, and uncordons the nodes. Changes to the allowed registries creates or updates the image signature policy in the `/host/etc/containers/policy.json` file on each node.
+The Machine Config Operator (MCO) watches the `image.config.openshift.io/cluster` resource for any changes to the registries. When the MCO detects a change, it drains the nodes, applies the change, and uncordons the nodes. After the nodes return to the `Ready` state, the allowed registries list is used to update the image signature policy in the `/host/etc/containers/policy.json` file on each node.
 
 . To check that the registries have been added to the policy file, use the following command on a node:
 +

modules/images-configuration-blocked.adoc

@@ -49,7 +49,7 @@ status:
 Either the `blockedRegistries` registry or the `allowedRegistries` registry can be set, but not both.
 ====
 +
-The Machine Config Operator (MCO) watches the `image.config.openshift.io/cluster` resource for any changes to the registries. When the MCO detects a change, it drains the nodes, applies the change, and uncordons the nodes. Changes to the blocked registries appear in the `/etc/containers/registries.conf` file on each node.
+The Machine Config Operator (MCO) watches the `image.config.openshift.io/cluster` resource for any changes to the registries. When the MCO detects a change, it drains the nodes, applies the change, and uncordons the nodes. After the nodes return to the `Ready` state, changes to the blocked registries appear in the `/etc/containers/registries.conf` file on each node.
 
 . To check that the registries have been added to the policy file, use the following command on a node:
 +

modules/images-configuration-file.adoc

@@ -42,7 +42,7 @@ spec:
       insecure: false
   additionalTrustedCA: <3>
     name: myconfigmap
-  registrySources:<4>
+  registrySources: <4>
     allowedRegistries:
     - example.com
     - quay.io

modules/images-configuration-insecure.adoc

@@ -60,7 +60,7 @@ status:
 When the `allowedRegistries` parameter is defined, all registries including the registry.redhat.io and quay.io registries are blocked unless explicitly listed. If you use the parameter, to prevent pod failure, add `registry.redhat.io` and `quay.io` to the `allowedRegistries` list, as they are required by payload images within your environment. 
 ====
 +
-The Machine Config Operator (MCO) watches the `image.config.openshift.io/cluster` CR for any changes to registries and reboots the nodes when it detects changes. Changes to the insecure and blocked registries appear in the `/etc/containers/registries.conf` file on each node.
+The Machine Config Operator (MCO) watches the `image.config.openshift.io/cluster` CR for any changes to the registries, then drains and uncordons the nodes when it detects changes. After the nodes return to the `Ready` state, changes to the insecure and blocked registries appear in the `/etc/containers/registries.conf` file on each node.
 
 . To check that the registries have been added to the policy file, use the following command on a node:
 +
@@ -81,4 +81,3 @@ unqualified-search-registries = ["registry.access.redhat.com", "docker.io"]
   location = "insecure.com"
   insecure = true
 ----
-

modules/images-configuration-parameters.adoc

@@ -56,19 +56,22 @@ configuration for the internal cluster registry.
 `insecureRegistries`: Registries which do not have a valid TLS certificate or
 only support HTTP connections.
 
-`blockedRegistries`: Denylisted for image pull and push actions. All other
+`blockedRegistries`: Registries for which image pull and push actions are denied. All other
 registries are allowed.
 
-`allowedRegistries`: Allowlisted for image pull and push actions. All other
+`allowedRegistries`: Registries for which image pull and push actions are allowed. All other
 registries are blocked.
 
+`containerRuntimeSearchRegistries`: Registries for which image pull and push actions are allowed
+using image short names. All other registries are blocked.
+
 Either `blockedRegistries` or `allowedRegistries` can be set, but not both.
 
 |===
 
 [WARNING]
 ====
-When the `allowedRegistries` parameter is defined, all registries including `registry.redhat.io` and `quay.io` are blocked unless explicitly listed. If using the parameter, declare source registries `registry.redhat.io` and `quay.io` as required by payload images within your environment, to prevent pod failure. For disconnected clusters, mirror registries should also be added.
+When the `allowedRegistries` parameter is defined, all registries including `registry.redhat.io` and `quay.io` are blocked unless explicitly listed. When using the parameter,  to prevent pod failure, declare the `registry.redhat.io` and `quay.io` registries, as they are required by payload images within your environment. For disconnected clusters, mirror registries should also be added.
 ====
 
 The `status` field of the `image.config.openshift.io/cluster` resource holds

modules/images-configuration-shortname.adoc

@@ -0,0 +1,94 @@
+// Module included in the following assemblies:
+//
+// * openshift_images/image-configuration.adoc
+// * post_installation_configuration/preparing-for-users.adoc
+
+[id="images-configuration-shortname_{context}"]
+= Adding registries that allow image short names
+
+You can add registries to search for an image short name by editing the `image.config.openshift.io/cluster` custom resource (CR). {product-title} applies the changes to this CR to all nodes in the cluster.
+
+An image short name enables you to search for images without including the fully qualified domain name in the pull spec. For example, you could use `rhel7/etcd` instead of `registry.access.redhat.com/rhe7/etcd`. 
+
+You might use short names in situations where using the full path is not practical. For example, if your cluster references multiple internal registries whose DNS changes frequently, you would need to update the fully qualified domain names in your pull specs with each change. In this case, using an image short name might be beneficial.
+
+When pulling or pushing images, the container runtime searches the registries listed under the `registrySources` parameter in the `image.config.openshift.io/cluster` CR. If you created a list of registries under the `containerRuntimeSearchRegistries` parameter, when pulling an image with a short name, the container runtime searches those registries. 
+
+[WARNING]
+====
+Using image short names with public registries is strongly discouraged. You should use image short names with only internal or private registries.
+
+If you list public registries under the `containerRuntimeSearchRegistries` parameter, you expose your credentials to all the registries on the list and you risk network and registry attacks. You should always use fully-qualified image names with public registries.
+====
+
+The Machine Config Operator (MCO) watches the `image.config.openshift.io/cluster` resource for any changes to the registries. When the MCO detects a change, it drains the nodes, applies the change, and uncordons the nodes. After the nodes return to the `Ready` state, if the `containerRuntimeSearchRegistries` parameter is added, the MCO creates a file in the `/etc/containers/registries.conf.d` directory on each node with the listed registries. The file overrides the default list of unqualified search registries in the `/host/etc/containers/registries.conf` file. There is no way to fall back to the default list of unqualified search registries.
+
+The `containerRuntimeSearchRegistries` parameter works only with the Podman and CRI-O container engines. The registries in the list can be used only in pod specs, not in builds and image streams.
+
+.Procedure
+
+. Edit the `image.config.openshift.io/cluster` custom resource:
++
+[source,terminal]
+----
+$ oc edit image.config.openshift.io/cluster
+----
++
+The following is an example `image.config.openshift.io/cluster` CR:
++
+[source,yaml]
+----
+apiVersion: config.openshift.io/v1
+kind: Image
+metadata:
+  annotations:
+    release.openshift.io/create-only: "true"
+  creationTimestamp: "2019-05-17T13:44:26Z"
+  generation: 1
+  name: cluster
+  resourceVersion: "8302"
+  selfLink: /apis/config.openshift.io/v1/images/cluster
+  uid: e34555da-78a9-11e9-b92b-06d6c7da38dc
+spec:
+  allowedRegistriesForImport:
+    - domainName: quay.io
+      insecure: false
+  additionalTrustedCA:
+    name: myconfigmap
+  registrySources:
+    containerRuntimeSearchRegistries: <1>
+    - "reg1.io"
+    - "reg2.io"
+    - "reg3.io"
+    allowedRegistries: <2>
+    - example.com
+    - quay.io
+    - registry.redhat.io
+    - "reg1.io"
+    - "reg2.io"
+    - "reg3.io"
+...
+status:
+  internalRegistryHostname: image-registry.openshift-image-registry.svc:5000
+----
+<1> Specify registries to use with image short names. You should use image short names with only internal or private registries to reduce possible security risks.
+<2> Ensure that any registries listed under `containerRuntimeSearchRegistries` are included in the `allowedRegistries` list.
++
+[NOTE]
+====
+When the `allowedRegistries` parameter is defined, all registries including the `registry.redhat.io` and `quay.io` registries are blocked unless explicitly listed. If you use this parameter, to prevent pod failure, add `registry.redhat.io` and `quay.io` to the `allowedRegistries` list, as they are required by payload images within your environment. 
+====
+
+. To check that the registries have been added, use the following command on a node:
++
+[source,terminal]
+----
+$ cat /host/etc/containers/registries.conf.d/01-image-searchRegistries.conf
+----
++
+.Example output
+[source,terminal]
+----
+unqualified-search-registries = ['reg1.io', 'reg2.io', 'reg3.io']
+----
+

openshift_images/image-configuration.adoc

@@ -16,6 +16,8 @@ include::modules/images-configuration-blocked.adoc[leveloffset=+2]
 
 include::modules/images-configuration-insecure.adoc[leveloffset=+2]
 
+include::modules/images-configuration-shortname.adoc[leveloffset=+2]
+
 include::modules/images-configuration-cas.adoc[leveloffset=+2]
 
 include::modules/images-configuration-registry-mirror.adoc[leveloffset=+2]

post_installation_configuration/preparing-for-users.adoc

@@ -128,6 +128,8 @@ include::modules/images-configuration-cas.adoc[leveloffset=+3]
 
 include::modules/images-configuration-insecure.adoc[leveloffset=+3]
 
+include::modules/images-configuration-shortname.adoc[leveloffset=+3]
+
 include::modules/images-configuration-registry-mirror.adoc[leveloffset=+3]
 
 include::modules/olm-installing-operators-from-operatorhub.adoc[leveloffset=+1]