Running your cluster in a restricted network without direct internet connectivity is possible by installing the cluster from a mirrored set of {product-title} container images in a private registry. This registry must be running at all times as long as the cluster is running. See the Prerequisites section for more information.
You can use the oc-mirror OpenShift CLI (oc) plugin to mirror images to a mirror registry in your fully or partially disconnected environments. You must run oc-mirror from a system with internet connectivity in order to download the required images from the official Red Hat registries.
The following steps outline the high-level workflow on how to use the oc-mirror plugin to mirror images to a mirror registry:
- Create an image set configuration file.
- Mirror the image set to the mirror registry by using one of the following methods:
  - Mirror an image set directly to the mirror registry.
  - Mirror an image set to disk, transfer the image set to the target environment, then upload the image set to the target mirror registry.
- Configure your cluster to use the resources generated by the oc-mirror plugin.
- Repeat these steps to update your mirror registry as necessary.

- For information about viewing the CRI-O logs to view the image source, see Viewing the image pull source.

- You must have a container image registry that supports Docker v2-2 in the location that will host the {product-title} cluster, such as Red Hat Quay.

  Note: If you use Red Hat Quay, you must use version 3.6 or later with the oc-mirror plugin. If you have an entitlement to Red Hat Quay, see the documentation on deploying Red Hat Quay for proof-of-concept purposes or by using the Quay Operator. If you need additional assistance selecting and installing a registry, contact your sales representative or Red Hat Support.
If you do not already have an existing solution for a container image registry, subscribers of {product-title} are provided a mirror registry for Red Hat OpenShift. The mirror registry for Red Hat OpenShift is included with your subscription and is a small-scale container registry that can be used to mirror the required container images of {product-title} in disconnected installations.
Before you can use the oc-mirror plugin to mirror images, you must install the plugin and create a container image registry credentials file to allow the mirroring from Red Hat to your mirror.
You can use the oc-mirror CLI plugin to mirror images to a mirror registry in a partially disconnected environment or in a fully disconnected environment.
These procedures assume that you already have your mirror registry set up.
In a partially disconnected environment, you can mirror an image set directly to the target mirror registry.
To mirror an image set in a fully disconnected environment, you must first mirror the image set to disk, then mirror the image set file on disk to a mirror.
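The fully disconnected path described above, as an added example that is not part of the original documentation: it wraps the disk-to-mirror transfer in a checksum check so that a damaged archive is not uploaded. The `oc mirror --config`, `--from`, `file://` and `docker://` forms are oc-mirror's own; the function names, the `SHA256SUMS` manifest and the assumption that the archives are `*.tar` files in one directory are illustrative.

```bash
#!/usr/bin/env bash
# Added example, not from the oc-mirror documentation. Assumptions: archives are
# *.tar files in one directory, sha256sum is available, names are illustrative.

# Connected host: write the image set to disk.
mirror_to_disk() {    # $1 = image set configuration file, $2 = output directory
  oc mirror --config="$1" "file://$2"
}

# Connected host: record a SHA-256 manifest of every archive before transfer.
seal_imageset() {     # $1 = directory holding the archives
  ( cd "$1" || exit 1
    set -- *.tar
    [ -e "$1" ] || { echo "no archives in $PWD" >&2; exit 1; }
    sha256sum -- "$@" > SHA256SUMS )
}

# Disconnected host: fail unless every listed archive matches its digest and
# no archive is present that the manifest does not list.
verify_imageset() {   # $1 = directory holding the archives and SHA256SUMS
  ( cd "$1" || exit 1
    [ -s SHA256SUMS ] || { echo "missing SHA256SUMS" >&2; exit 1; }
    sha256sum -c SHA256SUMS >/dev/null || exit 1
    for f in *.tar; do
      # A manifest line is 64 hex digits, two separator characters, then the name.
      cut -c67- SHA256SUMS | grep -qxF -- "$f" ||
        { echo "unlisted archive: $f" >&2; exit 1; }
    done )
}

# Disconnected host: upload an archive only after its directory verifies.
mirror_from_disk() {  # $1 = archive file, $2 = mirror registry host[:port]
  verify_imageset "$(dirname "$1")" || return 1
  oc mirror --from="$1" "docker://$2"
}
```

A manifest that travels with the archives detects corruption in transit only; to detect substitution, carry `SHA256SUMS` by a separate path or sign it.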
After your target mirror registry is populated with the initial image set, be sure to update it regularly so that it has the latest content. You can optionally set up a cron job, if possible, so that the mirror registry is updated on a regular basis.
Ensure that you update your image set configuration to add or remove {product-title} and Operator releases as necessary. Any images that are removed are pruned from the mirror registry.