Setting up a private container registry for IBM Cloud Pak for Data
It is strongly recommended that you mirror software images from the IBM Entitled Registry to a private container registry for additional security and improved performance. If you don't have an existing private container registry, complete the appropriate steps to set up a private container registry on your environment.
Who needs to complete this task?
Cluster administrator: A cluster administrator must complete this task.
When do you need to complete this task?
One-time setup: If you don't have an existing private container registry and you plan to use one to store images, complete this task before you install IBM Cloud Pak for Data.
If you plan to pull images directly from the IBM Entitled Registry, review the information in About this task before you decide to skip this task.
Before you begin
Cluster requirements
To use a private container registry, your cluster must support image content source policies (ImageContentSourcePolicy).
Registry requirements
Your private container registry must meet the following requirements:
- Support the Docker Image Manifest Version 2, Schema 2
- Allow path separators in image names
- Be in close proximity to your Red Hat® OpenShift® Container Platform cluster
- Be accessible from all of the nodes in the cluster, and all of the nodes must have permission to push to and pull from the private container registry
- Have an upload capacity of at least 50 GB
- Allow image sizes greater than 40 GB
Restriction: You cannot use the integrated OpenShift Container Platform registry. It does not support multi-architecture images and is not compliant with the Docker Image Manifest Version 2, Schema 2.
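A preflight check for the Schema 2 and multi-architecture requirements above, as an added example (not IBM's code): it inspects the manifest that a registry serves for a mirrored test image. The function names, sample manifests, and architecture list are constructed for illustration.

```python
import json

# Media types from the Docker Image Manifest Version 2, Schema 2 specification.
SCHEMA2 = "application/vnd.docker.distribution.manifest.v2+json"
SCHEMA2_LIST = "application/vnd.docker.distribution.manifest.list.v2+json"


def classify_manifest(body):
    """Classify a manifest body as 'schema1', 'schema2', 'schema2-list' or 'other'."""
    doc = json.loads(body)
    if doc.get("schemaVersion") == 1:
        return "schema1"
    kinds = {SCHEMA2: "schema2", SCHEMA2_LIST: "schema2-list"}
    return kinds.get(doc.get("mediaType"), "other")


def check_mirrored_manifest(body, expected_arches):
    """Return a list of problems found in a manifest served by the private registry."""
    kind = classify_manifest(body)
    if kind == "schema1":
        return ["registry served a Schema 1 manifest; Schema 2 is required"]
    if kind == "other":
        return ["manifest is not a Docker Version 2, Schema 2 media type"]
    if kind == "schema2":
        if len(expected_arches) > 1:
            return ["multi-architecture manifest list was reduced to a single image"]
        return []
    served = {m["platform"]["architecture"] for m in json.loads(body)["manifests"]}
    missing = sorted(set(expected_arches) - served)
    return ["manifest list is missing architectures: " + ", ".join(missing)] if missing else []


def _entry(arch, fill):
    # Constructed manifest-list entry; the digest is a placeholder, not a real image.
    return {"mediaType": SCHEMA2, "size": 1234, "digest": "sha256:" + fill * 64,
            "platform": {"architecture": arch, "os": "linux"}}


# Constructed sample responses (not captured from any real registry).
SAMPLE_LIST = json.dumps({"schemaVersion": 2, "mediaType": SCHEMA2_LIST,
                          "manifests": [_entry("amd64", "a"), _entry("s390x", "b")]})
SAMPLE_SCHEMA1 = json.dumps({"schemaVersion": 1, "name": "cpd/sample", "tag": "1.0",
                             "architecture": "amd64", "fsLayers": [], "history": []})

if __name__ == "__main__":
    for label, body in (("manifest list", SAMPLE_LIST), ("schema 1", SAMPLE_SCHEMA1)):
        print(label, "->", check_mirrored_manifest(body, ["amd64", "s390x"]) or "ok")
```

A registry that passes this check for a multi-architecture test image has kept both the Schema 2 format and the manifest list intact after mirroring.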
About this task
When should you use a private container registry?
You must mirror the Cloud Pak for Data software images to your private container registry in the following situations:
- Your cluster is air-gapped (also called an offline or disconnected cluster).
- Your cluster uses an allowlist to permit direct access by specific sites, and the allowlist does not include the IBM Entitled Registry.
- Your cluster uses a blocklist to prevent direct access by specific sites, and the blocklist includes the IBM Entitled Registry.
Even if these situations do not apply to your environment, you should consider using a private container registry if you want to:
- Run security scans against the software images before you install them on your cluster
- Ensure that you have the same images available for multiple deployments, such as development or test environments and production environments
When can you use the IBM Entitled Registry?
The only situation in which you might consider pulling images directly from the IBM Entitled Registry is when your cluster is not air-gapped, your network is extremely reliable, and latency is not a concern. However, for predictable and reliable performance, you should mirror the images to a private container registry.
Procedure
To set up a private container registry: