unqualified-search-registries = ['registry.fedoraproject.org', 'registry.access.redhat.com', 'registry.centos.org', 'docker.io']
[[registry]]
location="localhost:5000"
insecure=true
[[registry]]
location="registry.hub.docker.com"
blocked=true
> podman pull redhat/ubi8
✔ docker.io/redhat/ubi8:latest
Trying to pull docker.io/redhat/ubi8:latest...
Error: initializing source docker://redhat/ubi8:latest: registry docker.io is blocked in /etc/containers/registries.conf or /root/.config/containers/registries.conf.d
[[registry]]
location="registry.example.org"
prefix="registry.example.org/example"
blocked=true
prefix="registry.example.org/namespace/image"
This is how you would actually lock things down (an allow-list of registries, with everything else blocked), but it appears to be a won't-fix: Registry White Lists in registries.conf · Issue #548 · containers/image · GitHub
Use Podman image trust and policy.json
Let's assume that we are running our workload in an air-gapped environment: all our servers are disconnected from the internet. There are many reasons for that; we may be running at the edge, or in a highly security-sensitive environment that forbids connecting to the internet. In this case we cannot reach the original registry, so we need to run a registry on the local network that mirrors its contents.
A registry mirror is a registry that will be contacted before attempting to pull from the original one. It's a common use case and one of the oldest feature requests in the container ecosystem.
With this configuration, when pulling the Universal Base Image via podman pull ubi8, the image would be pulled from the mirror instead of Red Hat's container registry.
[[registry]]
location="registry.example.com"
[[registry.mirror]]
location="mirror-1.com"
[[registry.mirror]]
location="mirror-2.com"
[[registry.mirror]]
location="mirror-3.com"
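To see how the blocked, prefix and mirror stanzas above combine, here is an added example (not part of these notes and not Podman's own code): a small parser for the TOML subset that registries.conf uses, plus the resolution rules the notes describe, applied to a constructed registries.conf that merges the fragments from both the blocked-registry section and the mirror section. Given an image reference it expands short names through unqualified-search-registries, picks the longest matching prefix (defaulting to location), reports blocked and insecure, and lists the order in which pulls would be attempted (mirrors first, then the primary location). Podman's real matching also handles digests and docker.io's library/ namespace; those are simplifications left out here.

```python
"""Resolve an image reference against a registries.conf, Podman-style.

Added example: a parser for the TOML subset registries.conf uses (arrays of
tables, strings, booleans, string arrays) and the resolution rules from the
notes: short-name expansion, longest prefix match, blocked=true, and mirrors
tried before the primary location. Digest references and docker.io's
library/ normalisation are intentionally not modelled.
"""
import re

# Constructed sample registries.conf combining the fragments from the notes.
SAMPLE_CONF = """
unqualified-search-registries = ['registry.fedoraproject.org', 'docker.io']

[[registry]]
location = "localhost:5000"
insecure = true

[[registry]]
location = "docker.io"
blocked = true

[[registry]]
location = "registry.example.org"
prefix = "registry.example.org/example"   # only this namespace is blocked
blocked = true

[[registry]]
location = "registry.example.com"

[[registry.mirror]]
location = "mirror-1.com"

[[registry.mirror]]
location = "mirror-2.com"
"""


def parse_registries_conf(text):
    """Parse the registries.conf TOML subset into a plain dict."""
    conf = {"unqualified-search-registries": [], "registry": []}
    current = conf  # table that receives the next key = value pairs
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line == "[[registry]]":
            current = {"mirror": []}
            conf["registry"].append(current)
        elif line == "[[registry.mirror]]":
            current = {}
            conf["registry"][-1]["mirror"].append(current)
        elif line.startswith("["):
            raise ValueError(f"unsupported table header: {line!r}")
        else:
            key, value = (part.strip() for part in line.split("=", 1))
            if value in ("true", "false"):
                current[key] = value == "true"
            elif value.startswith("["):
                current[key] = re.findall(r"""['"]([^'"]+)['"]""", value)
            else:
                current[key] = value.strip("'\"")
    return conf


def _matches(name, prefix):
    """Prefix must end on a path/tag boundary, not in the middle of a word."""
    return name == prefix or name.startswith(prefix + "/") or name.startswith(prefix + ":")


def candidates(conf, ref):
    """Expand a short name through unqualified-search-registries."""
    first = ref.split("/", 1)[0]
    if "." in first or ":" in first or first == "localhost":
        return [ref]  # already qualified with a registry host
    return [f"{reg}/{ref}" for reg in conf["unqualified-search-registries"]]


def resolve(conf, ref):
    """Return, per candidate name, whether it is blocked/insecure and the pull order."""
    results = []
    for name in candidates(conf, ref):
        best = None  # (prefix, entry) with the longest matching prefix
        for entry in conf["registry"]:
            prefix = entry.get("prefix", entry["location"])
            if _matches(name, prefix) and (best is None or len(prefix) > len(best[0])):
                best = (prefix, entry)
        if best is None:  # no stanza applies: plain pull from the named registry
            results.append({"name": name, "blocked": False, "insecure": False, "pull_order": [name]})
            continue
        prefix, entry = best
        rest = name[len(prefix):]  # part of the reference after the matched prefix
        order = [m["location"] + rest for m in entry["mirror"]] + [entry["location"] + rest]
        results.append({"name": name, "blocked": entry.get("blocked", False),
                        "insecure": entry.get("insecure", False), "pull_order": order})
    return results


if __name__ == "__main__":
    conf = parse_registries_conf(SAMPLE_CONF)
    for ref in ("ubi8", "docker.io/redhat/ubi8:latest", "registry.example.com/ns/app:1.0",
                "registry.example.org/example/app", "registry.example.org/other/app"):
        for r in resolve(conf, ref):
            print(f"{ref:40} -> {r}")
```

Running the block shows that a short name such as ubi8 yields one candidate per search registry (the docker.io one blocked), that registry.example.org/other/app is not blocked because the stanza's prefix only covers registry.example.org/example, and that registry.example.com pulls are attempted from mirror-1.com, then mirror-2.com, then the primary location.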