openshift
diff --git a/‎_attributes/attributes-openshift-dedicated.adoc‎
Lines changed: 2 additions & 0 deletions b/‎_attributes/attributes-openshift-dedicated.adoc‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎modules/images-configuration-allowed.adoc‎
Lines changed: 22 additions & 30 deletions b/‎modules/images-configuration-allowed.adoc‎
Lines changed: 22 additions & 30 deletions
diff --git a/‎modules/images-configuration-blocked-payload.adoc‎
Lines changed: 14 additions & 7 deletions b/‎modules/images-configuration-blocked-payload.adoc‎
Lines changed: 14 additions & 7 deletions
diff --git a/‎modules/images-configuration-blocked.adoc‎
Lines changed: 17 additions & 20 deletions b/‎modules/images-configuration-blocked.adoc‎
Lines changed: 17 additions & 20 deletions
diff --git a/‎modules/images-configuration-cas.adoc‎
Lines changed: 9 additions & 5 deletions b/‎modules/images-configuration-cas.adoc‎
Lines changed: 9 additions & 5 deletions
diff --git a/‎modules/images-configuration-file.adoc‎
Lines changed: 12 additions & 24 deletions b/‎modules/images-configuration-file.adoc‎
Lines changed: 12 additions & 24 deletions
@@ -7,6 +7,8 @@
 :OCP: OpenShift Container Platform
 :OCP-short: OpenShift
 :ocp-version: 4.19
+:op-system-base: RHEL
+:op-system-base-full: Red{nbsp}Hat Enterprise Linux (RHEL)
 :op-system-first: Red Hat Enterprise Linux CoreOS (RHCOS)
 :oc-first: pass:quotes[OpenShift CLI (`oc`)]
 :cluster-manager-first: Red Hat OpenShift Cluster Manager
 
@@ -1,24 +1,24 @@
 // Module included in the following assemblies:
 //
 // * openshift_images/image-configuration.adoc
-// * post_installation_configuration/preparing-for-users.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="images-configuration-allowed_{context}"]
-= Adding specific registries
+= Adding specific registries to an allowlist
 
-You can add a list of registries, and optionally an individual repository within a registry, that are permitted for image pull and push actions by editing the `image.config.openshift.io/cluster` custom resource (CR). {product-title} applies the changes to this CR to all nodes in the cluster.
+[role="_abstract"]
+You can add an allowlist of registries, or an individual repository, within a registry for image pull and push actions by editing the `image.config.openshift.io/cluster` custom resource (CR).
 
-When pulling or pushing images, the container runtime searches the registries listed under the `registrySources` parameter in the `image.config.openshift.io/cluster` CR. If you created a list of registries under the `allowedRegistries` parameter, the container runtime searches only those registries. Registries not in the list are blocked.
+{product-title} applies the changes to this CR to all nodes in the cluster.
 
-[WARNING]
-====
-When the `allowedRegistries` parameter is defined, all registries, including the `registry.redhat.io` and `quay.io` registries and the default {product-registry}, are blocked unless explicitly listed. If you use the parameter, to prevent pod failure, add the `registry.redhat.io` and `quay.io` registries and the `internalRegistryHostname` to the `allowedRegistries` list, as they are required by payload images within your environment. For disconnected clusters, mirror registries should also be added.
-====
+When pulling or pushing images, the container runtime searches the registries listed under the `registrySources` parameter in the `image.config.openshift.io/cluster` CR. If you created a list of registries under the `allowedRegistries` parameter, the container runtime searches only those registries. Registries not in your allowlist are blocked.
+//false positive vale example block
+
+include::snippets/allowed-registries-warning.adoc[leveloffset=+1]
 
 .Procedure
 
-* Edit the `image.config.openshift.io/cluster` custom resource:
+* Edit the `image.config.openshift.io/cluster` custom resource by running the following command:
 +
 [source,terminal]
 ----
@@ -41,8 +41,8 @@ metadata:
   selfLink: /apis/config.openshift.io/v1/images/cluster
   uid: e34555da-78a9-11e9-b92b-06d6c7da38dc
 spec:
-  registrySources: <1>
-    allowedRegistries: <2>
+  registrySources:
+    allowedRegistries:
     - example.com
     - quay.io
     - registry.redhat.io
@@ -51,20 +51,9 @@ spec:
 status:
   internalRegistryHostname: image-registry.openshift-image-registry.svc:5000
 ----
-<1> Contains configurations that determine how the container runtime should treat individual registries when accessing images for builds and pods. It does not contain configuration for the internal cluster registry.
-<2> Specify registries, and optionally a repository in that registry, to use for image pull and push actions. All other registries are blocked.
-+
-[NOTE]
-====
-Either the `allowedRegistries` parameter or the `blockedRegistries` parameter can be set, but not both.
-====
-+
-The Machine Config Operator (MCO) watches the `image.config.openshift.io/cluster` resource for any changes to the registries. When the MCO detects a change, it triggers a rollout on nodes in machine config pool (MCP). The allowed registries list is used to update the image signature policy in the `/etc/containers/policy.json` file on each node. Changes to the `/etc/containers/policy.json` file do not require the node to drain.
 
 ifndef::openshift-rosa,openshift-dedicated[]
-.Verification
-
-* Enter the following command to obtain a list of your nodes:
+. After you make your configuration updates, list your nodes by running the following command:
 +
 [source,terminal]
 ----
@@ -79,12 +68,14 @@ NAME               STATUS   ROLES                  AGE   VERSION
 <node_name>        Ready    control-plane,master   37m   v1.27.8+4fab27b
 ----
 
-. Run the following command to enter debug mode on the node:
+. Enter debug mode on the node by running the following command:
 +
 [source,terminal]
 ----
 $ oc debug node/<node_name>
 ----
++
+Replace <node_name> with the name of your node.
 
 . When prompted, enter `chroot /host` into the terminal:
 +
@@ -93,18 +84,18 @@ $ oc debug node/<node_name>
 sh-4.4# chroot /host
 ----
 
-. Enter the following command to check that the registries have been added to the policy file:
+.Verification
+
+. Check that the registries are in the policy file by running the following command:
 +
 [source,terminal]
 ----
 sh-5.1# cat /etc/containers/policy.json | jq '.'
 ----
 +
-The following policy indicates that only images from the example.com, quay.io, and registry.redhat.io registries are permitted for image pulls and pushes:
+The following policy indicates that only images from the `example.com`, `quay.io`, and `registry.redhat.io` registries are accessible for image pulls and pushes:
 +
 .Example image signature policy file
-[%collapsible]
-====
 [source,text]
 ----
 {
@@ -188,9 +179,9 @@ The following policy indicates that only images from the example.com, quay.io, a
    }
 }
 ----
-====
 endif::openshift-rosa,openshift-dedicated[]
-
++
+--
 [NOTE]
 ====
 If your cluster uses the `registrySources.insecureRegistries` parameter, ensure that any insecure registries are included in the allowed list.
@@ -211,3 +202,4 @@ spec:
     - image-registry.openshift-image-registry.svc:5000
 ----
 ====
+--
@@ -3,13 +3,16 @@
 // * openshift_images/image-configuration.adoc
 
 :_mod-docs-content-type: PROCEDURE
-[id="images-configuration-blocked-payload"]
-
+[id="images-configuration-blocked-payload_{context}"]
 = Blocking a payload registry
 
-In a mirroring configuration, you can block upstream payload registries in a disconnected environment using a `ImageContentSourcePolicy` (ICSP) object. The following example procedure demonstrates how to block the `quay.io/openshift-payload` payload registry.
+[role="_abstract"]
+In a mirroring configuration, you can block upstream payload registries in a disconnected environment by using a `ImageContentSourcePolicy` (ICSP) object.
+//oc mirror v2 does not support ICSP; this content needs an update or a note
+The following example procedure demonstrates how to block the `quay.io/openshift-payload` payload registry.
 
 .Procedure
+
 . Create the mirror configuration using an `ImageContentSourcePolicy` (ICSP) object to mirror the payload to a registry in your instance. The following example ICSP file mirrors the payload `internal-mirror.io/openshift-payload`:
 +
 [source,yaml]
@@ -24,7 +27,8 @@ spec:
     - internal-mirror.io/openshift-payload
     source: quay.io/openshift-payload
 ----
-. After the object deploys onto your nodes, verify that the mirror configuration is set by checking the `/etc/containers/registries.conf` file:
+
+. After the object deploys onto your nodes, verify that the mirror configuration is set by checking the `/etc/containers/registries.conf` custom resource (CR):
 +
 .Example output
 [source,terminal]
@@ -37,13 +41,15 @@ spec:
 [[registry.mirror]]
   location = "internal-mirror.io/openshift-payload"
 ----
-. Use the following command to edit the `image.config.openshift.io` custom resource file:
+
+. Use the following command to edit the `image.config.openshift.io` CR:
 +
 [source,terminal]
 ----
 $ oc edit image.config.openshift.io cluster
 ----
-. To block the payload registry, add the following configuration to the `image.config.openshift.io` custom resource file:
+
+. To block the payload registry, add the following configuration to the `image.config.openshift.io` CR:
 +
 [source,yaml]
 ----
@@ -54,9 +60,10 @@ spec:
 ----
 
 .Verification
+//can we run a command such as an oc debug or oc edit to look at this file?
 * Verify that the upstream payload registry is blocked by checking the `/etc/containers/registries.conf` file on the node.
 +
-.Example output
+.Example `/etc/containers/registries.conf` file
 [source,terminal]
 ----
 [[registry]]
 
@@ -1,24 +1,26 @@
 // Module included in the following assemblies:
 //
 // * openshift_images/image-configuration.adoc
-// * post_installation_configuration/preparing-for-users.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="images-configuration-blocked_{context}"]
 = Blocking specific registries
 
-You can block any registry, and optionally an individual repository within a registry, by editing the `image.config.openshift.io/cluster` custom resource (CR). {product-title} applies the changes to this CR to all nodes in the cluster.
+[role="_abstract"]
+You can block any registry, or an individual repository, within a registry by editing the `image.config.openshift.io/cluster` custom resource (CR).
+
+{product-title} applies the changes to this CR to all nodes in the cluster.
 
 When pulling or pushing images, the container runtime searches the registries listed under the `registrySources` parameter in the `image.config.openshift.io/cluster` CR. If you created a list of registries under the `blockedRegistries` parameter, the container runtime does not search those registries. All other registries are allowed.
 
 [WARNING]
 ====
-To prevent pod failure, do not add the `registry.redhat.io` and `quay.io` registries to the `blockedRegistries` list, as they are required by payload images within your environment.
+To prevent pod failure, do not add the `registry.redhat.io` and `quay.io` registries to the `blockedRegistries` list. Payload images within your environment require access to these registries.
 ====
-
+//how does this work for mirror registries?
 .Procedure
 
-* Edit the `image.config.openshift.io/cluster` custom resource:
+* Edit the `image.config.openshift.io/cluster` custom resource by running the following command:
 +
 [source,terminal]
 ----
@@ -41,27 +43,18 @@ metadata:
   selfLink: /apis/config.openshift.io/v1/images/cluster
   uid: e34555da-78a9-11e9-b92b-06d6c7da38dc
 spec:
-  registrySources: <1>
-    blockedRegistries: <2>
+  registrySources:
+    blockedRegistries:
     - untrusted.com
     - reg1.io/myrepo/myapp:latest
 status:
   internalRegistryHostname: image-registry.openshift-image-registry.svc:5000
 ----
-<1> Contains configurations that determine how the container runtime should treat individual registries when accessing images for builds and pods. It does not contain configuration for the internal cluster registry.
-<2> Specify registries, and optionally a repository in that registry, that should not be used for image pull and push actions. All other registries are allowed.
-+
-[NOTE]
-====
-Either the `blockedRegistries` registry or the `allowedRegistries` registry can be set, but not both.
-====
 +
-The Machine Config Operator (MCO) watches the `image.config.openshift.io/cluster` resource for any changes to the registries. When the MCO detects a change, it drains the nodes, applies the change, and uncordons the nodes. After the nodes return to the `Ready` state, changes to the blocked registries appear in the `/etc/containers/registries.conf` file on each node. During this period, you might experience service unavailability.
+You cannot set both the `blockedRegistries` and `allowedRegistries` parameters. You must select one or the other.
 
 ifndef::openshift-rosa,openshift-dedicated[]
-.Verification
-
-* Enter the following command to obtain a list of your nodes:
+. Get a list of your nodes by running the following command:
 +
 [source,terminal]
 ----
@@ -82,6 +75,8 @@ NAME                STATUS   ROLES                  AGE   VERSION
 ----
 $ oc debug node/<node_name>
 ----
++
+Replace <node_name> with the name of the node you want details about.
 
 . When prompted, enter `chroot /host` into the terminal:
 +
@@ -90,14 +85,16 @@ $ oc debug node/<node_name>
 sh-4.4# chroot /host
 ----
 
-. Enter the following command to check that the registries have been added to the policy file:
+.Verification
+
+. Verify that the registries are in the policy file by running the following command:
 +
 [source,terminal]
 ----
 sh-5.1# cat etc/containers/registries.conf
 ----
 +
-The following example indicates that images from the `untrusted.com` registry are prevented for image pulls and pushes:
+The following example indicates that images from the `untrusted.com` registry are blocked for image pulls and pushes:
 +
 .Example output
 [source,text]
 
@@ -8,16 +8,17 @@
 = Configuring additional trust stores for image registry access
 
 [role="_abstract"]
-You can update an `image.config.openshift.io/cluster` custom resource (CR) to include a reference to a config map that includes additional certificate authorities (CAs). You must ensure that these CAs are trusted during image registry access. The config map key is the hostname of a registry with the port for which this CA is to be trusted. The Privacy-Enhanced Mail (PEM) certificate content is the value, for each additional registry CA to trust.
+You can add references to a config map that has additional certificate authorities (CAs) to be trusted during image registry access to the `image.config.openshift.io/cluster` custom resource (CR).
 
 .Prerequisites
 
-* Ensure that a CA is PEM-encoded.
+* The certificate authorities (CAs) must be PEM-encoded.
 
 .Procedure
 
-. Create a config map in the `openshift-config` namespace. The following example configurations show defined image registry CA that exists in a config map:
+. Create a config map in the `openshift-config` namespace, then and use the config map name in the `AdditionalTrustedCA` parameter of the `image.config.openshift.io` CR. This adds CAs that should be trusted when the cluster contacts external image registries.
 +
+.Image registry CA config map example
 [source,yaml]
 ----
 apiVersion: v1
@@ -37,9 +38,12 @@ data:
 +
 where:
 +
-`registry-with-port.example.com..5000`:: If the registry has the port, `:` should be replaced with `..`.
+`data:registry.example.com:`:: An example hostname of a registry for which this CA is to be trusted.
+`data:registry-with-port.example.com..5000:`:: An example hostname of a registry with the port for which this CA is to be trusted. If the registry has a port, such as `registry-with-port.example.com:5000`, `:` must be replaced with `..`.
++
+The PEM certificate content is the value for each additional registry CA to trust.
 
-. Configure an additional CA. Ensure that you specify the name of the CA in the AdditionalTrustedCA` parameter of the `image.config.openshift.io` CR. You can then provide additional CAs that must be trusted when contacting external registries.
+. Optional. Configure an additional CA by running the following command:
 +
 [source,terminal]
 ----
 
@@ -6,21 +6,12 @@
 [id="images-configuration-file_{context}"]
 = Configuring image registry settings
 
+[role="_abstract"]
 You can configure image registry settings by editing the `image.config.openshift.io/cluster` custom resource (CR).
-When changes to the registry are applied to the `image.config.openshift.io/cluster` CR, the Machine Config Operator (MCO) performs the following sequential actions:
-
-. Cordons the node
-. Applies changes by restarting CRI-O
-. Uncordons the node
-+
-[NOTE]
-====
-The MCO does not restart nodes when it detects changes.
-====
 
 .Procedure
 
-. Edit the `image.config.openshift.io/cluster` custom resource:
+. Edit the `image.config.openshift.io/cluster` CR by running the following command:
 +
 [source,terminal]
 ----
@@ -32,7 +23,7 @@ The following is an example `image.config.openshift.io/cluster` CR:
 [source,yaml]
 ----
 apiVersion: config.openshift.io/v1
-kind: Image <1>
+kind: Image
 metadata:
   annotations:
     release.openshift.io/create-only: "true"
@@ -43,12 +34,12 @@ metadata:
   selfLink: /apis/config.openshift.io/v1/images/cluster
   uid: e34555da-78a9-11e9-b92b-06d6c7da38dc
 spec:
-  allowedRegistriesForImport: <2>
+  allowedRegistriesForImport:
     - domainName: quay.io
       insecure: false
-  additionalTrustedCA: <3>
+  additionalTrustedCA:
     name: myconfigmap
-  registrySources: <4>
+  registrySources:
     allowedRegistries:
     - example.com
     - quay.io
@@ -60,21 +51,18 @@ spec:
 status:
   internalRegistryHostname: image-registry.openshift-image-registry.svc:5000
 ----
-<1> `Image`: Holds cluster-wide information about how to handle images. The canonical, and only valid name is `cluster`.
-<2> `allowedRegistriesForImport`: Limits the container image registries from which normal users may import images. Set this list to the registries that you trust to contain valid images, and that you want applications to be able to import from. Users with permission to create images or `ImageStreamMappings` from the API are not affected by this policy. Typically only cluster administrators have the appropriate permissions.
-<3> `additionalTrustedCA`: A reference to a config map containing additional certificate authorities (CA) that are trusted during image stream import, pod image pull, `openshift-image-registry` pullthrough, and builds. The namespace for this config map is `openshift-config`. The format of the config map is to use the registry hostname as the key, and the PEM certificate as the value, for each additional registry CA to trust.
-<4> `registrySources`: Contains configuration that determines whether the container runtime allows or blocks individual registries when accessing images for builds and pods. Either the `allowedRegistries` parameter or the `blockedRegistries` parameter can be set, but not both. You can also define whether or not to allow access to insecure registries or registries that allow registries that use image short names. This example uses the `allowedRegistries` parameter, which defines the registries that are allowed to be used. The insecure registry `insecure.com` is also allowed. The `registrySources` parameter does not contain configuration for the internal cluster registry.
 +
 [NOTE]
 ====
-When the `allowedRegistries` parameter is defined, all registries, including the registry.redhat.io and quay.io registries and the default {product-registry}, are blocked unless explicitly listed. If you use the parameter, to prevent pod failure, you must add the `registry.redhat.io` and `quay.io` registries and the `internalRegistryHostname` to the `allowedRegistries` list, as they are required by payload images within your environment. Do not add the `registry.redhat.io` and `quay.io` registries to the `blockedRegistries` list.
-
-When using the `allowedRegistries`, `blockedRegistries`, or `insecureRegistries` parameter, you can specify an individual repository within a registry. For example: `reg1.io/myrepo/myapp:latest`.
+When you use the `allowedRegistries`, `blockedRegistries`, or `insecureRegistries` parameter, you can specify an individual repository within a registry. For example: `reg1.io/myrepo/myapp:latest`.
 
-Insecure external registries should be avoided to reduce possible security risks.
+Avoid insecure external registries to reduce possible security risks.
 ====
+//moved footnotes to reference table
+
+.Verification
 
-. To check that the changes are applied, list your nodes:
+. To verify your changes, list your nodes by running the following command:
 +
 [source,terminal]
 ----