Azure Red Hat OpenShift: Disable community operators in Operators Hub
In this post, we will see how to disable community operators so that you only bring in services from trusted catalog sources.
OpenShift OperatorHub is the marketplace that allows third-party vendors and communities, as well as Red Hat itself, to offer features and new services to OpenShift consumers.
Operators are essentially Kubernetes objects which are packaged and ready to be consumed. Operators are deeply integrated into the OpenShift Container Platform (OCP). In fact, some of the key services are installed as Operators when you first provision an OpenShift cluster.
For more info on OperatorHub, refer to the Red Hat documentation.
Default Operator Catalogue
OperatorHub has various operator sources/categories. As you can see from the table below, some of the operators come directly from Red Hat. There are also operators from other ISVs who work closely with Red Hat and are certified by Red Hat to be safe and compliant.
You can filter operators by catalog source in the web console.
Allowing only Red Hat and Certified Operators
While there are many great community operators in OperatorHub which are good to test in DEV environments, in air-gapped enterprise environments the requirement is often that only Red Hat or Certified Operators are allowed, for security reasons.
By restricting operators to trusted sources, we can ensure that only operators from trusted ISVs or Red Hat are installed on production clusters.
To do this, we should edit the OperatorHub configuration file. First, using the OpenShift CLI, run the below command:
oc edit operatorhub cluster -o yaml
The manifest for the OperatorHub will then open, and you will need to set the value to true for the catalogue source you do not want to enable. In this instance, we have set true only for community-operators, as we do not want anyone to install any community operators.
Save the file and exit the editor. Give it a few minutes and go back to Operator Hub.
You should see no community operators are available for you to install now, and also there should not be a filter available for searching for community operators.
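To check the same policy from a script rather than the console, here is an added example (not code from the original post) that audits the JSON form of the OperatorHub resource. It assumes the input comes from `oc get operatorhub cluster -o json`, that the four default source names listed in the code are the ones on your cluster, and that the per-source field is `disabled` as in the `config.openshift.io/v1` API; the sample document is constructed.

```python
import json

# Default catalog sources in openshift-marketplace (assumed names; the post
# itself names only community-operators and Red Hat Marketplace).
DEFAULT_SOURCES = ("redhat-operators", "certified-operators",
                   "community-operators", "redhat-marketplace")
TRUSTED = {"redhat-operators", "certified-operators"}  # policy from the post


def enabled_sources(operatorhub):
    """Return the default sources that an OperatorHub spec leaves enabled."""
    spec = operatorhub.get("spec") or {}
    # disableAllDefaultSources sets the baseline; per-source entries override it.
    baseline_disabled = bool(spec.get("disableAllDefaultSources", False))
    disabled = {name: baseline_disabled for name in DEFAULT_SOURCES}
    for entry in spec.get("sources") or []:
        if entry.get("name") in disabled:
            disabled[entry["name"]] = bool(entry.get("disabled", False))
    return {name for name, off in disabled.items() if not off}


def audit(operatorhub_json, trusted=TRUSTED):
    """Return (violations, pending): untrusted sources the spec still enables,
    and sources the spec disables that status does not yet report as disabled."""
    hub = json.loads(operatorhub_json)
    enabled = enabled_sources(hub)
    violations = sorted(enabled - set(trusted))
    status = {s.get("name"): bool(s.get("disabled", False))
              for s in (hub.get("status") or {}).get("sources") or []}
    pending = sorted(n for n in DEFAULT_SOURCES
                     if n not in enabled and n in status and not status[n])
    return violations, pending


# Constructed sample: spec was just edited, status has not caught up yet.
SAMPLE = json.dumps({
    "apiVersion": "config.openshift.io/v1", "kind": "OperatorHub",
    "spec": {"sources": [{"name": "community-operators", "disabled": True}]},
    "status": {"sources": [
        {"name": "redhat-operators", "disabled": False, "status": "Success"},
        {"name": "certified-operators", "disabled": False, "status": "Success"},
        {"name": "community-operators", "disabled": False, "status": "Success"},
        {"name": "redhat-marketplace", "disabled": False, "status": "Success"}]},
})

if __name__ == "__main__":
    violations, pending = audit(SAMPLE)
    print("untrusted but enabled:", violations, "| not yet applied:", pending)
```

On the sample, `redhat-marketplace` is reported as untrusted but still enabled, and `community-operators` is reported as pending until the cluster status reflects the edit.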
I went ahead and disabled Red Hat Marketplace as a source too since my customer did not have the intention to get anything from the Marketplace. If you prefer the command line, you can also check the enabled operator sources using the below command:
oc get catsrc -n openshift-marketplace
You should see output something like the below showing only enabled catalogue sources.
That is it... Hope you found the post useful!