change to allowedRegisties only with default of ghct.io

Author: atd9876

cmd/main.go

@@ -81,7 +81,6 @@ func main() {
 	var imageServerURL string
 	var architecture string
 	var allowedRegistries string
-	var blockedRegistries string
 
 	flag.StringVar(&architecture, "architecture", "amd64", "Target system architecture (e.g., amd64, arm64)")
 	flag.IntVar(&ipxeServicePort, "ipxe-service-port", 5000, "IPXE Service port to listen on.")
@@ -101,8 +100,7 @@ func main() {
 	flag.BoolVar(&secureMetrics, "metrics-secure", true, "If set the metrics endpoint is served securely")
 	flag.BoolVar(&enableHTTP2, "enable-http2", false,
 		"If set, HTTP/2 will be enabled for the metrics and webhook servers")
-	flag.StringVar(&allowedRegistries, "allowed-registries", "", "Comma-separated list of allowed OCI registries. If set, only these registries are permitted.")
-	flag.StringVar(&blockedRegistries, "blocked-registries", "", "Comma-separated list of blocked OCI registries. If set, these registries are denied.")
+	flag.StringVar(&allowedRegistries, "allowed-registries", "", "Comma-separated list of allowed OCI registries. Defaults to ghcr.io if not set.")
 
 	controllers := switches.New(
 		// core controllers
@@ -233,8 +231,12 @@ func main() {
 	}
 
 	// Initialize registry validator for OCI image validation
-	registryValidator := registry.NewValidator(allowedRegistries, blockedRegistries)
-	setupLog.Info("Initialized registry validator", "allowedRegistries", allowedRegistries, "blockedRegistries", blockedRegistries)
+	registryValidator := registry.NewValidator(allowedRegistries)
+	if allowedRegistries == "" {
+		setupLog.Info("Initialized registry validator with default", "defaultAllowedRegistry", "ghcr.io")
+	} else {
+		setupLog.Info("Initialized registry validator", "allowedRegistries", allowedRegistries)
+	}
 
 	if controllers.Enabled(ipxeBootConfigController) {
 		if err = (&controller.IPXEBootConfigReconciler{

docs/README.md

@@ -31,10 +31,10 @@ Boot Operator includes the following key components:
     - Handles `/image` requests
     - Extracts layers from OCI (Open Container Initiative) images, with support for multiple registries (e.g., GHCR, Docker Hub, Keppel, and any OCI-compliant registry)
     - Downloads specific layers based on the requested URI and image specifications
-    - Registry access is controlled via CLI flags:
+    - Registry access is controlled via CLI flag:
       - `--allowed-registries`: comma-separated list of permitted registries (allowlist mode)
-      - `--blocked-registries`: comma-separated list of denied registries (blocklist mode)
-      - If neither flag is set, all registries are denied (fail-closed)
+      - If not set, defaults to allowing only `ghcr.io` (zero-config default)
+      - When set, the specified registries completely replace the default (ghcr.io must be explicitly included if needed)
     - Example:
       - `wget http://SERVER_ADDRESS:30007/image?imageName=ghcr.io/ironcore-dev/os-images/gardenlinux&version=1443.10&layerName=application/vnd.ironcore.image.squashfs.v1alpha1.squashfs`
 
@@ -48,17 +48,18 @@ These servers leverage Kubernetes controllers and API objects to manage the boot
 
 Boot Operator enforces OCI registry restrictions at two levels:
 
-1. **Controller level (early validation):** The PXE and HTTP boot controllers validate image references against the registry allow/block list during reconciliation. This means misconfigured or disallowed registries are rejected immediately when a `ServerBootConfiguration` is created, providing fast feedback before any machine attempts to boot.
+1. **Controller level (early validation):** The PXE and HTTP boot controllers validate image references against the registry allow list during reconciliation. This means misconfigured or disallowed registries are rejected immediately when a `ServerBootConfiguration` is created, providing fast feedback before any machine attempts to boot.
 
 2. **Image Proxy Server level (runtime enforcement):** The image proxy server also validates registry domains before proxying layer downloads, acting as a second line of defense.
 
-Registry restrictions are configured via CLI flags on the manager binary:
+Registry restrictions are configured via CLI flag on the manager binary:
 
 | Flag | Description |
 |------|-------------|
-| `--allowed-registries` | Comma-separated list of permitted registries (allowlist mode). Only these registries are accepted. |
-| `--blocked-registries` | Comma-separated list of denied registries (blocklist mode). All registries except these are accepted. |
+| `--allowed-registries` | Comma-separated list of permitted registries (allowlist mode). When not set, defaults to `ghcr.io`. |
 
-- If `--allowed-registries` is set, it takes precedence over `--blocked-registries`.
-- If neither flag is set, all registries are **denied** (fail-closed).
+**Behavior:**
+- **Default (no flag set):** Only `ghcr.io` is allowed, enabling zero-config operation with a secure default.
+- **Custom allow list:** When `--allowed-registries` is specified, it completely replaces the default. If you want to allow `ghcr.io` along with other registries, you must explicitly include it in the list (e.g., `--allowed-registries=ghcr.io,myregistry.example.com`).
+- **Case-insensitive matching:** All registry domain comparisons are case-insensitive.
 - Docker Hub variants (`docker.io`, `index.docker.io`, `registry-1.docker.io`) are normalized for consistent matching.

internal/controller/suite_test.go

@@ -148,7 +148,7 @@ func SetupTest() *corev1.Namespace {
 		})
 		Expect(err).ToNot(HaveOccurred())
 
-		registryValidator := registry.NewValidator(allowedRegistries, "")
+		registryValidator := registry.NewValidator(allowedRegistries)
 
 		Expect((&ServerBootConfigurationPXEReconciler{
 			Client:            k8sManager.GetClient(),

internal/registry/validation.go

@@ -15,20 +15,22 @@ const (
 	DefaultRegistry = "registry-1.docker.io"
 	// DockerHubDomain is the canonical short domain for Docker Hub
 	DockerHubDomain = "docker.io"
+	// DefaultAllowedRegistry is the default registry when no allow list is configured
+	DefaultAllowedRegistry = "ghcr.io"
 )
 
-// Validator provides registry validation with configurable allow/block lists.
+// Validator provides registry validation with configurable allow list.
+// When no allow list is configured, it defaults to only allowing ghcr.io.
 type Validator struct {
 	AllowedRegistries string
-	BlockedRegistries string
 }
 
-// NewValidator creates a new Validator with the given allowed and blocked registry lists.
-// Each list is a comma-separated string of registry domains.
-func NewValidator(allowedRegistries, blockedRegistries string) *Validator {
+// NewValidator creates a new Validator with the given allowed registry list.
+// The list is a comma-separated string of registry domains.
+// If the list is empty, it defaults to allowing only ghcr.io.
+func NewValidator(allowedRegistries string) *Validator {
 	return &Validator{
 		AllowedRegistries: allowedRegistries,
-		BlockedRegistries: blockedRegistries,
 	}
 }
 
@@ -80,29 +82,26 @@ func isInList(registry string, list string) bool {
 	return false
 }
 
-// IsRegistryAllowed checks if a registry is allowed based on the allow/block lists.
+// IsRegistryAllowed checks if a registry is allowed based on the allow list.
+// If no allow list is configured, it defaults to allowing only ghcr.io.
 func (v *Validator) IsRegistryAllowed(registry string) bool {
 	if v.AllowedRegistries != "" {
 		return isInList(registry, v.AllowedRegistries)
 	}
 
-	if v.BlockedRegistries != "" {
-		return !isInList(registry, v.BlockedRegistries)
-	}
-
-	return false
+	// Default to allowing only ghcr.io when no allow list is configured
+	return isInList(registry, DefaultAllowedRegistry)
 }
 
 // ValidateImageRegistry validates that an image reference uses an allowed registry.
+// If no allow list is configured, only ghcr.io is permitted by default.
 func (v *Validator) ValidateImageRegistry(imageRef string) error {
 	registry := ExtractRegistryDomain(imageRef)
 	if !v.IsRegistryAllowed(registry) {
 		if v.AllowedRegistries != "" {
 			return fmt.Errorf("registry not allowed: %s (allowed registries: %s)", registry, v.AllowedRegistries)
-		} else if v.BlockedRegistries != "" {
-			return fmt.Errorf("registry blocked: %s (blocked registries: %s)", registry, v.BlockedRegistries)
 		}
-		return fmt.Errorf("registry not allowed: %s (no --allowed-registries or --blocked-registries configured, denying all)", registry)
+		return fmt.Errorf("registry not allowed: %s (default allowed registry: %s)", registry, DefaultAllowedRegistry)
 	}
 	return nil
 }