1. Red Hat OpenShift Container Platform 4.14 Documentation
"About the internal image registry": This document explains the role of the registry and its interaction with cluster nodes. It states: "The OpenShift Container Platform registry is a core component that stores and manages container images. [...] Each node in the cluster needs to be able to pull images from the registry to run containers." This supports the requirement for all nodes to have pull access.
Source: Red Hat OpenShift 4.14 Documentation, Architecture -> Key concepts -> Image registry -> About the internal image registry.
2. Red Hat OpenShift Container Platform 4.14 Documentation
"Build strategies": This section details how builds operate within OpenShift. For Source-to-Image (S2I) builds, it states: "S2I produces a new image that incorporates the application source and is ready to run. S2I pushes the resulting image to the specified container image registry." Since builds execute in pods scheduled on cluster nodes (typically workers), this confirms the requirement for nodes to have push access.
Source: Red Hat OpenShift 4.14 Documentation, Builds -> Build strategies.
3. Red Hat OpenShift Container Platform 4.14 Documentation
"Installing in a restricted network": This guide clarifies the roles of different hosts. It describes how a bastion host is used to mirror images to a private registry, after which all cluster nodes are configured with an ImageContentSourcePolicy to pull images from that private registry during and after installation. This explicitly shows that all cluster nodes, not just the bastion, require access.
Source: Red Hat OpenShift 4.14 Documentation, Installing -> Installing in a restricted network -> Mirroring the OpenShift Container Platform image repository.