diff --git a/go.mod b/go.mod
index 704fc5d3a..893a164da 100644
--- a/go.mod
+++ b/go.mod
@@ -56,7 +56,7 @@ require (
 require (
 	github.com/99designs/go-keychain v0.0.0-20191008050251-8e49817e8af4 // indirect
 	github.com/99designs/keyring v1.2.2 // indirect
-	github.com/alessio/shellescape v1.4.1 // indirect
+	github.com/alessio/shellescape v1.4.1
 	github.com/andybalholm/cascadia v1.3.2 // indirect
 	github.com/apparentlymart/go-cidr v1.1.0 // indirect
 	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.2 // indirect
diff --git a/pkg/clusterregistryconfig/flags.go b/pkg/clusterregistryconfig/flags.go
index 405257e22..773ab9973 100644
--- a/pkg/clusterregistryconfig/flags.go
+++ b/pkg/clusterregistryconfig/flags.go
@@ -5,6 +5,7 @@ import (
 	"strconv"
 	"strings"
 
+	"github.com/alessio/shellescape"
 	cmv1 "github.com/openshift-online/ocm-sdk-go/clustersmgmt/v1"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
@@ -263,37 +264,37 @@ func BuildRegistryConfigOptions(spec ocm.Spec) string {
 	if len(spec.AllowedRegistries) > 0 {
 		command += fmt.Sprintf(" --%s %s",
 			allowedRegistriesFlag,
-			strings.Join(spec.AllowedRegistries, ","))
+			shellescape.Quote(strings.Join(spec.AllowedRegistries, ",")))
 	}
 
 	if len(spec.BlockedRegistries) > 0 {
 		command += fmt.Sprintf(" --%s %s",
 			blockedRegistriesFlag,
-			strings.Join(spec.BlockedRegistries, ","))
+			shellescape.Quote(strings.Join(spec.BlockedRegistries, ",")))
 	}
 
 	if len(spec.InsecureRegistries) > 0 {
 		command += fmt.Sprintf(" --%s %s",
 			insecureRegistriesFlag,
-			strings.Join(spec.InsecureRegistries, ","))
+			shellescape.Quote(strings.Join(spec.InsecureRegistries, ",")))
 	}
 
 	if spec.AdditionalTrustedCaFile != "" {
 		command += fmt.Sprintf(" --%s %s",
 			additionalTrustedCaPathFlag,
-			spec.AdditionalTrustedCaFile)
+			shellescape.Quote(spec.AdditionalTrustedCaFile))
 	}
 
 	if spec.PlatformAllowlist != "" {
 		command += fmt.Sprintf(" --%s %s",
 			platformAllowlistFlag,
-			spec.PlatformAllowlist)
+			shellescape.Quote(spec.PlatformAllowlist))
 	}
 
 	if spec.AllowedRegistriesForImport != "" {
 		command += fmt.Sprintf(" --%s %s",
 			allowedRegistriesForImportFlag,
-			spec.AllowedRegistriesForImport)
+			shellescape.Quote(spec.AllowedRegistriesForImport))
 	}
 
 	return command
diff --git a/pkg/clusterregistryconfig/flags_test.go b/pkg/clusterregistryconfig/flags_test.go
index 7bf079e7c..ab45d85a9 100644
--- a/pkg/clusterregistryconfig/flags_test.go
+++ b/pkg/clusterregistryconfig/flags_test.go
@@ -62,17 +62,18 @@ var _ = Describe("Cluster Registry Config tests", func() {
 
 		It("Returns the expected string if set", func() {
 			spec.AllowedRegistries = []string{"abc.com", "efg.com"}
-			spec.InsecureRegistries = []string{"insecure.com"}
+			spec.InsecureRegistries = []string{"insecure.com", "*.insecure.com"}
 			spec.BlockedRegistries = []string{"blocked.com"}
 			spec.AdditionalTrustedCaFile = "ca.json"
 			spec.PlatformAllowlist = "allowlist-id"
-			spec.AllowedRegistriesForImport = "lala.com:true"
+			spec.AllowedRegistriesForImport = "lala.com:true,*.io:false"
 			output := BuildRegistryConfigOptions(spec)
 			expectedOutput := " --registry-config-allowed-registries abc.com,efg.com" +
 				" --registry-config-blocked-registries blocked.com" +
-				" --registry-config-insecure-registries insecure.com --registry-config-additional-trusted-ca ca.json" +
+				" --registry-config-insecure-registries 'insecure.com,*.insecure.com'" +
+				" --registry-config-additional-trusted-ca ca.json" +
 				" --registry-config-platform-allowlist allowlist-id" +
-				" --registry-config-allowed-registries-for-import lala.com:true"
+				" --registry-config-allowed-registries-for-import 'lala.com:true,*.io:false'"
 			Expect(output).To(Equal(expectedOutput))
 		})
 	})