Thanks! Exactly what I'm looking for. Can you maybe give some more information about that project in which I will create the sa? How does it have to be secured? Or is it recommended to create such an account in openshift-management or one of the default projects?
Thanks

From: [email protected]
Date: Tue, 19 Jul 2016 09:23:50 -0400
Subject: Re: Use token of a default service account to pull images
To: [email protected]
CC: [email protected]

If you want a single external integration to have push access to all projects, you don't need a service account in every namespace. You can create a single service account, and grant that service account push access to all namespaces.

    oc create serviceaccount external-jenkins -n myns
    oadm policy add-cluster-role-to-user system:image-builder system:serviceaccount:myns:external-jenkins
    oc sa get-token external-jenkins -n myns

That service account would then have push/pull access to every namespace on the cluster. Note that the service account and its credentials should live in a closely guarded project.

On Tue, Jul 19, 2016 at 9:12 AM, Lorenz Vanthillo <[email protected]> wrote:

Hi,

We have an external Jenkins which is pushing images to our OpenShift Registry. So in Jenkins we perform:

    docker login -u user \
      -p token registry.xxx.xxx

How do we obtain this token? Well, for every project we perform these steps:

    $ oc new-project test-push
    $ oc create serviceaccount pusher
    $ oc policy add-role-to-user system:image-builder system:serviceaccount:test-push:pusher
    $ oc describe sa pusher
    Name:               pusher
    Namespace:          pushed
    Labels:             <none>
    Mountable secrets:  pusher-token-fxg2k
                        pusher-dockercfg-vwddo
    Tokens:             pusher-token-98rix
                        pusher-token-fxg2k
    $ oc describe secret pusher-token-98rix

And copy the token part. We use this token to authenticate on our registry in Jenkins.

    token: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MixxxlYVz8LYsNpkd1PGQGE5Jtegnr5GoFDk5wKxzA7GT1zXt2vVg

Inspired by this blog: https://blog.openshift.com/remotely-push-pull-container-images-openshift/

But now we have the following question: Is there a way to create a global service account which is automatically generated when we create a new project? (So that we have 4 default sa.)
And does this service account automatically have a pusher-token which is always the same? So that every login via Jenkins can use the same token (no unique token for each OpenShift project).

Thanks in advance

_______________________________________________
users mailing list
[email protected]
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
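Added example, not part of the original thread: because the single token described above grants push/pull on every namespace, a check like this confirms which service account a token belongs to before it is stored in Jenkins. It assumes the token is a legacy service account JWT carrying the `kubernetes.io/serviceaccount/*` claims; the function names and the sample token are constructed for illustration.

```python
import base64
import json

# Assumption: claim names as found in legacy Kubernetes service account tokens.
NS_CLAIM = "kubernetes.io/serviceaccount/namespace"
SA_CLAIM = "kubernetes.io/serviceaccount/service-account.name"


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def token_identity(token):
    """Return (namespace, service account, subject) from the token's claims."""
    # Claims are read only; the signature is NOT verified here (the API
    # server does that when the token is presented).
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    claims = json.loads(_b64url_decode(parts[1]))
    if NS_CLAIM not in claims or SA_CLAIM not in claims:
        raise ValueError("not a service account token")
    return claims[NS_CLAIM], claims[SA_CLAIM], claims.get("sub")


def is_expected_account(token, namespace, name):
    """True only if the token belongs to the one intended service account."""
    ns, sa, sub = token_identity(token)
    expected_sub = "system:serviceaccount:%s:%s" % (namespace, name)
    return (ns, sa) == (namespace, name) and sub == expected_sub


# Constructed sample token with a fake signature, for offline use only.
SAMPLE_TOKEN = ".".join([
    _b64url_encode({"alg": "RS256", "typ": "JWT"}),
    _b64url_encode({
        "iss": "kubernetes/serviceaccount",
        NS_CLAIM: "myns",
        SA_CLAIM: "external-jenkins",
        "sub": "system:serviceaccount:myns:external-jenkins",
    }),
    "constructed-signature",
])
```

Run `is_expected_account(token, "myns", "external-jenkins")` on the output of `oc sa get-token` before pasting it into the Jenkins credential store; a mismatch means the wrong account's token was copied.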
