Hello,

I am trying to understand how to properly do ImageStream promotion between projects I own (i.e. project-build to project-prod).

I see in the documentation here

    https://docs.openshift.com/container-platform/3.9/dev_guide/managing_images.html#allowing-pods-to-reference-images-across-projects

that I can allow projects with roles and policy, which is something I am trying to avoid since this is done as admin.

If I don't do this and reference directly from project-prod the imagestream built on project-build, I am getting a permission denied. For example, this is the snippet in my DC referencing the image:

    from:
      kind: ImageStreamTag
      name: cakephp-mysql-persistent:latest
      namespace: project-build

and the error message denying access to the image from the other project:

    13s 13s 1 cakephp-mysql-persistent-2-ss6kv Pod spec.containers{cakephp-mysql-persistent} Warning Failed kubelet, localhost Failed to pull image " 172.30.1.1:5000/project-build/cakephp-mysql-persistent@sha256:fec63a48c45a93ca41d2f409905c2bac651a2e809f9f2207d3da6e3be997a57b": rpc error: code = Unknown desc = unauthorized: authentication required

I have found another way, which is having an ImageStream referencing my ImageStreamTag from the project-build namespace:

    apiVersion: v1
    kind: ImageStream
    metadata:
      name: cakephp-mysql-persistent
    spec:
      tags:
      - from:
          kind: ImageStreamTag
          name: cakephp-mysql-persistent:latest
          namespace: project-build
        name: latest

and then if I create the application and check my imagestreamtags:

    % oc create -f /tmp/x.yaml
    imagestream "cakephp-mysql-persistent" created
    % oc get istag
    NAME                              DOCKER REF                                                                                                                UPDATED       IMAGENAME
    cakephp-mysql-persistent:latest   172.30.1.1:5000/project-run/cakephp-mysql-persistent@sha256:fec63a48c45a93ca41d2f409905c2bac651a2e809f9f2207d3da6e3be997a57b   9 hours ago   sha256:fec63a48c45a93ca41d2f409905c2bac651a2e809f9f2207d3da6e3be997a57b

I see it imported the image tag from the imagestreamtag on project-build:

    % oc get istag -n project-build
    NAME                              DOCKER REF                                                                                                                  UPDATED       IMAGENAME
    cakephp-mysql-persistent:latest   172.30.1.1:5000/project-build/cakephp-mysql-persistent@sha256:fec63a48c45a93ca41d2f409905c2bac651a2e809f9f2207d3da6e3be997a57b   9 hours ago   sha256:fec63a48c45a93ca41d2f409905c2bac651a2e809f9f2207d3da6e3be997a57b

and then my application can use it correctly when removing the "namespace: project-build" to use my own project namespace.

The weird part here is that the monitoring of new images is not refreshed, and I need to recreate my imagestream every time to get the latest tagged image.

So I would then have to do this for promotion:

- build in project-build, which generates an image and imagestreamtag
- delete the imagestream in cakephp-mysql-persistent and recreate it with the same yaml, which then recreates an istag imported from the latest image on project-build
- deploy in project-run with the latest image built on project-build

So my questions here:

1) Is it the right behaviour, can we rely on that?
2) Is it normal? Should we get permission denied when doing that, or be allowed to reference our own imagestreamtag from another project?
3) Is there a better way (without having to launch admin commands)?

Thanks,
Chmouel
_______________________________________________ users mailing list [email protected] http://lists.openshift.redhat.com/openshiftmm/listinfo/users
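
Added example, not part of the original message: a check for the stale-tag situation described in the post, comparing the digests that `oc get istag` reports in the build project and in the project that imported the tag. The two sample outputs are constructed (the newer build digest is made up; the other is the digest quoted in the post), and the function names are hypothetical.

```python
import re

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
HEADER = "NAME  DOCKER REF  UPDATED  IMAGENAME\n"
OLD = "sha256:fec63a48c45a93ca41d2f409905c2bac651a2e809f9f2207d3da6e3be997a57b"
NEW = "sha256:" + "b" * 64  # constructed digest standing in for a newer build

# Constructed `oc get istag` output: project-build has moved on, project-run has not.
BUILD_OUT = HEADER + (
    "cakephp-mysql-persistent:latest  "
    "172.30.1.1:5000/project-build/cakephp-mysql-persistent@%s  2 minutes ago  %s\n"
    % (NEW, NEW))
RUN_OUT = HEADER + (
    "cakephp-mysql-persistent:latest  "
    "172.30.1.1:5000/project-run/cakephp-mysql-persistent@%s  9 hours ago  %s\n"
    % (OLD, OLD))


def parse_istags(text):
    """Map 'stream:tag' -> digest from `oc get istag` column output."""
    tags = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] == "NAME":
            continue  # blank line or header
        # UPDATED contains spaces ("9 hours ago"), so take the first two
        # columns from the left and IMAGENAME from the right.
        name, docker_ref, digest = parts[0], parts[1], parts[-1]
        if not DIGEST_RE.match(digest):
            raise ValueError("unexpected IMAGENAME for %s: %r" % (name, digest))
        if not docker_ref.endswith("@" + digest):
            raise ValueError("pull spec and IMAGENAME disagree for %s" % name)
        tags[name] = digest
    return tags


def stale_tags(source, target):
    """Tags in target that are absent from source or point at a different digest."""
    report = {}
    for name, digest in sorted(target.items()):
        if name not in source:
            report[name] = "not in source project"
        elif source[name] != digest:
            report[name] = "stale: source is now " + source[name]
    return report


if __name__ == "__main__":
    for tag, why in stale_tags(parse_istags(BUILD_OUT), parse_istags(RUN_OUT)).items():
        print(tag, "->", why)
```

Run against real output from both projects, an empty result means the promoted tag still matches what was built; a non-empty one means the deployment would run an older image than the one last built.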
