oc policy add-role-to-user system:image-puller system:serviceaccount:promote:default -n s2i --config=openshift.local.config/master/admin.kubeconfig
oc who-can get imagestreams/layers -n s2i --config=openshift.local.config/master/admin.kubeconfig
On Fri, Oct 30, 2015 at 4:18 AM, Lorenz Vanthillo <lorenz vanthillo outlook com> wrote:

Hi,
I was watching the video about promoting apps across environments by Veer Muchandi of RH: https://www.youtube.com/watch?v=u6LT3efXL_4&index=14&list=PLaR6Rq6Z4Iqficb-XqeydZD_ZTD3XEwBp
I have a few questions about it:
- The understanding of an image-stream is not totally clear. I will try to explain what I think it is. So when you create an application by using S2I, then you will create a new image, which will be stored in your registry. It will also create an image-stream to that image. So I think it's a 'pointer' to the existing image in the image-stream. This image can be updated when the project, which has created the image, updates something (for example of the source code). Then this image will change. The existing image-stream will detect an update of the image. The applications which are using the image-stream will be informed, and they will update their application with the 'new' image. Applications which are using the image (not the image-stream), will not be informed and will still be using the 'old' image. Am I right?

Yes, that's pretty much it. The bit you missed which might explain your confusion below is that ImageStreams contain ImageStreamTags, much like docker image repositories contain docker image tags. So an application really points to an ImageStreamTag within an ImageStream.

- On a certain moment, he is watching the image-stream of the development-project. And he's tagging the image etc. But for me it looks like the test-project will now use the image of the development-project and no image-stream. So it's not totally clear.

At 8:25 in that video, the "tester" is creating a new application using the ImageStreamTag "test/development:promote" which exists in the "test/development" ImageStream, so yes, it's still using an ImageStream reference (specifically an ImageStreamTag within that ImageStream) and therefore will get different images as the ImageStreamTag is updated to point to different Images.

- I'm personally unable to use my tagged image: I get the following error:
http.request.uri="/v2/s2i/test/manifests/sha256:5b27476fe2b92de1c96fb1b0642dac3922fbd738734e5267ec9a293bebd7a9ee" http.request.useragent="docker/1.7.1 go/go1.4.2 kernel/3.10.0-229.14.1.el7.x86_64 os/linux arch/amd64" instance.id=3f5a3d8a-f112-4ba3-b888-7ed8ee8636e0 vars.name="s2i/test" vars.reference="sha256:5b27476fe2b92de1c96fb1b0642dac3922fbd738734e5267ec9a293bebd7a9ee"
time="2015-10-28T14:02:22Z" level=debug msg="Origin auth: checking for access to repository:s2i/test:pull"
time="2015-10-28T14:02:22Z" level=error msg="OpenShift access denied: User \"system:serviceaccount:promote:default\" cannot get imagestreams/layers in project \"s2i\""
time="2015-10-28T14:02:22Z" level=error msg="error authorizing context: access denied" http.request.host="172.30.237.210:5000" http.request.id=88efd3c0-f5f6-4591-a9d6-1a2f1123201d http.request.method=GET http.request.remoteaddr="10.1.2.1:53348" http.request.uri="/v2/s2i/test/manifests/sha256:5b27476fe2b92de1c96fb1b0642dac3922fbd738734e5267ec9a293bebd7a9ee" http.request.useragent="docker/1.7.1 go/go1.4.2 kernel/3.10.0-229.14.1.el7.x86_64 os/linux arch/amd64" instance.id=3f5a3d8a-f112-4ba3-b888-7ed8ee8636e0 vars.name="s2i/test" vars.reference="sha256:5b27476fe2b92de1c96fb1b0642dac3922fbd738734e5267ec9a293bebd7a9ee"

Sounds like you missed a permission granting step somewhere. Jordan or David (on cc) can probably tell you which one.

I found this issue:
But it's not working for me
--Ben Parees | OpenShift
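
The registry denial quoted in this thread names both the service account and the project that owns the image, which is everything the `oc policy add-role-to-user system:image-puller` grant needs. The script below is an added example, not part of the original thread or of OpenShift itself: it scans registry log text for denied pulls and prints the matching grant for each. The sample log lines are constructed, modelled on the ones quoted above, and the `qa` service account is hypothetical.

```shell
#!/usr/bin/env bash
# Added example: map registry "access denied" log lines to the grant that fixes them.

# Constructed sample input, modelled on the registry log quoted in the thread.
sample_log() {
  cat <<'EOF'
time="2015-10-28T14:02:22Z" level=debug msg="Origin auth: checking for access to repository:s2i/test:pull"
time="2015-10-28T14:02:22Z" level=error msg="OpenShift access denied: User \"system:serviceaccount:promote:default\" cannot get imagestreams/layers in project \"s2i\""
time="2015-10-28T14:02:25Z" level=error msg="OpenShift access denied: User \"system:serviceaccount:promote:default\" cannot get imagestreams/layers in project \"s2i\""
time="2015-10-28T14:03:01Z" level=error msg="OpenShift access denied: User \"system:serviceaccount:qa:default\" cannot get imagestreams/layers in project \"s2i\""
time="2015-10-28T14:03:09Z" level=error msg="OpenShift access denied: User \"system:serviceaccount:promote:default\" cannot update imagestreams/layers in project \"s2i\""
EOF
}

# Reads registry log text on stdin and prints one "<serviceaccount> <project>"
# pair per distinct denied pull. Only "get imagestreams/layers" denials match:
# a denied push ("update") is not something the image-puller role would fix.
denied_pulls() {
  sed -n -E 's#.*OpenShift access denied: User \\"(system:serviceaccount:[^:"\\]+:[^:"\\]+)\\" cannot get imagestreams/layers in project \\"([^"\\]+)\\".*#\1 \2#p' \
    | sort -u
}

# Prints the oc command that grants each denied service account pull access
# in the project that owns the image stream (the -n argument).
suggest_grants() {
  denied_pulls | while read -r sa project; do
    printf 'oc policy add-role-to-user system:image-puller %s -n %s\n' "$sa" "$project"
  done
}

# Stand-alone run: show the grants for the constructed sample.
sample_log | suggest_grants
```

Review each printed grant before running it; `oc who-can get imagestreams/layers -n <project>` confirms the result afterwards.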