Prune has to connect to your registry server directly to delete blobs, and the registry does not support certificate-based auth. The most consistent path would be to use a service account that had the appropriate permissions and get its token with "oc serviceaccounts get-token".
On Mon, Dec 5, 2016 at 3:08 PM, Srinivas Naga Kotaru (skotaru)
<skotaru cisco com> wrote:
I am also interested to know the answer.
I am thinking we don’t need a token for the oadm command since it doesn’t use tokens or OAuth-based authentication. Since it is installed with root privileges, we are using sudo oadm command to
# sudo oadm prune builds --orphans --confirm
We’re not running an internal registry for builds. I am not sure we still need to run prune operations in this scenario.
We are able to delete old deployments + old images (also inside the registry) with our oadm prune commands.
We want to put this in cronjobs. But to perform oadm commands we need to be authenticated. Which is the best way to authenticate in a cron job?
At the moment we have 1 admin account (with cluster-admin permissions) + we have the system:admin account.
Do we need a new account (or service account) for our cronjobs and which permission would we need?
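A cron wrapper for the service-account approach suggested in the first reply, as an added example that is not part of the original thread. The service account name `pruner`, namespace `ops` and the token file path are assumptions; the token is fetched once with `oc serviceaccounts get-token` and stored in a file only the cron user can read, so the job needs no cluster-admin credentials.

```shell
#!/bin/sh
# Added example (not from the thread): run "oadm prune" from cron with a
# service account token instead of system:admin credentials.
#
# One-time setup by a cluster admin, shown as comments (names are assumed):
#   oc create serviceaccount pruner -n ops
#   oadm policy add-cluster-role-to-user system:image-pruner \
#       system:serviceaccount:ops:pruner
#   umask 077; oc serviceaccounts get-token pruner -n ops > "$TOKEN_FILE"
# system:image-pruner covers image pruning; pruning builds or deployments
# needs delete rights on those resources, granted separately.

# Hypothetical path; pick a location readable only by the cron user.
TOKEN_FILE="${TOKEN_FILE:-/etc/origin/pruner.token}"

# Print the token, refusing a missing, empty or group/world-accessible file.
load_token() {
    [ -f "$TOKEN_FILE" ] || { echo "no token file: $TOKEN_FILE" >&2; return 1; }
    # Characters 5-10 of "ls -l" are the group and other permission bits.
    mode="$(ls -ld "$TOKEN_FILE" | cut -c5-10)"
    [ "$mode" = "------" ] || { echo "token file too permissive" >&2; return 1; }
    token="$(cat "$TOKEN_FILE")"
    [ -n "$token" ] || { echo "token file is empty" >&2; return 1; }
    printf '%s\n' "$token"
}

# Run one prune, e.g. "prune_with_token images" or
# "prune_with_token builds --orphans".
prune_with_token() {
    tok="$(load_token)" || return 1
    # --token is visible in the process list while the command runs, so
    # schedule this on a host without untrusted local users.
    oadm prune "$@" --token="$tok" --confirm
}

# Cron entry point: "prune.sh run"
if [ "${1:-}" = "run" ]; then
    prune_with_token images
fi
```
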