
RE: Use token of a default service account to pull images

Thanks! Exactly what I'm looking for. Can you maybe give some more information about that project in which I will create the sa?
How does it have to be secured? Or is it recommended to create such an account in openshift-management or some of the default projects?


From: jliggitt redhat com
Date: Tue, 19 Jul 2016 09:23:50 -0400
Subject: Re: Use token of a default service account to pull images
To: lorenz vanthillo outlook com
CC: users lists openshift redhat com

If you want a single external integration to have push access to all projects, you don't need a service account in every namespace. You can create a single service account, and grant that service account push access to all namespaces.

oc create sa external-jenkins -n myns
oadm policy add-cluster-role-to-user system:image-builder system:serviceaccount:myns:external-jenkins
oc sa get-token external-jenkins -n myns

That service account would then have push/pull access to every namespace on the cluster. Note that the service account and its credentials should live in a closely guarded project.

On Tue, Jul 19, 2016 at 9:12 AM, Lorenz Vanthillo <lorenz vanthillo outlook com> wrote:

We have an external jenkins which is pushing images in our OpenShift Registry.
So in jenkins we perform:

docker login -u user \
-p token registry.xxx.xxx

How do we obtain this token?
Well, for every project we perform these steps:

$ oc new-project test-push
$ oc create serviceaccount pusher
$ oc policy add-role-to-user system:image-builder system:serviceaccount:test-push:pusher

$ oc describe sa pusher
Name: pusher
Namespace: pushed
Labels: <none>

Mountable secrets:  pusher-token-fxg2k

Tokens:             pusher-token-98rix

$ oc describe secret pusher-token-98rix

And copy the token part. We use this token to authenticate on our registry in Jenkins.
token: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MixxxlYVz8LYsNpkd1PGQGE5Jtegnr5GoFDk5wKxzA7GT1zXt2vVg

Inspired by this blog: https://blog.openshift.com/remotely-push-pull-container-images-openshift/

But now we have the following question:
Is there a way to create a global service account which is automatically generated when we create a new project (so that we have 4 default sa)?
And this service account automatically has a pusher-token which is always the same?

So that every login via Jenkins can use the same token (no unique token for each openshift project).

Thanks in advance
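
Added example (not part of the original messages and not OpenShift code): before pasting a token into Jenkins, decode its payload and confirm it belongs to the single cluster-wide service account rather than an old per-project one. The claim names are those of secret-based service account tokens; the sample token is constructed, with a dummy signature, and the helper names are hypothetical.

```python
import base64
import json

# Claim names carried by secret-based service account tokens.
NS_CLAIM = "kubernetes.io/serviceaccount/namespace"
SA_CLAIM = "kubernetes.io/serviceaccount/service-account.name"


def decode_claims(token):
    """Return the JWT payload. The signature is NOT verified: inspection only."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token(token, namespace, name):
    """Compare the token's identity with the service account we expect."""
    claims = decode_claims(token)
    expected = {
        "sub": f"system:serviceaccount:{namespace}:{name}",
        NS_CLAIM: namespace,
        SA_CLAIM: name,
    }
    mismatches = sorted(k for k, v in expected.items() if claims.get(k) != v)
    # A token without "exp" stays valid until its secret or account is deleted.
    return {"subject": claims.get("sub"), "mismatches": mismatches,
            "expires": "exp" in claims}


def sample_token(namespace, name):
    """Constructed token for the demo: real claim layout, dummy signature."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    claims = {"iss": "kubernetes/serviceaccount", NS_CLAIM: namespace,
              SA_CLAIM: name, "sub": f"system:serviceaccount:{namespace}:{name}"}
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "c2ln"])


if __name__ == "__main__":
    good = sample_token("myns", "external-jenkins")
    print(check_token(good, "myns", "external-jenkins"))
    stale = sample_token("test-push", "pusher")  # per-project token from the thread
    print(check_token(stale, "myns", "external-jenkins"))
```

A non-empty `mismatches` list means Jenkins is holding a different account's token; `expires: False` means rotation has to be done by deleting the token secret.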
