
Imagestream promotion between projects



Hello,

I am trying to understand how to properly do ImageStream promotion between projects I own (i.e. project-build to project-prod).

I see in the documentation here https://docs.openshift.com/container-platform/3.9/dev_guide/managing_images.html#allowing-pods-to-reference-images-across-projects that I can allow projects with roles and policy, which is something I am trying to avoid since this is done as admin.

If I don't do this and reference directly from project-prod the imagestream built on project-build, I am getting a permission denied. For example, this is the snippet in my DC referencing the image:

      from:
        kind: ImageStreamTag
        name: cakephp-mysql-persistent:latest
        namespace: project-build

and the error message denying access to the image from the other project:

13s        13s         1         cakephp-mysql-persistent-2-ss6kv    Pod                     spec.containers{cakephp-mysql-persistent}   Warning   Failed                  kubelet, localhost            Failed to pull image "172.30.1.1:5000/project-build/cakephp-mysql-persistent sha256:fec63a48c45a93ca41d2f409905c2bac651a2e809f9f2207d3da6e3be997a57b": rpc error: code = Unknown desc = unauthorized: authentication required


I have found another way, which is having an ImageStream referencing my ImageStreamTag from the project-build namespace:

apiVersion: v1
kind: ImageStream
metadata:
  name: cakephp-mysql-persistent
spec:
  tags:
    - from:
        kind: ImageStreamTag
        name: cakephp-mysql-persistent:latest
        namespace: project-build
      name: latest

and then if I create the application and check my imagestreamtags:

% oc create -f /tmp/x.yaml                                                                                                                                         
imagestream "cakephp-mysql-persistent" created
% oc get istag                                                                                                                                                     
NAME                              DOCKER REF                                                                                                              UPDATED       IMAGENAME
cakephp-mysql-persistent:latest   172.30.1.1:5000/project-run/cakephp-mysql-persistent sha256:fec63a48c45a93ca41d2f409905c2bac651a2e809f9f2207d3da6e3be997a57b   9 hours ago   sha256:fec63a48c45a93ca41d2f409905c2bac651a2e809f9f2207d3da6e3be997a57b

I see it imported the image tag from the imagestreamtag on project-build:

% oc get istag -n project-build
NAME                              DOCKER REF                                                                                                               UPDATED       IMAGENAME
cakephp-mysql-persistent:latest   172.30.1.1:5000/project-build/cakephp-mysql-persistent sha256:fec63a48c45a93ca41d2f409905c2bac651a2e809f9f2207d3da6e3be997a57b   9 hours ago   sha256:fec63a48c45a93ca41d2f409905c2bac651a2e809f9f2207d3da6e3be997a57b

and then my application can use it correctly when I remove the namespace: project-build line to use my own project namespace.

The weird part here is that the monitoring of new images is not refreshed, and I need to recreate my imagestream every time to get the latest tagged image. So I would then have to do this for promotion:

- build in project-build, which generates an image and imagestreamtag
- delete imagestream in cakephp-mysql-persistent and recreate it with the same yaml, which then recreates an istag imported from the latest image on project-build
- deploy in project-run with the latest image built on project-build

So my questions here:

1) Is it the right behaviour? Can we rely on that?
2) Is it normal? Should we get permission denied when doing that, or be allowed to reference our own imagestreamtag from another project?
3) Is there a better way (without having to launch an admin command)?

Thanks,
Chmouel
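
An added example, not part of the original message: a Python check that walks a manifest for ImageStreamTag references pointing into another project and lists, per source project, the `system:image-puller` grant that the linked documentation describes for cross-project pulls. The sample DeploymentConfig is constructed around the snippet quoted above, and `project-prod` as the consuming project is an assumption.

```python
def cross_project_refs(obj, own_namespace, path=""):
    """Yield (path, source_namespace, istag) for each ImageStreamTag
    reference that points outside own_namespace."""
    if isinstance(obj, dict):
        ref = obj.get("from")
        if isinstance(ref, dict) and ref.get("kind") == "ImageStreamTag":
            # An omitted namespace means the object's own project.
            ns = ref.get("namespace") or own_namespace
            if ns != own_namespace:
                yield (f"{path}/from", ns, ref.get("name"))
        for key, value in obj.items():
            yield from cross_project_refs(value, own_namespace, f"{path}/{key}")
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            yield from cross_project_refs(item, own_namespace, f"{path}/{i}")


def required_grants(manifest, own_namespace):
    """Return one documented `oc policy` command per source project, letting
    the consuming project's service accounts pull images from it."""
    sources = {ns for _, ns, _ in cross_project_refs(manifest, own_namespace)}
    return [
        "oc policy add-role-to-group system:image-puller "
        f"system:serviceaccounts:{own_namespace} --namespace={ns}"
        for ns in sorted(sources)
    ]


# Constructed sample: a DeploymentConfig trigger built around the quoted snippet.
SAMPLE_DC = {
    "kind": "DeploymentConfig",
    "metadata": {"name": "cakephp-mysql-persistent"},
    "spec": {"triggers": [
        {"type": "ConfigChange"},
        {"type": "ImageChange", "imageChangeParams": {
            "automatic": True,
            "containerNames": ["cakephp-mysql-persistent"],
            "from": {"kind": "ImageStreamTag",
                     "name": "cakephp-mysql-persistent:latest",
                     "namespace": "project-build"}}},
    ]},
}

if __name__ == "__main__":
    for path, ns, name in cross_project_refs(SAMPLE_DC, "project-prod"):
        print(f"{path}: references {ns}/{name}")
    for cmd in required_grants(SAMPLE_DC, "project-prod"):
        print(cmd)
```

The grant is scoped to the source project, so the check reports exactly which projects would need it before a deployment hits `unauthorized: authentication required` at pull time.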


