Red Hat SummitDieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.
Chapter 5. Managing images
5.1. Managing images overview
With OpenShift Container Platform you can interact with images and set up image streams, depending on where the registries of the images are located, any authentication requirements around those registries, and how you want your builds and deployments to behave.
5.1.1. Images overview
An image stream comprises any number of container images identified by tags. It presents a single virtual view of related images, similar to a container image repository.
By watching an image stream, builds and deployments can receive notifications when new images are added or modified and react by performing a build or deployment, respectively.
5.2. Tagging images
The following sections provide an overview and instructions for using image tags in the context of container images for working with OpenShift Container Platform image streams and their tags.
5.2.1. Image tags
An image tag is a label applied to a container image in a repository that distinguishes a specific image from other images in an image stream. Typically, the tag represents a version number of some sort. For example, here
:v3.11.59-2registry.access.redhat.com/openshift3/jenkins-2-rhel7:v3.11.59-2You can add additional tags to an image. For example, an image might be assigned the tags
:v3.11.59-2:latestOpenShift Container Platform provides the
oc tagdocker tag5.2.2. Image tag conventions
Images evolve over time and their tags reflect this. Generally, an image tag always points to the latest image built.
If there is too much information embedded in a tag name, like
v2.0.1-may-2019If the tag is named
v2.0Although tag naming convention is up to you, here are a few examples in the format
<image_name>:<image_tag>| Description | Example |
|---|---|
| Revision |
|
| Architecture |
|
| Base image |
|
| Latest (potentially unstable) |
|
| Latest stable |
|
If you require dates in tag names, periodically inspect old and unsupported images and
istags5.2.3. Adding tags to image streams
An image stream in OpenShift Container Platform comprises zero or more container images identified by tags.
There are different types of tags available. The default behavior uses a
permanentpermanentA
trackingProcedure
You can add tags to an image stream using the
command:oc tag$ oc tag <source> <destination>For example, to configure the
image streamrubytag to always refer to the current image for thestatic-2.0image streamrubytag:2.0$ oc tag ruby:2.0 ruby:static-2.0This creates a new image stream tag named
in thestatic-2.0image stream. The new tag directly references the image id that therubyimage stream tag pointed to at the timeruby:2.0was run, and the image it points to never changes.oc tagTo ensure the destination tag is updated when the source tag changes, use the
flag:--alias=true$ oc tag --alias=true <source> <destination>
Use a tracking tag for creating permanent aliases, for example,
lateststable-
You can also add the flag to have the destination tag be refreshed, or re-imported, periodically. The period is configured globally at the system level.
--scheduled=true The
flag creates an image stream tag that is not imported. The tag points to the source location, permanently.--referenceIf you want to instruct OpenShift Container Platform to always fetch the tagged image from the integrated registry, use
. The registry uses the pull-through feature to serve the image to the client. By default, the image blobs are mirrored locally by the registry. As a result, they can be pulled more quickly the next time they are needed. The flag also allows for pulling from insecure registries without a need to supply--reference-policy=localto the container runtime as long as the image stream has an insecure annotation or the tag has an insecure import policy.--insecure-registry
5.2.4. Removing tags from image streams
You can remove tags from an image stream.
Procedure
To remove a tag completely from an image stream run:
$ oc delete istag/ruby:latestor:
$ oc tag -d ruby:latest
5.2.5. Referencing images in imagestreams
You can use tags to reference images in image streams using the following reference types.
| Reference type | Description |
|---|---|
|
| An |
|
| An |
|
| A |
When viewing example image stream definitions you may notice they contain definitions of
ImageStreamTagDockerImageImageStreamImageThis is because the
ImageStreamImageImageStreamImageProcedure
To reference an image for a given image stream and tag, use
:ImageStreamTag<image_stream_name>:<tag>To reference an image for a given image stream and image
ID, usesha:ImageStreamImage<image_stream_name>@<id>The
is an immutable identifier for a specific image, also called a digest.<id>To reference or retrieve an image for a given external registry, use
:DockerImageopenshift/ruby-20-centos7:2.0NoteWhen no tag is specified, it is assumed the
tag is used.latestYou can also reference a third-party registry:
registry.redhat.io/rhel7:latestOr an image with a digest:
centos/ruby-22-centos7@sha256:3a335d7d8a452970c5b4054ad7118ff134b3a6b50a2bb6d0c07c746e8986b28e
5.3. Image pull policy
Each container in a pod has a container image. After you have created an image and pushed it to a registry, you can then refer to it in the pod.
5.3.1. Image pull policy overview
When OpenShift Container Platform creates containers, it uses the container
imagePullPolicyimagePullPolicy| Value | Description |
|---|---|
|
| Always pull the image. |
|
| Only pull the image if it does not already exist on the node. |
|
| Never pull the image. |
If a container
imagePullPolicy-
If the tag is , OpenShift Container Platform defaults
latesttoimagePullPolicy.Always -
Otherwise, OpenShift Container Platform defaults to
imagePullPolicy.IfNotPresent
5.4. Using image pull secrets
If you are using the OpenShift image registry and are pulling from image streams located in the same project, then your pod service account should already have the correct permissions and no additional action should be required.
However, for other scenarios, such as referencing images across OpenShift Container Platform projects or from secured registries, additional configuration steps are required.
You can obtain the image pull secret from Red Hat OpenShift Cluster Manager. This pull secret is called
pullSecretYou use this pull secret to authenticate with the services that are provided by the included authorities, Quay.io and registry.redhat.io, which serve the container images for OpenShift Container Platform components.
5.4.1. Allowing pods to reference images across projects
When using the OpenShift image registry, to allow pods in
project-aproject-bproject-asystem:image-pullerproject-bWhen you create a pod service account or a namespace, wait until the service account is provisioned with a docker pull secret; if you create a pod before its service account is fully provisioned, the pod fails to access the OpenShift image registry.
Procedure
To allow pods in
to reference images inproject-a, bind a service account inproject-bto theproject-arole insystem:image-puller:project-b$ oc policy add-role-to-user \ system:image-puller system:serviceaccount:project-a:default \ --namespace=project-bAfter adding that role, the pods in
that reference the default service account are able to pull images fromproject-a.project-bTo allow access for any service account in
, use the group:project-a$ oc policy add-role-to-group \ system:image-puller system:serviceaccounts:project-a \ --namespace=project-b
5.4.2. Allowing pods to reference images from other secured registries
To pull a secured container from other private or secured registries, you must create a pull secret from your container client credentials, such as Docker or Podman, and add it to your service account.
Both Docker and Podman use a configuration file to store authentication details to log in to secured or insecure registry:
-
Docker: By default, Docker uses .
$HOME/.docker/config.json -
Podman: By default, Podman uses .
$HOME/.config/containers/auth.json
These files store your authentication information if you have previously logged in to a secured or insecure registry.
Both Docker and Podman credential files and the associated pull secret can contain multiple references to the same registry if they have unique paths, for example,
quay.ioquay.io/<example_repository>Example config.json file
{
"auths":{
"cloud.openshift.com":{
"auth":"b3Blb=",
"email":"you@example.com"
},
"quay.io":{
"auth":"b3Blb=",
"email":"you@example.com"
},
"quay.io/repository-main":{
"auth":"b3Blb=",
"email":"you@example.com"
}
}
}Example pull secret
apiVersion: v1
data:
.dockerconfigjson: ewogICAiYXV0aHMiOnsKICAgICAgIm0iOnsKICAgICAgIsKICAgICAgICAgImF1dGgiOiJiM0JsYj0iLAogICAgICAgICAiZW1haWwiOiJ5b3VAZXhhbXBsZS5jb20iCiAgICAgIH0KICAgfQp9Cg==
kind: Secret
metadata:
creationTimestamp: "2021-09-09T19:10:11Z"
name: pull-secret
namespace: default
resourceVersion: "37676"
uid: e2851531-01bc-48ba-878c-de96cfe31020
type: Opaque5.4.2.1. Creating a pull secret
Procedure
Create a secret from an existing authentication file:
For Docker clients using
, enter the following command:.docker/config.json$ oc create secret generic <pull_secret_name> \ --from-file=.dockerconfigjson=<path/to/.docker/config.json> \ --type=kubernetes.io/dockerconfigjsonFor Podman clients using
, enter the following command:.config/containers/auth.json$ oc create secret generic <pull_secret_name> \ --from-file=<path/to/.config/containers/auth.json> \ --type=kubernetes.io/podmanconfigjson
If you do not already have a Docker credentials file for the secured registry, you can create a secret by running the following command:
$ oc create secret docker-registry <pull_secret_name> \ --docker-server=<registry_server> \ --docker-username=<user_name> \ --docker-password=<password> \ --docker-email=<email>
5.4.2.2. Using a pull secret in a workload
You can use a pull secret to allow workloads to pull images from a private registry with one of the following methods:
-
By linking the secret to a , which automatically applies the secret to all pods using that service account.
ServiceAccount -
By defining directly in workload configurations, which is useful for environments like GitOps or ArgoCD.
imagePullSecrets
Procedure
You can use a secret for pulling images for pods by adding the secret to your service account. Note that the name of the service account should match the name of the service account that pod uses. The default service account is
.defaultEnter the following command to link the pull secret to a
:ServiceAccount$ oc secrets link default <pull_secret_name> --for=pullTo verify the change, enter the following command:
$ oc get serviceaccount default -o yamlExample output
apiVersion: v1 imagePullSecrets: - name: default-dockercfg-123456 - name: <pull_secret_name> kind: ServiceAccount metadata: annotations: openshift.io/internal-registry-pull-secret-ref: <internal_registry_pull_secret> creationTimestamp: "2025-03-03T20:07:52Z" name: default namespace: default resourceVersion: "13914" uid: 9f62dd88-110d-4879-9e27-1ffe269poe3 secrets: - name: <pull_secret_name>
Instead of linking the secret to a service account, you can alternatively reference it directly in your pod or workload definition. This is useful for GitOps workflows such as ArgoCD. For example:
Example pod specification
apiVersion: v1 kind: Pod metadata: name: <secure_pod_name> spec: containers: - name: <container_name> image: quay.io/my-private-image imagePullSecrets: - name: <pull_secret_name>Example ArgoCD workflow
apiVersion: argoproj.io/v1alpha1 kind: Workflow metadata: generateName: <example_workflow> spec: entrypoint: <main_task> imagePullSecrets: - name: <pull_secret_name>
5.4.2.3. Pulling from private registries with delegated authentication
A private registry can delegate authentication to a separate service. In these cases, image pull secrets must be defined for both the authentication and registry endpoints.
Procedure
Create a secret for the delegated authentication server:
$ oc create secret docker-registry \ --docker-server=sso.redhat.com \ --docker-username=developer@example.com \ --docker-password=******** \ --docker-email=unused \ redhat-connect-sso secret/redhat-connect-ssoCreate a secret for the private registry:
$ oc create secret docker-registry \ --docker-server=privateregistry.example.com \ --docker-username=developer@example.com \ --docker-password=******** \ --docker-email=unused \ private-registry secret/private-registry
5.4.3. Updating the global cluster pull secret
You can update the global pull secret for your cluster by either replacing the current pull secret or appending a new pull secret.
To transfer your cluster to another owner, you must initiate the transfer in OpenShift Cluster Manager and then update the pull secret on the cluster. Updating a cluster’s pull secret without initiating the transfer in OpenShift Cluster Manager causes the cluster to stop reporting Telemetry metrics in OpenShift Cluster Manager.
For more information, see "Transferring cluster ownership" in the Red Hat OpenShift Cluster Manager documentation.
Prerequisites
-
You have access to the cluster as a user with the role.
cluster-admin
Procedure
Optional: To append a new pull secret to the existing pull secret, complete the following steps:
Enter the following command to download the pull secret:
$ oc get secret/pull-secret -n openshift-config --template='{{index .data ".dockerconfigjson" | base64decode}}' > <pull_secret_location>1 - 1
<pull_secret_location>: Include the path to the pull secret file.
Enter the following command to add the new pull secret:
$ oc registry login --registry="<registry>" \1 --auth-basic="<username>:<password>" \2 --to=<pull_secret_location>3 - 1
<registry>: Include the new registry. You can include many repositories within the same registry, for example:--registry="<registry/my-namespace/my-repository>.- 2
<username>:<password>: Include the credentials of the new registry.- 3
<pull_secret_location>: Include the path to the pull secret file.
You can also perform a manual update to the pull secret file.
Enter the following command to update the global pull secret for your cluster:
$ oc set data secret/pull-secret -n openshift-config --from-file=.dockerconfigjson=<pull_secret_location>1 - 1
<pull_secret_location>: Include the path to the new pull secret file.
This update rolls out to all nodes, which can take some time depending on the size of your cluster.
NoteAs of OpenShift Container Platform 4.7.4, changes to the global pull secret no longer trigger a node drain or reboot.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}