Chapter 7. Using image streams with Kubernetes resources
Image streams, being OpenShift Container Platform native resources, work with all native resources available in OpenShift Container Platform, such as Build
or DeploymentConfigs
resources. It is also possible to make them work with native Kubernetes resources, such as Job
, ReplicationController
, ReplicaSet
or Kubernetes Deployment
resources.
7.1. Enabling image streams with Kubernetes resources
When using image streams with Kubernetes resources, you can only reference image streams that reside in the same project as the resource. The image stream reference must consist of a single segment value, for example ruby:2.5
, where ruby
is the name of an image stream that has a tag named 2.5
and resides in the same project as the resource making the reference.
Do not run workloads in or share access to default projects. Default projects are reserved for running core cluster components.
The following default projects are considered highly privileged: default
, kube-public
, kube-system
, openshift
, openshift-infra
, openshift-node
, and other system-created projects that have the openshift.io/run-level
label set to 0
or 1
. Functionality that relies on admission plugins, such as pod security admission, security context constraints, cluster resource quotas, and image reference resolution, does not work in highly privileged projects.
There are two ways to enable image streams with Kubernetes resources:
- Enabling image stream resolution on a specific resource. This allows only this resource to use the image stream name in the image field.
- Enabling image stream resolution on an image stream. This allows all resources pointing to this image stream to use it in the image field.
Procedure
You can use oc set image-lookup
to enable image stream resolution on a specific resource or image stream resolution on an image stream.
To allow all resources to reference the image stream named
mysql
, enter the following command:$ oc set image-lookup mysql
This sets the
Imagestream.spec.lookupPolicy.local
field to true.Imagestream with image lookup enabled
apiVersion: image.openshift.io/v1 kind: ImageStream metadata: annotations: openshift.io/display-name: mysql name: mysql namespace: myproject spec: lookupPolicy: local: true
When enabled, the behavior is enabled for all tags within the image stream.
Then you can query the image streams and see if the option is set:
$ oc set image-lookup imagestream --list
You can enable image lookup on a specific resource.
To allow the Kubernetes deployment named
mysql
to use image streams, run the following command:$ oc set image-lookup deploy/mysql
This sets the
alpha.image.policy.openshift.io/resolve-names
annotation on the deployment.Deployment with image lookup enabled
apiVersion: apps/v1 kind: Deployment metadata: name: mysql namespace: myproject spec: replicas: 1 template: metadata: annotations: alpha.image.policy.openshift.io/resolve-names: '*' spec: containers: - image: mysql:latest imagePullPolicy: Always name: mysql
You can disable image lookup.
To disable image lookup, pass
--enabled=false
:$ oc set image-lookup deploy/mysql --enabled=false