Chapter 5. Accessing the registry
Use the following sections for instructions on accessing the registry, including viewing logs and metrics, as well as securing and exposing the registry.
You can access the registry directly to invoke podman commands. This allows you to push images to or pull them from the integrated registry directly using operations like podman push or podman pull. To do so, you must be logged in to the registry using the oc login command. The operations you can perform depend on your user permissions, as described in the following sections.
Prerequisites
- You must have configured an identity provider (IDP).
- For pulling images, for example when using the podman pull command, the user must have the registry-viewer role. To add this role:
  $ oc policy add-role-to-user registry-viewer <user_name>
- For writing or pushing images, for example when using the podman push command, the user must have the registry-editor role. To add this role:
  $ oc policy add-role-to-user registry-editor <user_name>
5.1. Accessing registry directly from the cluster
You can access the registry from inside the cluster.
Procedure
Access the registry from the cluster by using internal routes:
Access the node by getting the node’s address:
$ oc get nodes
$ oc debug nodes/<node_address>
In order to have access to tools such as oc and podman on the node, run the following command:
sh-4.2# chroot /host
Log in to the container image registry by using your access token:
sh-4.4# oc login -u kubeadmin -p <password_from_install_log> https://api-int.<cluster_name>.<base_domain>:6443
sh-4.4# podman login -u kubeadmin -p $(oc whoami -t) image-registry.openshift-image-registry.svc:5000
You should see a message confirming login, such as:
Login Succeeded!
Note: You can pass any value for the user name; the token contains all necessary information. Passing a user name that contains colons will result in a login failure.
Since the Image Registry Operator creates the route, it will likely be similar to default-route-openshift-image-registry.<cluster_name>.
Perform podman pull and podman push operations against your registry:
Important: You can pull arbitrary images, but if you have the system:registry role added, you can only push images to the registry in your project.
In the following examples, use:
Component      Value
<registry_ip>  172.30.124.220
<port>         5000
<project>      openshift
<image>        image
<tag>          omitted (defaults to latest)
Pull an arbitrary image:
$ podman pull name.io/image
Tag the new image with the form <registry_ip>:<port>/<project>/<image>. The project name must appear in this pull specification for OpenShift Container Platform to correctly place and later access the image in the registry:
$ podman tag name.io/image image-registry.openshift-image-registry.svc:5000/openshift/image
Note: You must have the system:image-builder role for the specified project, which allows the user to write or push an image. Otherwise, the podman push in the next step will fail. To test, you can create a new project to push the image.
Push the newly-tagged image to your registry:
$ podman push image-registry.openshift-image-registry.svc:5000/openshift/image
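The tag and push steps above depend on the reference having the <registry_ip>:<port>/<project>/<image> form, and the login step on a user name without colons. The following shell helper is an added example, not part of the original documentation; the function names internal_ref and valid_login_user are hypothetical, and it keeps only the final path component of the source image, as the form on this page implies.

```shell
#!/bin/sh
# Added example (not from the original documentation).
# Service address of the integrated registry, as used in the procedure above.
REGISTRY="image-registry.openshift-image-registry.svc:5000"

# internal_ref <source_image> <project>  (hypothetical helper)
# Prints <registry>/<project>/<image>[:<tag>] for use with podman tag/push.
# Returns 1 if the project is missing or malformed, or the source is a digest.
internal_ref() {
    src=$1
    project=$2
    # The project must be exactly one path component, otherwise the image
    # would not land in the project whose permissions were checked.
    case $project in
        ''|*/*|*:*) echo "invalid project: '$project'" >&2; return 1 ;;
    esac
    # A digest reference has no tag that can be carried over.
    case $src in
        *@*) echo "digest reference not supported: $src" >&2; return 1 ;;
    esac
    # Take the last path component first, so that a registry port
    # (host:5000/image) is never mistaken for a tag.
    last=${src##*/}
    case $last in
        *:*) name=${last%%:*}; tag=${last#*:} ;;
        *)   name=$last; tag= ;;
    esac
    if [ -z "$name" ]; then
        echo "no image name in: $src" >&2
        return 1
    fi
    ref="$REGISTRY/$project/$name"
    if [ -n "$tag" ]; then
        ref="$ref:$tag"
    fi
    printf '%s\n' "$ref"
}

# valid_login_user <name>  (hypothetical helper)
# Returns 1 for a user name containing a colon, which the note above says
# makes podman login fail.
valid_login_user() {
    case $1 in
        *:*) return 1 ;;
    esac
    return 0
}

# Usage with the values from this page:
#   podman tag name.io/image "$(internal_ref name.io/image openshift)"
```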