5.4. Using image pull secrets
To authenticate with container registries and pull images across OpenShift Container Platform projects or from secured registries, you can configure and use image pull secrets.
You first obtain the registry authentication credentials, which are typically found in the ~/.docker/config.json file for Docker or the ~/.config/containers/auth.json file for Podman, created by the pull secret from Red Hat OpenShift Cluster Manager process. This content is then used to create or update the global pullSecret object within your cluster, allowing access to images from quay.io and registry.redhat.io.
If you are using the OpenShift image registry and are pulling from image streams located in the same project, then your pod service account should already have the correct permissions. No additional action should be required.
5.4.1. Allowing pods to reference images across projects 复制链接链接已复制到粘贴板!
To allow pods in one OpenShift Container Platform project to reference images from another project, you can bind a service account to the system:image-puller role in the target project. Use the oc policy add-role-to-user or oc policy add-role-to-group command to grant cross-project image access.
When you create a pod service account or a namespace, wait until the service account is provisioned with a Docker pull secret. If you create a pod before its service account is fully provisioned, the pod fails to access the OpenShift image registry.
Procedure
Allow pods in
project-ato reference images inproject-bby entering the following command. In this example, the service accountdefaultinproject-ais bound to thesystem:image-pullerrole inproject-b:$ oc policy add-role-to-user \ system:image-puller system:serviceaccount:project-a:default \ --namespace=project-bOptional: Allow access for any service account in
project-aby using theadd-role-to-groupflag. For example:$ oc policy add-role-to-group \ system:image-puller system:serviceaccounts:project-a \ --namespace=project-b