This documentation is for a release that is no longer maintained.
5.4. Using image pull secrets
If you are using the OpenShift Container Platform internal registry and are pulling from image streams located in the same project, then your pod service account should already have the correct permissions and no additional action should be required.
For other scenarios, however, such as referencing images across OpenShift Container Platform projects or from secured registries, additional configuration steps are required.
You can obtain the image pull secret, pullSecret, from the Pull Secret page on the Red Hat OpenShift Cluster Manager site.
You use this pull secret to authenticate with the services that are provided by the included authorities, including Quay.io and registry.redhat.io, which serve the container images for OpenShift Container Platform components.
Example config.json file
5.4.1. Allowing pods to reference images across projects
When using the internal registry, to allow pods in project-a to reference images in project-b, a service account in project-a must be bound to the system:image-puller role in project-b.
Procedure
1. To allow pods in project-a to reference images in project-b, bind a service account in project-a to the system:image-puller role in project-b:

    $ oc policy add-role-to-user \
        system:image-puller system:serviceaccount:project-a:default \
        --namespace=project-b

   After adding that role, the pods in project-a that reference the default service account are able to pull images from project-b.

2. To allow access for any service account in project-a, use the group:

    $ oc policy add-role-to-group \
        system:image-puller system:serviceaccounts:project-a \
        --namespace=project-b
The .dockercfg or $HOME/.docker/config.json file for Docker clients is a Docker credentials file that stores your authentication information if you have previously logged into a secured or insecure registry.
To pull a secured container image that is not from OpenShift Container Platform’s internal registry, you must create a pull secret from your Docker credentials and add it to your service account.
Procedure
1. If you already have a .dockercfg file for the secured registry, you can create a secret from that file by running:

    $ oc create secret generic <pull_secret_name> \
        --from-file=.dockercfg=<path/to/.dockercfg> \
        --type=kubernetes.io/dockercfg

   Or if you have a $HOME/.docker/config.json file:

    $ oc create secret generic <pull_secret_name> \
        --from-file=.dockerconfigjson=<path/to/.docker/config.json> \
        --type=kubernetes.io/dockerconfigjson

2. If you do not already have a Docker credentials file for the secured registry, you can create a secret by running:

    $ oc create secret docker-registry <pull_secret_name> \
        --docker-server=<registry_server> \
        --docker-username=<user_name> \
        --docker-password=<password> \
        --docker-email=<email>

3. To use a secret for pulling images for pods, you must add the secret to your service account. The name of the service account in this example should match the name of the service account the pod uses. The default service account is default:

    $ oc secrets link default <pull_secret_name> --for=pull
A private registry can delegate authentication to a separate service. In these cases, image pull secrets must be defined for both the authentication and registry endpoints.
Procedure
1. Create a secret for the delegated authentication server:

2. Create a secret for the private registry:
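The following Python script is an added example, not code from the OpenShift documentation. It builds a Secret of the same type (kubernetes.io/dockerconfigjson) and data key (.dockerconfigjson) that `oc create secret docker-registry` creates, but for any number of registries, so a single manifest can carry both the authentication-server entry and the registry entry that a delegating registry needs. It also decodes a secret to list the registry hosts it covers, which is a convenient audit step that does not expose the credentials themselves. Every hostname, user name, password and e-mail address in it is a constructed placeholder.

```python
"""Build a kubernetes.io/dockerconfigjson pull secret as a manifest.

Added example, not from the OpenShift documentation. It produces a Secret of
the same type and data key that `oc create secret docker-registry` creates,
for one or more registries. All hostnames, user names, passwords and
addresses below are constructed placeholders.
"""
import base64
import json


def docker_auth(username: str, password: str) -> str:
    """config.json stores credentials as base64("user:password") in the auth field."""
    return base64.b64encode(f"{username}:{password}".encode()).decode()


def build_dockerconfigjson(entries: list[dict]) -> dict:
    """Build the {"auths": {...}} document that Docker clients and the kubelet read.

    Each entry is a dict with server, username, password and an optional email key.
    """
    auths = {}
    for e in entries:
        server = e["server"]
        if server in auths:
            raise ValueError(f"duplicate registry entry: {server}")
        record = {"auth": docker_auth(e["username"], e["password"])}
        if e.get("email"):
            record["email"] = e["email"]
        auths[server] = record
    return {"auths": auths}


def build_pull_secret(name: str, namespace: str, entries: list[dict]) -> dict:
    """Wrap the config.json document in a Secret of type kubernetes.io/dockerconfigjson."""
    config = json.dumps(build_dockerconfigjson(entries), separators=(",", ":"))
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/dockerconfigjson",
        # Secret data values are base64-encoded bytes.
        "data": {".dockerconfigjson": base64.b64encode(config.encode()).decode()},
    }


def decode_pull_secret(secret: dict) -> dict:
    """Reverse of build_pull_secret: the config.json document stored in the Secret."""
    return json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))


def registries_in_secret(secret: dict) -> list[str]:
    """Registry hosts the secret covers, for auditing without printing credentials."""
    return sorted(decode_pull_secret(secret)["auths"])


if __name__ == "__main__":
    # Constructed input: a registry that delegates authentication to a separate
    # server, so both endpoints need an entry in the same pull secret.
    entries = [
        {"server": "auth.example.com", "username": "puller",
         "password": "s3cret", "email": "ops@example.com"},
        {"server": "registry.example.com", "username": "puller",
         "password": "s3cret", "email": "ops@example.com"},
    ]
    secret = build_pull_secret("example-pull-secret", "project-a", entries)
    print(json.dumps(secret, indent=2))  # save to a file and apply with: oc apply -f <file>
    print("covers:", registries_in_secret(secret))
```

Creating the Secret from a manifest does not link it to a service account; the `oc secrets link default <pull_secret_name> --for=pull` step from the procedure above is still required before pods can use it.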
5.4.3. Updating the global cluster pull secret
You can update the global pull secret for your cluster.
Cluster resources must adjust to the new pull secret, which can temporarily limit the usability of the cluster.
Updating the global pull secret will cause node reboots while the Machine Config Operator (MCO) syncs the changes.
Prerequisites
- You have a new or modified pull secret file to upload.
- You have access to the cluster as a user with the cluster-admin role.
Procedure
Enter the following command to update the global pull secret for your cluster:
    $ oc set data secret/pull-secret -n openshift-config \
        --from-file=.dockerconfigjson=<pull-secret-location> 1

1 Provide the path to the new pull secret file.
This update is rolled out to all nodes, which can take some time depending on the size of your cluster. During this time, nodes are drained and pods are rescheduled on the remaining nodes.
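Because `oc set data` replaces the whole .dockerconfigjson value, a modified pull secret file that omits entries the cluster already depends on (such as those for Quay.io and registry.redhat.io) would leave nodes unable to pull platform images once the rollout completes. The Python script below is an added example, not code from the documentation: it merges one additional registry credential into an exported pull secret and refuses to write the result if any existing registry entry was dropped or any entry is malformed. The exported-secret contents are a constructed stand-in with placeholder credentials, and the `oc extract` command shown in the comment is the assumed way of exporting the current secret.

```python
"""Merge a registry credential into an exported global pull secret and check
that no existing entry was lost before uploading it with oc set data.

Added example, not from the OpenShift documentation. Assumed workflow:
  $ oc extract secret/pull-secret -n openshift-config --to=- > pull-secret.json
  (run this script, review merged-pull-secret.json)
  $ oc set data secret/pull-secret -n openshift-config \
        --from-file=.dockerconfigjson=merged-pull-secret.json
EXISTING_PULL_SECRET below is a constructed stand-in for the exported file;
its credentials are placeholders, not real ones.
"""
import base64
import json
import sys


def docker_auth(username: str, password: str) -> str:
    """config.json stores credentials as base64("user:password") in the auth field."""
    return base64.b64encode(f"{username}:{password}".encode()).decode()


# Constructed stand-in for the exported cluster pull secret.
EXISTING_PULL_SECRET = json.dumps({
    "auths": {
        "quay.io": {"auth": docker_auth("PLACEHOLDER", "PLACEHOLDER"), "email": "ops@example.com"},
        "registry.redhat.io": {"auth": docker_auth("PLACEHOLDER", "PLACEHOLDER"), "email": "ops@example.com"},
    }
})


def registries(config_json: str) -> list[str]:
    """Registry hosts covered by a config.json document."""
    return sorted(json.loads(config_json).get("auths", {}))


def merge_pull_secret(existing_json: str, server: str, username: str,
                      password: str, email: str = "", replace: bool = False) -> str:
    """Return a new config.json with an entry for `server`; never overwrite silently."""
    config = json.loads(existing_json)
    auths = config.setdefault("auths", {})
    if server in auths and not replace:
        raise ValueError(f"{server} already has an entry; pass replace=True to overwrite it")
    entry = {"auth": docker_auth(username, password)}
    if email:
        entry["email"] = email
    auths[server] = entry
    return json.dumps(config, indent=2)


def dropped_registries(before_json: str, after_json: str) -> list[str]:
    """Registries present in the old secret but missing from the new one."""
    return sorted(set(registries(before_json)) - set(registries(after_json)))


def malformed_entries(config_json: str) -> list[str]:
    """Registries whose auth field does not decode to a user:password string."""
    bad = []
    for server, entry in json.loads(config_json).get("auths", {}).items():
        try:
            decoded = base64.b64decode(entry["auth"], validate=True).decode()
        except (KeyError, TypeError, ValueError, UnicodeDecodeError):
            bad.append(server)
            continue
        if ":" not in decoded:
            bad.append(server)
    return sorted(bad)


def safe_to_upload(before_json: str, after_json: str) -> bool:
    """True only if nothing was dropped and every entry is well formed."""
    return not dropped_registries(before_json, after_json) and not malformed_entries(after_json)


if __name__ == "__main__":
    merged = merge_pull_secret(EXISTING_PULL_SECRET, "registry.example.com",
                               "puller", "s3cret", email="ops@example.com")
    if not safe_to_upload(EXISTING_PULL_SECRET, merged):
        sys.exit("refusing to write: merged secret drops or corrupts entries")
    with open("merged-pull-secret.json", "w") as f:
        f.write(merged)
    print("merged secret covers:", registries(merged))
```

The check runs before anything is written, so a mistake is caught on the workstation rather than after the Machine Config Operator has started draining nodes.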