Search code examples
openshift

How do I use an imagestream from another namespace in openshift?

I have been breaking my head over the following:

I have a set of buildconfigs that build images and create imagestreams for it in the "openshift" namespace. This gives me for example the netclient-userspace imagestream.

krist@MacBook-Pro netmaker % oc get is netclient-userspace
NAME                  IMAGE REPOSITORY                                                                 TAGS     UPDATED
netclient-userspace   image-registry.openshift-image-registry.svc:5000/openshift/netclient-userspace   latest   About an hour ago

What I have however not been able to figure out is how to use this imagestream in a deployment in a different namespace.

Take for example this:

kind: Pod
apiVersion: v1
metadata:
  name: netclient-test
  namespace: "kvb-netclient-test"
spec:
  containers:
    - name: netclient
      image: netclient-userspace:latest

When I deploy this I get errors...

Failed to pull image "netclient-userspace:latest": rpc error: code =
Unknown desc = reading manifest latest in
docker.io/library/netclient-userspace: errors: denied: requested
access to the resource is denied unauthorized: authentication required

So openshift goest and looks for the image on dockerhub. It shouldn't. How do I tell openshift to use the imagestream here?

Solution

  • When using an ImageStreamTag for a Deployment image source, you need to use the image.openshift.io/triggers annotation. It instructs OpenShift to replace the image: attribute in a Deployment with the value of an ImageStreamTag (and to redeploy it when the ImageStreamTag changes in the future).

    Importantly, note the annotation and the image: ' ' with the explicit space character in the yaml string.

    apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    image.openshift.io/triggers: '[{"from":{"kind":"ImageStreamTag","name":"content-netclient-userspace:latest","namespace":"openshift"},"fieldPath":"spec.template.spec.containers[?(@.name==\"netclient\")].image"}]'
  name: netclient-test
  namespace: "kvb-netclient-test"
spec:
  ...
  template:
    ...
    spec:
      containers:
      - command:
        - ...
        image: ' '
        name: netclient
...

    I will also mention that, in order to pull images from different namespaces, it may be required to authorize the Deployment's service account to do so: OpenShift Docs.