Glossary:
Container Registry:
- An internal or external, public or private (authentication required) service that stores and serves container images; in OpenShift the integrated registry exposes the project's image streams
Image Pull Secret:
- A Kubernetes Secret (type kubernetes.io/dockerconfigjson, or the legacy kubernetes.io/dockercfg) holding the registry credentials a pod or build uses to pull images; it is referenced from a pod's imagePullSecrets or linked to a service account
Container Image:
- An immutable, content-addressed bundle of filesystem layers and metadata for a specific version of an application, identified by repository plus tag or digest, and pulled from a container registry
Image Stream:
- An image stream presents a single named view of any number (0 to n) of related container images, each identified by a tag. It also emits notifications when images are added or changed, which can trigger builds or deployments automatically.
Image Tags:
- A label applied to a container image so that the images in a repository can be identified and grouped; the usual tag names encode version, architecture, and base image. Tags are mutable pointers: the same tag can be re-pointed to a different image, so only a digest names an exact image.
Example: the Apache httpd image carries tags such as 2.4.67, latest, 2.4.67-trixie, trixie, 2.4.67-alpine, and alpine, among others. One tag can cover several architectures; latest, for instance, includes linux/386, linux/amd64, and linux/arm/v5.
Referencing Images in Image Streams:
Reference by ImageStreamTag:
- Syntax: <image_stream_name>:<tag>
Reference by ImageStreamImage:
- Syntax: <image_stream_name>@<algorithm>:<digest>, in practice sha256: followed by 64 hex characters. A digest identifies exactly one image and, unlike a tag, cannot be re-pointed.
Example:
openshift/httpd-centos8@sha256:123abc...cba321
Reference by DockerImage (standard Docker pull specification):
- Syntax: [<registry_host>[:<port>]/]<user_id_or_namespace>/<target_image_repo_nm>:<tag> (or @sha256:<digest> in place of :<tag>); without a registry host the Docker Hub default applies
Example:
openshift/httpd-centos8:11.0
or
registry.redhat.io/rhel10:latest
Tagging an Image with Docker:
Tagging an image using the docker tag command.
- Syntax: docker tag <source_image_nm> <registry_host>:<port>/<user_id_or_namespace>/<target_image_repo_nm>:<tag>
Notes:
- The port is needed only when the registry does not listen on the standard TLS port 443 (5000 is common for a self-hosted registry).
- If the tag is omitted, :latest is assumed. latest is a naming convention, not a guarantee that the image is the newest one, and like any tag it can be re-pointed.
Examples:
- Tag by name:
$ docker tag httpd fedora/httpd:version11.0
- Tag private repository:
$ docker tag httpd myrepohost.mydomain.ext:5000/fedora/httpd:version11.0
Tagging an Image Stream with OC:
- Syntax: oc tag <source> <destination>
$ oc tag httpd:11.0 httpd:static-11.0
For the above example, the httpd image stream has a new tag named static-11.0.
Notes:
- The default is a permanent tag: the destination is set to the image the source points to at that moment and does not follow later changes to the source.
- Use --alias=true <source> <destination> to make the destination a tracking tag that is updated whenever the source tag changes.
- Use --scheduled=true to have the destination tag re-imported periodically; this applies to tags that reference an image in an external registry.
- - The interval is set cluster-wide in the Image Policy Configuration Parameters:
- - ScheduledImageImportMinimumIntervalSeconds: default 900 seconds (15 minutes)
- - MaxScheduledImageImportsPerMinute: default 60
Recommended Image Tagging Versioning:
| Description | Example |
| Revision | myimage:v2.0.1 |
| Architecture | myimage:v2.0-x86_64 |
| Base image | myimage:v1.2-centos7 |
| Latest (potentially unstable) | myimage:latest |
| Latest stable | myimage:stable |
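The reference forms above (ImageStreamTag, ImageStreamImage, Docker pull spec) and the tagging scheme in the table differ in one property that matters operationally: whether the reference can silently change underneath a deployment. The following shell script is an added example, not part of the original page or of OpenShift itself; it splits a reference into registry host, name, tag, and digest, and reports whether it is pinned (digest), versioned (a tag such as v2.0.1), or floating (no tag, :latest, :stable). The host, user and digest values in the sample references are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original page: classify an image reference into
# its parts and report whether it is pinned (digest), tagged (a version tag),
# or floating (no tag, :latest, :stable). The sample references at the bottom
# are constructed; the digest is a made-up placeholder, not a real image.
set -eu

# classify_ref REF
# Prints: kind|registry_host|name|tag|digest|status
#   kind   = dockerimage (has a registry host), isimage (name@sha256:...),
#            istag (name[:tag]); a host-less ns/name is treated here as an
#            image stream reference, although oc also accepts Docker Hub short names
#   status = pinned | tagged | floating
classify_ref() {
  local ref rest first last host tag digest kind status
  ref=$1; rest=$ref; host=''; tag=''; digest=''
  case $ref in
    *@*)
      digest=${ref##*@}; rest=${ref%@*}
      printf '%s\n' "$digest" | grep -Eq '^sha256:[0-9a-f]{64}$' || {
        printf 'invalid|%s\n' "$ref"; return 1; }
      ;;
  esac
  # The registry host is the first path component when it contains a dot or a
  # port, or is "localhost": the same rule the docker CLI applies.
  first=${rest%%/*}
  case $rest in
    */*)
      case $first in
        *.*|*:*|localhost) host=$first; rest=${rest#*/} ;;
      esac
      ;;
  esac
  # With the host gone, a colon in the last path component introduces the tag.
  last=${rest##*/}
  case $last in
    *:*) tag=${last##*:}; rest=${rest%:*} ;;
  esac
  if [ -n "$host" ]; then kind=dockerimage
  elif [ -n "$digest" ]; then kind=isimage
  else kind=istag; fi
  if [ -n "$digest" ]; then status=pinned
  else
    case $tag in ''|latest|stable) status=floating ;; *) status=tagged ;; esac
  fi
  printf '%s|%s|%s|%s|%s|%s\n' "$kind" "$host" "$rest" "$tag" "$digest" "$status"
}

# count_floating REF... -> number of references that change underneath you
# whenever someone re-points :latest / :stable (or the implicit latest).
count_floating() {
  local n line ref
  n=0
  for ref in "$@"; do
    line=$(classify_ref "$ref") || continue
    case $line in *'|floating') n=$((n + 1)) ;; esac
  done
  printf '%s\n' "$n"
}

# Constructed sample references (placeholder digest, not a real image).
SAMPLE_DIGEST='sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'
for r in 'registry.redhat.io/rhel10:latest' \
         'myrepohost.mydomain.ext:5000/fedora/httpd:version11.0' \
         "openshift/httpd-centos8@$SAMPLE_DIGEST" \
         'httpd' 'myimage:v2.0.1'; do
  classify_ref "$r"
done
```

Run it over the image fields of a project's deployment manifests (for example the output of oc get deploy -o jsonpath='{..image}') to find what would move without a change to the manifest; only the pinned references are reproducible, and the table's :latest and :stable tags are by design the ones that move.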
Removing/Deleting Tags from Image Streams:
- Syntax: oc tag -d <image_stream_name>:<tag>
- Equivalent: oc delete istag/<image_stream_name>:<tag> (oc delete needs a resource type, so oc delete <name>:<tag> on its own does not work)
Example:
$ oc tag -d httpd:version11.0
or, for an image stream in another project:
$ oc tag -d -n fedora httpd:version11.0
Commands to Set or Examine Image Streams:
Retrieve ID value for an image stream:
- Syntax: oc describe is <image_stream_name> (the ID is the sha256 digest listed under each tag)
Retrieve ImageStreamImage definition using the name and the ID:
- Syntax: oc get -o yaml isimage <image_stream_name>@<id>
- - Older oc releases accepted --export here to strip cluster-specific fields; it has been removed from current releases, so omit it.
List the image streams in the current project and whether local name resolution (lookupPolicy.local) is enabled for each:
- Syntax: oc set image-lookup
Instead of query, set a resource to reference an image stream:
- Syntax: oc set image-lookup <image_stream_name>
e.g.
Allow resources in a project to reference the image stream mysql:
$ oc set image-lookup mysql
Note:
For an image stream, this sets spec.lookupPolicy.local to true, so that pods, deployments, and other resources in the same project that refer to the image stream by its short name have that name resolved to the image stream's current image. (For a resource such as a Deployment it instead adds the annotation alpha.image.policy.openshift.io/resolve-names: '*' to the pod template.) The image stream YAML becomes:
apiVersion: image.openshift.io/v1
kind: ImageStream
metadata:
  annotations:
    openshift.io/display-name: mysql
  name: mysql
  namespace: mysqldeploymentproject
spec:
  lookupPolicy:
    local: true
Disable a resource using an image stream:
- Syntax: oc set image-lookup <resource_type>/<name> --enabled=false (or oc set image-lookup <image_stream_name> --enabled=false for the image stream itself)
e.g.
Stop the deployment mysql from resolving image stream names:
$ oc set image-lookup deploy/mysql --enabled=false
Pulling an Image via OC:
Log in to OCP:
$ oc login
Get the access token for the current session, which is used as the registry password in the next step:
$ oc whoami -t
Log in to the registry with the token. Pipe it in rather than passing -p on the command line, so it does not end up in shell history or the process list; the -e email flag was removed from docker login long ago, and podman login takes the same arguments. On OpenShift 4 with the default route exposed, the registry host is default-route-openshift-image-registry.apps.<cluster_domain>.
$ oc whoami -t | docker login -u "$(oc whoami)" --password-stdin <registry_host>:<port>
Notes:
- In order to pull an image, the <user_name> must have get rights on imagestreams/layers for the requested <imagestream>.
- In order to push (update) an image, the <user_name> must have update rights on imagestreams/layers for the requested <imagestream>.
- In order to list repository images, the <user_name> must have list rights on imagestreams across the whole cluster (the registry-viewer cluster role below).
- By default, all service accounts in a project have rights to pull any image in the same project, and the builder service account has rights to push any image in that same project.
Grant Permission for a User to List Repositories:
Syntax: oc adm policy add-cluster-role-to-user registry-viewer <user>
List Repositories:
Log in to OCP:
$ oc login -u user
Using the token, get the first 100 repositories from the registry catalog (quote the URL so the shell does not treat ? and & specially):
$ curl -v -u "unused:$(oc whoami -t)" "https://<registry_server>:<port>/v2/_catalog?n=100"
Note:
The Red Hat OCP documentation recommends paginating with n= because listing every repository of a large registry is "very expensive". The response carries a Link: <...>; rel="next" header pointing at the next page; stop when it is absent.
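The pagination loop the note describes, written out as an added example (not from the Red Hat documentation or from OpenShift): it follows the Link: <...>; rel="next" header of the Docker Registry v2 / OCI distribution API until the last page, extracts the repository names from each JSON body, and hands the token to curl through a config read on stdin instead of -u, which would expose it in ps output. The header and body samples at the bottom are constructed; the sample section contacts no registry, and list_repositories assumes an active oc login plus curl.

```shell
#!/bin/sh
# Added example, not from the page or from OpenShift: page through the
# registry's /v2/_catalog endpoint by following the Link: <...>; rel="next"
# header, parse the repository list, and keep the session token out of the
# process list. The sample headers and body below are constructed.
set -eu

# next_catalog_path HEADERS -> the path of the next page, or nothing on the last page
next_catalog_path() {
  printf '%s\n' "$1" | tr -d '\r' \
    | sed -n 's/^[Ll]ink: *<\([^>]*\)>; *rel="next".*/\1/p' | head -n 1
}

# repos_from_body JSON -> one repository name per line from {"repositories":[...]}
# (sed/tr is enough for this fixed shape; prefer jq where it is installed)
repos_from_body() {
  printf '%s' "$1" | tr -d ' \n' \
    | sed -n 's/.*"repositories":\[\([^]]*\)\].*/\1/p' \
    | tr ',' '\n' | tr -d '"' | sed '/^$/d'
}

# list_repositories REGISTRY_HOST[:PORT] [PAGE_SIZE]
# Requires an active oc login and curl. The token reaches curl through a
# config document on stdin (-K -), so it never appears as a -u argument in ps.
list_repositories() {
  local registry n path token hdr body
  registry=$1; n=${2:-100}; path="/v2/_catalog?n=$n"
  token=$(oc whoami -t)
  hdr=$(mktemp); body=$(mktemp)
  trap 'rm -f "$hdr" "$body"' EXIT
  while [ -n "$path" ]; do
    printf 'user = "unused:%s"\n' "$token" \
      | curl -sSf -K - -D "$hdr" -o "$body" "https://$registry$path"
    repos_from_body "$(cat "$body")"
    path=$(next_catalog_path "$(cat "$hdr")")
  done
}

# Constructed sample response, shaped like a registry's first catalog page.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Link: </v2/_catalog?last=fedora%2Fhttpd&n=100>; rel="next"
Docker-Distribution-Api-Version: registry/2.0'
SAMPLE_BODY='{"repositories":["fedora/httpd","openshift/httpd-centos8"]}'

repos_from_body "$SAMPLE_BODY"
next_catalog_path "$SAMPLE_HEADERS"
```

The last= value in the Link header is the final repository of the page just returned; the registry continues from there, so the loop neither skips nor repeats entries even when the catalog changes between requests.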
Kubernetes/OCP Secret Types:
Opaque
- Arbitrary user-defined key/value pairs with no validation; the default type, used when the data fits none of the structured types below
kubernetes.io/service-account-token
- A long-lived token for a service account (current Kubernetes no longer creates these automatically; pods receive short-lived projected tokens instead)
kubernetes.io/dockercfg
- Registry credentials in the legacy ~/.dockercfg format, stored under the key .dockercfg
kubernetes.io/dockerconfigjson
- Registry credentials in the ~/.docker/config.json format, stored under the key .dockerconfigjson; the usual type for an image pull secret
kubernetes.io/basic-auth
- Credentials for Basic Authentication, under the keys username and password
kubernetes.io/ssh-auth
- An SSH private key for key-based authentication, under the key ssh-privatekey
kubernetes.io/tls
- A TLS certificate and its private key, under the keys tls.crt and tls.key (this is a leaf certificate with its key, not a CA bundle)
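The Image Pull Secret entry in the glossary, the docker login step above, and the kubernetes.io/dockerconfigjson type here describe the same document from three sides: what docker login writes to ~/.docker/config.json is what the secret carries, base64-encoded. The script below is an added example, not from the original page or from OpenShift or Kubernetes; it builds that secret from a registry host and a token, and decodes it back so the stored credential can be checked. The registry host, user name and token value are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the page or from Kubernetes/OpenShift: build an image
# pull secret of type kubernetes.io/dockerconfigjson, then decode it to verify
# what was stored. REGISTRY, the user and TOKEN below are constructed values.
set -eu

# docker_config_json REGISTRY USER PASSWORD -> the config.json document; the
# "auth" field is base64(user:password), which is encoding, not encryption
docker_config_json() {
  local auth
  auth=$(printf '%s:%s' "$2" "$3" | base64 | tr -d '\n')
  printf '{"auths":{"%s":{"auth":"%s"}}}' "$1" "$auth"
}

# pull_secret_yaml NAME REGISTRY USER PASSWORD -> a Secret manifest whose only
# data key is .dockerconfigjson, as kubelet and builds expect for this type
pull_secret_yaml() {
  local cfg
  cfg=$(docker_config_json "$2" "$3" "$4" | base64 | tr -d '\n')
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: kubernetes.io/dockerconfigjson\ndata:\n  .dockerconfigjson: %s\n' "$1" "$cfg"
}

# secret_config_json MANIFEST -> the decoded config.json held in the manifest
secret_config_json() {
  printf '%s\n' "$1" | sed -n 's/^  \.dockerconfigjson: //p' | base64 -d
}

# config_auth_for CONFIG_JSON REGISTRY -> the user:password stored for REGISTRY
config_auth_for() {
  local esc
  esc=$(printf '%s' "$2" | sed 's/[.[\*^$]/\\&/g')   # escape regex metacharacters in the host
  printf '%s' "$1" | sed -n "s/.*\"$esc\":{\"auth\":\"\([^\"]*\)\".*/\1/p" | base64 -d
}

# Constructed values: not a real host, user or token.
REGISTRY='registry.example.test:5000'
TOKEN='sha256~constructed-token-value'
MANIFEST=$(pull_secret_yaml my-pull-secret "$REGISTRY" unused "$TOKEN")
printf '%s\n' "$MANIFEST"
```

Apply the manifest with oc apply -f and attach it with oc secrets link default my-pull-secret --for=pull; oc create secret docker-registry <name> --docker-server=... --docker-username=... --docker-password=... produces the same document without the script. Two caveats follow from the decode step: the token is recoverable by anyone with get on secrets in the project, so use a credential scoped to pull only (a dedicated service account's token or a registry robot account, not a personal session token, which also expires) and enable etcd encryption; and the user name is irrelevant to the OpenShift registry when a token is supplied, which is why "unused" works.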