Cluster Image Registry in OpenShift

OpenShift version: 4.3

Create Internal Image Registry Route

From the Infra Node, run the following commands. This creates an externally accessible route through which you can push images to the internal image registry.

oc project openshift-image-registry
oc patch configs.imageregistry.operator.openshift.io/cluster --type merge -p '{"spec":{"defaultRoute":true}}'
## the exposed hostname is needed when tagging and pushing images;
## the route created by the operator is named "default-route"
CLUSTER_IMAGE_REGISTRY_ROUTE=$(oc get route default-route -n openshift-image-registry -o jsonpath='{.spec.host}')

Pull, Tag and Push Image

Here we use podman:

## pull the original image from another registry,
## or load it from an image archive with podman load
podman login -u <user> -p <password> docker.io
podman load -i <image>.tar.gz

podman pull <path>/<image>:<tag>

export PRIVATE_REGISTRY=${CLUSTER_IMAGE_REGISTRY_ROUTE}/<project>
## kubeadmin is the default cluster admin; the token comes from the current oc login.
## --tls-verify=false skips certificate verification for the route; on a host that
## trusts the cluster's ingress CA the flag can be dropped from login and push.
podman login -u kubeadmin -p $(oc whoami -t) $PRIVATE_REGISTRY --tls-verify=false

podman tag <path>/<image>:<tag> $PRIVATE_REGISTRY/<image>:<tag>
podman push $PRIVATE_REGISTRY/<image>:<tag> --tls-verify=false

Create Role and Binding

Pulling an image from the cluster image registry requires authentication. Here we create a dedicated service account in the target project, grant it privileges, and then reference it in the pod YAML file.

oc apply -f - << EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: <service account name>
  namespace: <project>
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: <cluster role name>
## these wildcard rules make the service account cluster-admin equivalent;
## pulling images only needs the built-in system:image-puller ClusterRole
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: <cluster role binding name>
subjects:
- kind: ServiceAccount
  name: <service account name>
  namespace: <project>
roleRef:
  kind: ClusterRole
  name: <cluster role name>
  apiGroup: rbac.authorization.k8s.io
EOF
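
The ClusterRole above grants every verb on every resource in every API group, which is cluster-admin in all but name. As an added example (not from the original page), this Python audit flags such rules in RBAC objects in the shape `oc get clusterrole <name> -o json` returns them, and emits the scoped alternative: a namespaced RoleBinding to the built-in system:image-puller ClusterRole. The role, service account and namespace names are constructed.

```python
"""Audit an RBAC ClusterRole meant for registry pulls and emit a least-privilege binding."""
import json

WILDCARD = "*"
# Verbs that allow changing cluster state; a pull-only identity never needs them.
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection",
               "escalate", "bind", "impersonate"}

def find_overbroad_rules(cluster_role):
    """Return (rule_index, reason) for every rule broader than an image pull needs."""
    findings = []
    for i, rule in enumerate(cluster_role.get("rules", [])):
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])
        verbs = set(rule.get("verbs", []))
        if WILDCARD in groups and WILDCARD in resources and WILDCARD in verbs:
            findings.append((i, "wildcard on apiGroups, resources and verbs: cluster-admin equivalent"))
        elif WILDCARD in resources or WILDCARD in verbs:
            findings.append((i, "wildcard on resources or verbs"))
        elif WRITE_VERBS & verbs:
            findings.append((i, f"write verbs {sorted(WRITE_VERBS & verbs)} not needed for pulling"))
    return findings

def image_puller_binding(service_account, namespace, binding_name="image-puller"):
    """Least-privilege replacement: bind the built-in system:image-puller ClusterRole
    through a RoleBinding, so the grant is scoped to one project instead of the cluster."""
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "RoleBinding",
        "metadata": {"name": binding_name, "namespace": namespace},
        "subjects": [{"kind": "ServiceAccount", "name": service_account, "namespace": namespace}],
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole",
                    "name": "system:image-puller"},
    }

# Constructed sample: the page's ClusterRole as `oc get clusterrole -o json` would return it.
PAGE_CLUSTER_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "puller-role"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}

if __name__ == "__main__":
    for idx, reason in find_overbroad_rules(PAGE_CLUSTER_ROLE):
        print(f"rule[{idx}]: {reason}")
    # Manifest that can be fed to `oc apply -f -` in place of the wildcard ClusterRole
    print(json.dumps(image_puller_binding("app-puller", "demo"), indent=2))
```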

Example pod yaml file:

apiVersion: v1
kind: Pod
metadata:
  name: test-pod
spec:
  ## specify the service account created above
  serviceAccountName: <service account name>
  containers:
  - name: test-container
    image: image-registry.openshift-image-registry.svc:5000/<project>/<image>:<tag>
    command: ['sh', '-c', 'tail -f /dev/null']

Note that the default cluster registry address is image-registry.openshift-image-registry.svc:5000, which has the form <svc name>.<project>.svc:<port>. Use this in-cluster service address in the pod YAML, not the external route hostname used for pushing.
