OCP 4.1x - 4.2.x Registry Image Streams Tagging and Referencing

Mindwatering Incorporated

Author: Tripp W Black

Created: 05/19 at 04:18 PM

 

Category:
RH OpenShift
Reference

Glossary:
Container Registry:
- An internal (the OCP integrated registry) or external, public or private (requiring authentication) repository of container images. Image streams are OCP API objects that point at images held in a registry; they are not themselves stored in the registry.

Image Pull Secret:
- A Kubernetes Secret (type kubernetes.io/dockerconfigjson, or the legacy kubernetes.io/dockercfg) holding registry credentials. It is attached to a pod or to a service account so that the node can pull images from a registry that requires authentication.

Container Image:
- A specific, immutable build of an application's filesystem and metadata, identified by repository, tag and sha256 digest, that can be pulled from a registry and run.

Image Stream:
- An OCP API object that groups any number (0 to n) of related container images under tags, giving a single named view of them. The object records which image digest each tag currently points to, emits notifications when a tag is added or changed, and can trigger builds or deployments from those notifications. It is the OCP abstraction that decouples consumers of an image from changes in the underlying image name or location.

Image Tags:
- A mutable label applied to a container image so that images can be identified and grouped. Tags are primarily used to encode the version, the architecture and the base image.
Example: The Apache tags are 2.4.67, latest, 2.4.67-trixie, trixie, 2.4.67-alpine, and alpine, among others. The latest tag has three architectures, linux/386, linux/amd64, and linux/arm/v5.
Note: a tag such as latest can be moved to a different image at any time; only the sha256 digest identifies an image immutably.



Referencing Images in Image Streams:
Reference by ImageStreamTag:
- Syntax: <image_stream_name>:<tag>
- Resolves to whatever image the tag currently points to; if the tag is re-pointed, the reference follows it.

Reference by ImageStreamImage:
- Syntax: <image_stream_name>@sha256:<digest>
- Immutable: the digest identifies exactly one image, so this is the form to use wherever a deployment must not change without an explicit edit.

Example:
openshift/httpd-centos8@sha256:123abc...cba321


Reference by DockerImage (standard Docker pull specification):
- Syntax: [<registry_host>[:<port>]/]<user_id_or_namespace>/<target_image_repo_nm>[:<tag>|@sha256:<digest>]
- Points at an image outside the cluster's image streams; the registry host is assumed to be Docker Hub when omitted.

Example:
openshift/httpd-centos8:11.0
or
registry.redhat.io/rhel10:latest



Tagging an Image with Docker:
Tagging an image using the docker tag command.
- Syntax: docker tag <source_image_nm> <registry_host>:<port>/<user_id_or_namespace>/<target_image_repo_nm>:<tag>

Notes:
- The port is needed only if the registry does not listen on the standard TLS port 443.
- If the tag is omitted it defaults to :latest (lowercase).
- docker tag only adds a name to the image in the local daemon; a docker push of the new name is still required to place the image in the registry.

Examples:
- Tag by name:
$ docker tag httpd fedora/httpd:version11.0

- Tag private repository:
$ docker tag httpd myrepohost.mydomain.ext:5000/fedora/httpd:version11.0


Tagging an Image Stream with OC:
- Syntax: oc tag <source> <destination>
$ oc tag httpd:11.0 httpd:static-11.0

For the above example, the httpd image stream gets a new tag named static-11.0 that points at the image httpd:11.0 resolved to at the time the command ran.

Notes:
- The default is a fixed tag: it records the specific image, so if the source tag is later re-pointed the destination tag does not change.
- Use --alias=true <source> <destination> to make the destination tag follow the source tag whenever the source changes. This applies only to tags within a single image stream.
- Use --scheduled=true for the destination tag to be refreshed/re-imported periodically. This applies only to tags whose source is an external registry image (a DockerImage reference).
- - The period is set globally in the Image Policy Configuration Parameters:
- - ScheduledImageImportMinimumIntervalSeconds, default 15 minutes (expressed in seconds)
- - MaxScheduledImageImportsPerMinute, default maximum 60
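The three reference forms above and the three oc tag modes (fixed, --alias, --scheduled), as an added shell example that is not part of the original page and is not OpenShift's own code. It classifies a reference into the from.kind an ImageStream tag would record, emits the equivalent spec.tags[] stanza, and refuses the two combinations the notes above rule out. The classification rule is this script's own, and the registry hosts, stream names and tag names are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not from the original page or from OpenShift itself.
# Classifies an image reference into the three kinds an ImageStream tag's
# from.kind can take (ImageStreamTag, ImageStreamImage, DockerImage) and emits
# the spec.tags[] stanza equivalent to the `oc tag` modes: fixed (default),
# alias (--alias=true) and scheduled (--scheduled=true).
# The heuristic below is this script's own; hosts and names are assumptions.

# Docker reference rule: the first path component is a registry host only if it
# contains '.' or ':' or is exactly "localhost". So "openshift/httpd" is a
# namespace while "registry.redhat.io/..." and "localhost:5000/..." are hosts.
is_registry_host() {
  case "$1" in
    localhost|*.*|*:*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the from.kind a reference resolves to.
classify_ref() {
  ref=$1
  case "$ref" in
    */*)
      if is_registry_host "${ref%%/*}"; then
        echo DockerImage          # fully qualified pull spec, external registry
        return 0
      fi ;;
  esac
  case "$ref" in
    *@sha256:*) echo ImageStreamImage ;;   # <stream>@sha256:<digest>, immutable
    *)          echo ImageStreamTag ;;     # <stream>:<tag>, follows the tag
  esac
}

# True when the reference is pinned by digest and cannot be silently re-pointed.
is_pinned() {
  case "$1" in
    *@sha256:*) return 0 ;;
    *) return 1 ;;
  esac
}

# Emit the ImageStream spec.tags[] entry for tag <dest> tracking <src>.
# mode: fixed (default), alias (oc tag --alias=true), scheduled (--scheduled=true).
# Enforces the two restrictions from the notes: alias only from a tag of the
# same image stream, scheduled only from an external DockerImage source.
tag_stanza() {
  src=$1 dest=$2 mode=${3:-fixed}
  kind=$(classify_ref "$src")
  case "$mode" in
    fixed) ;;
    alias)
      [ "$kind" = ImageStreamTag ] || {
        echo "alias needs an ImageStreamTag source in the same stream, got $kind" >&2
        return 1
      } ;;
    scheduled)
      [ "$kind" = DockerImage ] || {
        echo "scheduled import needs an external DockerImage source, got $kind" >&2
        return 1
      } ;;
    *) echo "unknown mode: $mode" >&2; return 2 ;;
  esac
  printf '%s\n' "- name: $dest" "  from:" "    kind: $kind" "    name: $src"
  if [ "$mode" = scheduled ]; then
    printf '%s\n' "  importPolicy:" "    scheduled: true"
  fi
  # A fixed tag on an external image that is not digest-pinned will take
  # whatever the upstream tag points to at the next import: warn about it.
  if [ "$mode" = fixed ] && [ "$kind" = DockerImage ] && ! is_pinned "$src"; then
    echo "warning: $src is not pinned by digest" >&2
  fi
  return 0
}

# Stand-alone demo: a scheduled import of an external tag, then a digest-pinned fixed tag.
tag_stanza registry.redhat.io/rhel10:latest nightly scheduled
tag_stanza 'httpd@sha256:123abc' static-11.0
```

The stanza can be pasted under spec.tags in an ImageStream manifest and applied with oc apply -f; the warning path is the check to keep in mind for production deployments, since a fixed tag built from an unpinned external reference is only as stable as the upstream tag.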



Recommended Image Tagging Versioning:
Description                     Example
Revision                        myimage:v2.0.1
Architecture                    myimage:v2.0-x86_64
Base image                      myimage:v1.2-centos7
Latest (potentially unstable)   myimage:latest
Latest stable                   myimage:stable



Removing/Deleting Tags from Image Streams:
- Syntax: oc tag -d <image_stream_name>:<tag>
- or: oc delete istag <image_stream_name>:<tag> [-n <project>]

Example:
$ oc tag -d httpd:version11.0
or
$ oc delete istag httpd:version11.0 -n fedora

Note:
- Removing a tag only removes the pointer; the image itself stays in the integrated registry until it is pruned (oc adm prune images).



Commands to Set or Examine Image Streams:
Retrieve the image ID (sha256 digest) each tag of an image stream points to:
- Syntax: oc describe is <image_stream_name>

Retrieve an ImageStreamImage definition using the name and the ID:
- Syntax: oc get -o yaml isimage <image_stream_name>@<id>
- - The --export flag shown in older documentation has been removed from current oc releases (kubectl 1.18 and later).

List the image streams in the current project and whether they resolve local (unqualified) image names:
- Syntax: oc set image-lookup

Set an image stream so that resources in the project can reference it by its short name:
- Syntax: oc set image-lookup <image_stream_name>

e.g.
Allow resources in the project to reference the image stream mysql by its short name:
$ oc set image-lookup mysql

Note:
Technically, for an image stream this sets spec.lookupPolicy.local to true, so a pod or deployment in that project whose image field is just mysql:latest is resolved against the image stream instead of being pulled from an external registry. In the YAML it sets:

apiVersion: image.openshift.io/v1
kind: ImageStream
metadata:
  annotations:
    openshift.io/display-name: mysql
  name: mysql
  namespace: mysqldeploymentproject
spec:
  lookupPolicy:
    local: true

When the target is a deployment instead (oc set image-lookup deploy/mysql), the command adds the annotation alpha.image.policy.openshift.io/resolve-names: '*' to the pod template, so that deployment's unqualified image names are resolved against image streams in its project. Because resolution is by short name, anyone who can edit image streams in the project can change which image such a name resolves to, so restrict write access to the imagestreams resource accordingly.



Disable image stream resolution for a resource:
- Syntax: oc set image-lookup <resource> --enabled=false

e.g.
Stop the deployment mysql from resolving unqualified image names against image streams:
$ oc set image-lookup deploy/mysql --enabled=false



Pulling an Image via OC:
Login to OCP:
$ oc login

Get the access token for the current session; it is used as the registry password in the next step:
$ oc whoami -t

Log in to the registry with the token as the password. Pipe the token in rather than passing -p on the command line, which would leave it in the shell history and visible in the process list; the old -e <email_address> flag has been removed from current Docker releases:
$ oc whoami -t | docker login -u "$(oc whoami)" --password-stdin <registry_host>:<port>
(podman login accepts the same -u and --password-stdin arguments.)

Notes:
- In order to pull an image, the <user_name> must have get rights on imagestreams/layers for the requested <imagestream>.
- In order to push (update) an image, the <user_name> must have update rights on imagestreams/layers for the requested <imagestream>.
- In order to list repository images, the <user_name> must have list rights on imagestreams across the whole cluster (see registry-viewer below).
- By default, all service accounts in a project have rights to pull any image in the same project, and the builder service account has rights to push any image in that same project.


Grant Permission for a User to List Repositories:
Syntax: oc adm policy add-cluster-role-to-user registry-viewer <user>


List Repositories:
Login to OCP:
$ oc login -u user

Using the token, get the first 100 repositories (image streams) from the registry's v2 catalog API. The user name before the colon is ignored; only the token is checked. Quote the URL so the shell does not treat the ? as a glob:
$ curl -v -u unused:$(oc whoami -t) "https://<registry_server>:<port>/v2/_catalog?n=100"

Note:
The Red Hat OCP documentation recommends pagination because asking for all of a large repository is "very expensive". The response's Link header gives the URL of the next page, which repeats the query with last=<last_repository_returned>.



Kubernetes/OCP Secret Types:
opaque
- Arbitrary key/value pairs with no validation of the keys; used when the data does not fit any of the structured types below (the default type)

kubernetes.io/service-account-token
- Uses a service account token

kubernetes.io/dockercfg
- Uses the .dockercfg file, for required Docker credentials

kubernetes.io/dockerconfigjson
- Uses the .docker/config.json file for required Docker credentials

kubernetes.io/basic-auth
- Use with Basic Authentication

kubernetes.io/ssh-auth
- Use with SSH Key Authentication

kubernetes.io/tls
- Holds a TLS certificate and its private key in the keys tls.crt and tls.key (for example for a route or ingress); it is not a store for CA bundles
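The kubernetes.io/dockerconfigjson type listed above is the one an Image Pull Secret (glossary) uses, and it is what the docker login in "Pulling an Image via OC" writes to ~/.docker/config.json. The following added shell example, which is not part of the original page and not OpenShift's own tooling, builds that Secret from a registry host, user name and token without ever placing the token on a command line, and shows the matching stdin-based registry login. The registry host, user, token and secret name are constructed, illustrative values.

```shell
#!/bin/sh
# Added example, not from the original page or from OpenShift. Builds the
# kubernetes.io/dockerconfigjson Secret used as an image pull secret, from a
# registry host, user name and token, and shows a registry login that keeps the
# token off the command line. Host, user, token and secret name are assumptions.

# base64 without line wrapping (GNU base64 wraps at 76 columns by default).
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# JSON of ~/.docker/config.json for a single registry: auths.<host>.auth holds
# base64("<user>:<token>"), exactly what docker/podman login would write.
dockerconfig_json() {
  registry=$1 user=$2 token=$3
  printf '{"auths":{"%s":{"auth":"%s"}}}' "$registry" "$(b64 "$user:$token")"
}

# Complete Secret manifest. Values under data: are base64 of the raw bytes, so
# the JSON is encoded once more. Apply with:  pull_secret ... | oc apply -f -
pull_secret() {
  name=$1 registry=$2 user=$3 token=$4
  json=$(dockerconfig_json "$registry" "$user" "$token")
  printf '%s\n' \
    'apiVersion: v1' \
    'kind: Secret' \
    'metadata:' \
    "  name: $name" \
    'type: kubernetes.io/dockerconfigjson' \
    'data:' \
    "  .dockerconfigjson: $(b64 "$json")"
}

# Decode a manifest produced above back to the JSON, to check what was stored.
# GNU base64 is assumed (-d); macOS base64 uses -D instead.
secret_to_json() {
  sed -n 's/^  \.dockerconfigjson: //p' | base64 -d
}

# Log in to the integrated registry with the oc session token on stdin.
# Needs a live cluster plus docker or podman, so the test does not call it.
# --password-stdin keeps the token out of shell history and `ps` output.
registry_login() {
  registry=$1 tool=${2:-podman}
  oc whoami -t | "$tool" login -u "$(oc whoami)" --password-stdin "$registry"
}

# Stand-alone demo with a constructed (fake) token.
pull_secret demo-pull registry.example.com:5000 alice tok123
```

The oc-native equivalent is oc create secret docker-registry <name> --docker-server=<host> --docker-username=<user> --docker-password=<token>, followed by oc secrets link <service_account> <name> --for=pull to attach it to the service account that runs the pods; note that this form does put the token on the command line, which is why the manifest route above reads it from a variable instead. The oc session token is short-lived, so a Secret built from it is suitable for a test, not as a durable pull credential.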


