Issue pulling image from openshift internal registry



I have exposed the OpenShift internal registry using the following command from the Red Hat OpenShift documentation:

1) oc patch --patch '{"spec":{"defaultRoute":true}}' --type merge

Then I got the route to the internal registry and tried to pull an image from the internal registry. I have two parts to the question.


Part 1:

Both podman pull and podman search do not work in the DO288 lab environment; sudo podman works.

I thought at least podman search should work without sudo? Skopeo inspect works, however.

Do we need to make any config changes in /etc/containers to make podman work?

Part 2:

When you are pulling the image, do we need to be in the same namespace from where the project was uploaded?


Example: I am trying to download a container image x from project Y (namespace Y), but I am currently in project Z (namespace Z).

My OCP user ID did not create project Y, so I am unable to make it shared or modify its policy.

Basically, I need a clear approach to pull images from the internal registry using podman when we are not necessarily in the same namespace the image was in when it was uploaded to the internal registry.




1. The oc patch command should have failed for you, please review your output. Students don't have cluster admin access on shared clusters from DO180, DO288 and other courses targeting developers.

The internal registry is already exposed in these classrooms and that explains why sudo podman pull and search work for you. But they would not work in other OpenShift clusters by default unless a cluster admin changes these settings.

Current DO288 is using versions of RHEL and podman that have incomplete support for rootless podman. You can see that all such commands in the course are "sudo podman".

2. podman has no idea of your current namespace for the oc command. If you podman login to the registry using an OpenShift user and password that has access to the namespace, podman should be able to pull images from it. The namespace is just a part of the image name from podman's point of view.

So a user with the admin role on the namespace of the image has to grant you access to images inside it.

OpenShift project admins are not cluster admins. If you create a project, you are its admin and can grant either admin, edit, or view roles on your projects to other users and share them with other users. These topics are covered by DO280 - Red Hat OpenShift Administration II: Operating a Production Kubernetes Cluster.

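The cross-namespace pull described in the reply, as an added example that is not part of the original thread: an admin of the image's project grants pull access, then the other user logs in to the registry route and pulls by full image name. The host, project, image and user names are constructed placeholders; system:image-puller is a narrower role than the view/edit/admin roles the reply mentions, and logging in with the oc session token is an assumption about how the cluster authenticates registry users.

```shell
#!/bin/sh
# Added example: pull an image that lives in another project's namespace.
# Host, project, image and user names below are constructed placeholders.
LC_ALL=C; export LC_ALL
PODMAN=${PODMAN:-podman}     # the DO288 classroom needs PODMAN="sudo podman"
DRY_RUN=${DRY_RUN:-1}        # 1 = print the commands, 0 = execute them

# Namespaces are DNS labels: lowercase letters, digits and '-', max 63 chars.
valid_label() {
    case $1 in ''|*[!a-z0-9-]*|-*|*-) return 1 ;; esac
    [ "${#1}" -le 63 ]
}

# The namespace is only a path component of the image name.
image_ref() {   # host namespace image [tag]
    valid_label "$2" || { echo "bad namespace: $2" >&2; return 1; }
    [ -n "$1" ] && [ -n "$3" ] || { echo "host and image are required" >&2; return 1; }
    printf '%s/%s/%s:%s\n' "$1" "$2" "$3" "${4:-latest}"
}

# Run by an admin of the image's project: grants pull rights only,
# which is narrower than the view, edit or admin roles.
grant_pull_cmd() {   # user namespace
    valid_label "$2" || return 1
    printf 'oc policy add-role-to-user system:image-puller %s -n %s\n' "$1" "$2"
}

# Run by the user who wants the image; the current `oc project` plays no part.
pull_image() {   # host namespace image [tag]
    ref=$(image_ref "$@") || return 1
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' \
            "oc whoami -t | $PODMAN login -u \"\$(oc whoami)\" --password-stdin $1" \
            "$PODMAN pull $ref"
    else
        # The token goes in on stdin so it never appears in the process list.
        oc whoami -t | $PODMAN login -u "$(oc whoami)" --password-stdin "$1" &&
        $PODMAN pull "$ref"
    fi
}

HOST=default-route-openshift-image-registry.apps.example.com   # constructed
grant_pull_cmd developer-z project-y
pull_image "$HOST" project-y x latest
```

With the default DRY_RUN=1 the script only prints the commands; set DRY_RUN=0 to execute them against a cluster where oc is already logged in.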