luca5492
Mission Specialist

[Section 3.5] Doubts regarding RBAC for cross project image reference

Hello to all,

I am trying to understand a particular scenario with the system:image-puller ClusterRole and the cross-project ImageStreams (section 3.5 of the course).

I am currently able to deploy a pod using an ImageStream in another namespace, but without the RoleBinding required by the documentation (5.4.1. Allowing pods to reference images across projects), which shouldn't be the case.

This happens through the following steps:

  • I create two projects, one containing the ImageStream (is-common) and another one with my application (is-app). The user I am using (developer) has the "admin" Role on both of them ("admin" RoleBinding defined).
  • The ImageStream has been created via "oc import-image hello-world --from quay.io/fedora/httpd-24 --reference-policy local --confirm", thus using the local OCP registry to provision the image.
  • I create the RoleBinding via "oc policy add-role-to-group system:image-puller system:serviceaccounts:is-app -n is-common"
  • I am able to deploy apps in the other namespace via "oc new-app --name hello-world --image-stream hello-world -n is-app"
  • I remove the app in "is-app" and the RoleBinding for system:image-puller in "is-common"

After these steps, I have noticed the following:

  • If I try to deploy an app in "is-app" using an ImageStreamTag I have already deployed at least once before deleting the RoleBinding, I am still able to deploy the app.
    This seems to ignore the fact that there are no longer any image-puller permissions for the "is-app" Service Accounts defined in "is-common".
  • If I try to create a tag with a different image (different sha256) or another ImageStream in the "is-common" project, and try to deploy a new app in the "is-app" project, it throws ErrImagePull, as I would expect.

I can understand the image-puller ClusterRole gives the permission to pull images, but can this be considered valid, if linked to an RBAC permission I can revoke?

In my head, if I remove the RBAC permission, I would expect it to forbid the deployment of new applications using that ImageStream, maybe invalidating the node cache, as the users of a project whose permissions I revoked should not be able to use the ImageStream.

Could you please advise me?

Thank you!
Luca

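The two objects below are an added illustration of the scenario in the post; they are not part of the original post or of the course material. They assume the project names from the post (is-common and is-app), the default internal registry hostname image-registry.openshift-image-registry.svc:5000, and a "latest" tag on the hello-world ImageStream. The first object is the RoleBinding that the "oc policy add-role-to-group ... -n is-common" command creates; the second is a Deployment in is-app with imagePullPolicy set to Always, so that every pod start goes back to the registry and the registry's authorization check (which is where the system:image-puller permission is actually evaluated) runs again instead of being skipped because the image is already cached on the node.

```yaml
# Added example, not from the original post or the course.
# Assumptions: project names is-common / is-app from the post, the default
# internal registry hostname image-registry.openshift-image-registry.svc:5000,
# and a "latest" tag on the hello-world ImageStream.

# 1. The RoleBinding produced in is-common by
#    "oc policy add-role-to-group system:image-puller system:serviceaccounts:is-app -n is-common".
#    It is consulted by the internal registry when a pull is attempted; it is
#    not consulted when the kubelet starts a container from an image that is
#    already present on the node.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: is-app-image-puller
  namespace: is-common
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:image-puller
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:serviceaccounts:is-app
---
# 2. A Deployment in is-app that forces a registry round-trip on every pod
#    start. With the default IfNotPresent policy, a pod whose image digest is
#    already cached on the node starts without contacting the registry, so
#    removing the RoleBinding above has no visible effect until the pod lands
#    on a node that lacks the image or the tag points at a new digest.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello-world
  namespace: is-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: hello-world
  template:
    metadata:
      labels:
        app: hello-world
    spec:
      containers:
      - name: hello-world
        # Direct reference to the ImageStream's image in the internal registry.
        image: image-registry.openshift-image-registry.svc:5000/is-common/hello-world:latest
        # Always: the kubelet resolves the tag against the registry at each
        # container start, so a revoked image-puller binding yields ErrImagePull
        # even when the layers are still cached on the node.
        imagePullPolicy: Always
        ports:
        - containerPort: 8080
```

The pod authenticates to the internal registry as its own service account, which is why the binding targets the group system:serviceaccounts:is-app rather than the developer user. To confirm who currently holds the pull permission on the source project, "oc adm policy who-can get imagestreams/layers -n is-common" lists the subjects allowed to fetch layers. Note that Always only guarantees that the registry is asked again; it does not remove already-pulled layers from the node, so an image that was pulled while the binding existed stays in the node's local store until it is garbage-collected or removed by hand.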