Openshift imagestream "Import failed (Unauthorized)" for private external secure registry

Maybe I'm not getting something right, but my ImageStream returns "! error: Import failed (Unauthorized): you may not have access to the Docker image "my_registry:5000/project/my_image:latest"".

I have set up all needed steps to connect to the external registry (created a secret and added it to the current project's serviceaccount/default and serviceaccount/builder accounts). All deploymentconfigs with specified image: my_registry:5000/project/my_image:latest are working great, the node can successfully pull the image and create a pod.

But when I am making image stream with:

from:
  kind: DockerImage
  name: my_registry:5000/project/my_image:latest

I get an error that I am not authorised.

So what am I doing wrong? Is there any additional account I should give rights for pull?

oc describe sa/builder
Name:           builder
Namespace:      nginx
Labels:         <none>

Image pull secrets:     builder-dockercfg-8ogvt
                        my_registry

Mountable secrets:      builder-token-v6w8q
                        builder-dockercfg-8ogvt
                        my_registry

Tokens:                 builder-token-0j8p5
                        builder-token-v6w8q

and

oc describe sa/default
Name:           default
Namespace:      nginx
Labels:         <none>

Image pull secrets:     default-dockercfg-wmm1h
                        my_registry

Mountable secrets:      default-token-st7k9
                        default-dockercfg-wmm1h

Tokens:                 default-token-m2aoq
                        default-token-st7k9

Upvotes: 0

Views: 4377

Answers (2)

Steven

Reputation: 11

I ran into the same problem when I was trying to import an image from a docker registry hosted in another Openshift cluster. After some debugging I found the problem: Unable to find a secret to match https://docker-dev.xxxx.com:443/openshift/token (docker-dev.xxxx.com:443/openshift/token)

The Openshift Docker registry is using the OAuth of Openshift. So you have to create a secret where the --docker-server is pointing to the /openshift/token endpoint, e.g.:

oc secrets new-dockercfg registry.example.com \
    --docker-server=https://registry.example.com:443/openshift/token \
    --docker-username=default/puller-sa \
    --docker-password=<token> \
    --docker-email=<email>

Upvotes: 0
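
The lookup described in the answer above, as an added example that is not part of the original answer or of OpenShift's code: it reads a registry's `WWW-Authenticate` challenge and reports which server a `.dockercfg` pull secret has to name. The challenge and secret contents are constructed, and comparing host, port and path exactly is an assumption; the cluster's own matching may be more lenient.

```python
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}

def bearer_realm(www_authenticate):
    """Return the token endpoint from a 'Bearer realm="..."' challenge, else None."""
    scheme, _, params = www_authenticate.strip().partition(" ")
    if scheme.lower() != "bearer":
        return None  # e.g. Basic auth: credentials go to the registry itself
    match = re.search(r'realm="([^"]*)"', params)
    return match.group(1) if match else None

def normalize(server):
    """Reduce a URL or bare host[:port][/path] to (host, port, path)."""
    if "://" not in server:
        server = "https://" + server
    url = urlsplit(server)
    port = url.port or DEFAULT_PORTS.get(url.scheme, 443)
    return (url.hostname or "").lower(), port, url.path.rstrip("/")

def server_needing_secret(registry, www_authenticate, dockercfg):
    """Return the server a pull secret must name, or None if one already does.

    Assumption: a secret counts only if host, port and path all equal the target.
    """
    target = bearer_realm(www_authenticate) or registry
    have = {normalize(server) for server in dockercfg}
    return None if normalize(target) in have else target

# Constructed sample data, not taken from a real cluster.
REGISTRY = "registry.example.com:443"
CHALLENGE = 'Bearer realm="https://registry.example.com:443/openshift/token"'
SECRET_FOR_REGISTRY = {
    "registry.example.com:443": {"username": "default/puller-sa", "password": "<token>"}
}
SECRET_FOR_TOKEN_ENDPOINT = {
    "https://registry.example.com:443/openshift/token": {
        "username": "default/puller-sa", "password": "<token>"}
}

if __name__ == "__main__":
    for name, cfg in (("registry host", SECRET_FOR_REGISTRY),
                      ("token endpoint", SECRET_FOR_TOKEN_ENDPOINT)):
        missing = server_needing_secret(REGISTRY, CHALLENGE, cfg)
        print(f"secret for {name}:", f"missing {missing}" if missing else "covered")
```

The challenge header can be read from an unauthenticated request to the registry's `/v2/` endpoint.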

Subodh Pachghare

Reputation: 154

The solution depends upon your particular infrastructure configuration, but here are some pointers which worked for me -

  1. Assuming your private external registry has certificates, please check whether those certificates are properly imported; if that's not the case, then please add the registry as insecure.
  2. Docker pull, build config, imagestream pull - all work in a different manner.
  3. Also, it is recommended that the pull secret name be the same as the hostname of the registry authentication endpoint (if not using an insecure registry).
  4. For ex. Registry FQDN Name:5000/yourapp:latest (Certificates need this to work properly).

Please take a look here

oc secrets link default <pull_secret_name> --for=pull

Upvotes: 1
