OpenShift provides a single namespace containing all the ImageStreams that could be considered part of the platform: all these images are maintained and provided by OpenShift Origin, CentOS, Software Collections Library or Red Hat.
One separate Namespace for your Images
It could be considered a good practice to separate all the ImageStreams provided by your own organization into one namespace, declaring them to be the "officially supported ACME Corp container images". Let’s call this namespace acme-corp throughout this article. These container images from acme-corp could be provided and maintained by ACME Corp’s IT DevOps Team. You can read more on the interfaces between Dev and Ops on the Red Hat Enterprise Linux Blog.
Accessing them just like they are from openshift namespace
OpenShift references Images (the OpenShift configuration item not the container image itself) in many situations: as part of a BuildConfig or as part of a DeploymentConfig, for example, to start a new deployment when an ImageChange trigger is received from an ImageStreamTag.
To receive these triggers, and to use/pull a container image from a different namespace, some configuration is needed:
- Project A (the project using the image from our officially supported ACME Corp container images namespace) must be authorized to pull images
- Each project needs to be authorized to pull images from there
- This configuration must be automated
Granting access for specific actions between namespaces can be accomplished with oc adm policy add-role-to-group system:image-puller system:serviceaccounts:project-a -n acme-corp. This enables the service accounts of project A to pull images from any ImageStream in namespace acme-corp. You might repeat that for each project that shall be allowed to access acme-corp, but if we assume that all projects shall be granted access to acme-corp ImageStreams, a more elegant way is to modify the project template of OpenShift.
Configuring your Project Template
Modifying OpenShift's template for projects is a simple operation:
- a template must be created within the default namespace, and
- the master must be reconfigured to use this template
So let's see what the default project template looks like. It is embedded in OpenShift, so we cannot find it anywhere on disk; we need to export it and store it in a file: oc adm create-bootstrap-project-template -o yaml > acme-project-template.yaml. To create (or later on replace) a template in OpenShift, use oc create -f acme-project-template.yaml.
What you see within this template is the set of defaults OpenShift configures for each project that gets created. What we want to achieve is that each newly created project has access to ImageStreams in the acme-corp namespace. To grant that access we need to extend the system:image-pullers RoleBinding. This is basically the same activity shown above with oc adm policy add-role-to-group ...
Here you see the complete RoleBinding configuration item including access to namespace acme-corp. You can find the complete project template as a gitlab snippet.
- kind: RoleBinding
  apiVersion: v1
  groupNames:
  - system:serviceaccounts:acme-corp # <1>
  - system:serviceaccounts:${PROJECT_NAME}
  metadata:
    name: system:image-pullers
    namespace: ${PROJECT_NAME}
  roleRef:
    name: system:image-puller
  subjects:
  - kind: SystemGroup
    name: system:serviceaccounts:${PROJECT_NAME}
  userNames: null
<1> this line has been added to the template
Next: oc replace -f acme-project-template.yaml to replace/update the template within OpenShift.
Halfway done. We only need to tell the OpenShift master to use this template for each newly created project. Keep in mind that if you are running more than one OpenShift master, you need to do it on each master, as we will modify /etc/origin/master/master-config.yaml. And if you are using oc cluster up, there is no master-config.yaml on your local disk.
What we need to do is replace the empty projectRequestTemplate setting under projectConfig ({"projectConfig":{"projectRequestTemplate"}}) with the value "default/project-request", so that master-config.yaml contains:
projectConfig:
  projectRequestTemplate: "default/project-request"
I will leave it to the reader how to achieve this goal in the most efficient way, maybe you use openshift-ansible or dsh… in the end, we need to reconfigure and restart all OpenShift Masters.
New Project defaults
Each project we create from now on will have access to ImageStreams within the acme-corp namespace. Let’s validate:
[goern]$ oc new-project is-testing
Now using project "is-testing" on server "https://openshift.example.com".
[...]
[goern]$ oc get is
No resources found.
[goern]$ oc get is -n openshift
NAME DOCKER REPO TAGS UPDATED
dotnet 172.30.142.230:5000/openshift/dotnet latest,1.1,1.0 2 weeks ago
fis-java-openshift registry.access.redhat.com/jboss-fuse-6/fis-java-openshift 1.0,1.0-10,1.0-11 + 2 more... 2 weeks ago
fis-karaf-openshift registry.access.redhat.com/jboss-fuse-6/fis-karaf-openshift latest,2.0,1.0 + 2 more... 2 weeks ago
jboss-amq-62 registry.access.redhat.com/jboss-amq-6/amq62-openshift 1.1,1.1-2,latest + 2 more... 2 weeks ago
jboss-datagrid65-openshift registry.access.redhat.com/jboss-datagrid-6/datagrid65-openshift latest,1.2,1.2-13 + 2 more... 2 weeks ago
jboss-datavirt63-openshift registry.access.redhat.com/jboss-datavirt-6/datavirt63-openshift latest,1.0,1.0-18 + 2 more... 2 weeks ago
jboss-decisionserver62-openshift registry.access.redhat.com/jboss-decisionserver-6/decisionserver62-openshift latest,1.2,1.2-10 + 2 more... 2 weeks ago
jboss-decisionserver63-openshift registry.access.redhat.com/jboss-decisionserver-6/decisionserver63-openshift 1.3-15,1.3-16,1.3-18 + 2 more... 2 weeks ago
jboss-eap64-openshift registry.access.redhat.com/jboss-eap-6/eap64-openshift 1.3,1.2,1.1 + 2 more... 2 weeks ago
jboss-eap70-openshift registry.access.redhat.com/jboss-eap-7/eap70-openshift latest,1.4,1.3 + 2 more... 2 weeks ago
jboss-processserver63-openshift registry.access.redhat.com/jboss-processserver-6/processserver63-openshift 1.3,1.3-17,1.3-18 + 2 more... 2 weeks ago
jboss-webserver30-tomcat7-openshift registry.access.redhat.com/jboss-webserver-3/webserver30-tomcat7-openshift 1.1,1.1-2,1.1-6 + 2 more... 2 weeks ago
jboss-webserver30-tomcat8-openshift registry.access.redhat.com/jboss-webserver-3/webserver30-tomcat8-openshift latest,1.2,1.1 + 2 more... 2 weeks ago
jenkins 172.30.142.230:5000/openshift/jenkins latest,2,1 2 weeks ago
mariadb 172.30.142.230:5000/openshift/mariadb latest,10.1 2 weeks ago
mongodb 172.30.142.230:5000/openshift/mongodb 2.6,2.4,latest + 1 more... 2 weeks ago
mysql 172.30.142.230:5000/openshift/mysql 5.5,latest,5.7 + 1 more... 2 weeks ago
nodejs 172.30.142.230:5000/openshift/nodejs 0.10,latest,4 2 weeks ago
perl 172.30.142.230:5000/openshift/perl 5.24,5.20,5.16 + 1 more... 2 weeks ago
php 172.30.142.230:5000/openshift/php latest,7.0,5.6 + 1 more... 2 weeks ago
postgresql 172.30.142.230:5000/openshift/postgresql latest,9.5,9.4 + 1 more... 2 weeks ago
python 172.30.142.230:5000/openshift/python latest,3.5,3.4 + 2 more... 2 weeks ago
redhat-openjdk18-openshift registry.access.redhat.com/redhat-openjdk-18/openjdk18-openshift 1.0,1.0-2,latest 2 weeks ago
redhat-sso70-openshift registry.access.redhat.com/redhat-sso-7/sso70-openshift latest,1.3,1.3-18 + 2 more... 2 weeks ago
redis 172.30.142.230:5000/openshift/redis latest,3.2 2 weeks ago
ruby 172.30.142.230:5000/openshift/ruby latest,2.3,2.2 + 1 more... 2 weeks ago
[goern]$ oc get is -n acme-corp
NAME DOCKER REPO TAGS UPDATED
redis 172.30.142.230:5000/acme-corp/redis latest 6 minutes ago
At this point, we are able to use the redis ImageStream out of acme-corp namespace. Well done.
Conclusion
By customizing the OpenShift master's projectConfig, we can not only use a custom project template to grant newly created projects access to other namespaces by default, we can also set cluster-wide node selectors or configure the level of overcommitment.
With the acme-corp namespace an organization can establish a trusted source for container images: declaring all images within this namespace to be maintained and supported by ACME Corp IT DevOps Team will give ACME Corp developers a more secure, stable and trusted environment to work in. Developers building on top of these images can expect high-quality content.
I consider this an organizational best practice.
Have Fun!