OpenShift provides a single namespace containing all the ImageStreams that could be considered part of the platform: all these images are maintained and provided by OpenShift Origin, CentOS, Software Collections Library or Red Hat.

One separate Namespace for your Images

It could be considered a good practice to separate all the ImageStreams provided by your own organization into one namespace, declaring them to be the "officially supported ACME Corp container images". Let’s call this namespace acme-corp throughout this article. These container images from acme-corp could be provided and maintained by ACME Corp’s IT DevOps Team. You can read more on the interfaces between Dev and Ops on the Red Hat Enterprise Linux Blog.

Accessing them just as if they were in the openshift namespace

OpenShift references Images (the OpenShift configuration item not the container image itself) in many situations: as part of a BuildConfig or as part of a DeploymentConfig, for example, to start a new deployment when an ImageChange trigger is received from an ImageStreamTag.

To receive these triggers, and to use/pull a container image from a different namespace, some configuration is needed:

  • Project A (the project using the image from our officially supported ACME Corp container images namespace) must be authorized to pull images
  • Each project needs to be authorized to pull images from there
  • This configuration must be automated

Access between namespaces can be granted with oc adm policy add-role-to-group system:image-puller system:serviceaccounts:project-a -n acme-corp. This will enable project A to pull images from any ImageStream in namespace acme-corp. You could repeat that for each project that shall be allowed to access acme-corp, but if we assume that all projects shall be granted access to the acme-corp ImageStreams, a more elegant way is to modify the project template of OpenShift.

Configuring your Project Template

Modifying OpenShift’s template for projects is a simple operation:

  • a template must be created within the default namespace, and
  • the master must be reconfigured to use this template

So let’s see what the default project template looks like. It is embedded in OpenShift, so we cannot find it anywhere on disk; we need to export it to a file: oc adm create-bootstrap-project-template -o yaml > acme-project-template.yaml. To create (or later on replace) a template in OpenShift use oc create -f acme-project-template.yaml.

What you see within this template is a set of defaults configured by OpenShift for each project that gets created. What we want to achieve is that each newly created project has access to the ImageStreams in the acme-corp namespace. To grant that access we need to extend the system:image-pullers RoleBinding. This is basically the same activity shown above: oc adm policy add-role-to-group ...

Here you see the complete RoleBinding configuration item including access to namespace acme-corp. You can find the complete project template as a GitLab snippet.

- kind: RoleBinding
  apiVersion: v1
  groupNames:
  - system:serviceaccounts:acme-corp # <1>
  - system:serviceaccounts:${PROJECT_NAME}
  metadata:
    name: system:image-pullers
    namespace: ${PROJECT_NAME}
  roleRef:
    name: system:image-puller
  subjects:
  - kind: SystemGroup
    name: system:serviceaccounts:${PROJECT_NAME}
  userNames: null

<1> this line has been added to the template
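A RoleBinding takes effect in the namespace named in its metadata, so before loading a modified template it is worth listing which groups receive system:image-puller and in which namespace. The following audit is an added example, not part of the original article or of OpenShift; it assumes the template has been exported as JSON instead of YAML, and the sample input is constructed from the RoleBinding shown above.

```python
import json

# Constructed sample: the RoleBinding from the listing above, as it would
# appear in the "objects" list of the project template exported as JSON.
SAMPLE_TEMPLATE = json.loads("""
{"kind": "Template", "apiVersion": "v1", "metadata": {"name": "project-request"},
 "objects": [{
   "kind": "RoleBinding", "apiVersion": "v1",
   "groupNames": ["system:serviceaccounts:acme-corp",
                  "system:serviceaccounts:${PROJECT_NAME}"],
   "metadata": {"name": "system:image-pullers", "namespace": "${PROJECT_NAME}"},
   "roleRef": {"name": "system:image-puller"},
   "subjects": [{"kind": "SystemGroup",
                 "name": "system:serviceaccounts:${PROJECT_NAME}"}],
   "userNames": null}]}
""")

# The group every new project gets by default: its own service accounts.
OWN_GROUP = "system:serviceaccounts:${PROJECT_NAME}"


def role_grants(template, role="system:image-puller"):
    """Return sorted (namespace, group) pairs: 'group' holds 'role' in 'namespace'."""
    grants = set()
    for obj in template.get("objects", []):
        if obj.get("kind") != "RoleBinding":
            continue
        if obj.get("roleRef", {}).get("name") != role:
            continue
        namespace = obj.get("metadata", {}).get("namespace", "")
        # Collect groups from both the groupNames list and the subjects list.
        groups = set(obj.get("groupNames") or [])
        groups.update(s["name"] for s in obj.get("subjects") or []
                      if s.get("kind") in ("SystemGroup", "Group"))
        grants.update((namespace, g) for g in groups)
    return sorted(grants)


def external_grants(template, role="system:image-puller"):
    """Grants to groups other than the new project's own service accounts."""
    return [(ns, g) for ns, g in role_grants(template, role) if g != OWN_GROUP]


if __name__ == "__main__":
    for ns, group in role_grants(SAMPLE_TEMPLATE):
        print(f"{group} holds system:image-puller in namespace {ns}")
```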

Next: oc replace -f acme-project-template.yaml to replace/update the template within OpenShift.

Halfway done - we only need to tell the OpenShift master to use this template for each newly created project. Keep in mind, if you are running more than one OpenShift Master, you need to do it on each master, as we will modify /etc/origin/master/master-config.yaml. And if you are using oc cluster up, there is no master-config.yaml on your local disk.

What we need to do is to replace the empty projectRequestTemplate setting under projectConfig with a value of "default/project-request".

I will leave it to the reader how to achieve this goal in the most efficient way, maybe you use openshift-ansible or dsh… in the end, we need to reconfigure and restart all OpenShift Masters.

New Project defaults

Each project we create from now on will have access to ImageStreams within the acme-corp namespace. Let’s validate:

[goern]$ oc new-project is-testing
Now using project "is-testing" on server "".

[goern]$ oc get is
No resources found.

[goern]$ oc get is -n openshift
dotnet latest,1.1,1.0 2 weeks ago
fis-java-openshift 1.0,1.0-10,1.0-11 + 2 more... 2 weeks ago
fis-karaf-openshift latest,2.0,1.0 + 2 more... 2 weeks ago
jboss-amq-62 1.1,1.1-2,latest + 2 more... 2 weeks ago
jboss-datagrid65-openshift latest,1.2,1.2-13 + 2 more... 2 weeks ago
jboss-datavirt63-openshift latest,1.0,1.0-18 + 2 more... 2 weeks ago
jboss-decisionserver62-openshift latest,1.2,1.2-10 + 2 more... 2 weeks ago
jboss-decisionserver63-openshift 1.3-15,1.3-16,1.3-18 + 2 more... 2 weeks ago
jboss-eap64-openshift 1.3,1.2,1.1 + 2 more... 2 weeks ago
jboss-eap70-openshift latest,1.4,1.3 + 2 more... 2 weeks ago
jboss-processserver63-openshift 1.3,1.3-17,1.3-18 + 2 more... 2 weeks ago
jboss-webserver30-tomcat7-openshift 1.1,1.1-2,1.1-6 + 2 more... 2 weeks ago
jboss-webserver30-tomcat8-openshift latest,1.2,1.1 + 2 more... 2 weeks ago
jenkins latest,2,1 2 weeks ago
mariadb latest,10.1 2 weeks ago
mongodb 2.6,2.4,latest + 1 more... 2 weeks ago
mysql 5.5,latest,5.7 + 1 more... 2 weeks ago
nodejs 0.10,latest,4 2 weeks ago
perl 5.24,5.20,5.16 + 1 more... 2 weeks ago
php latest,7.0,5.6 + 1 more... 2 weeks ago
postgresql latest,9.5,9.4 + 1 more... 2 weeks ago
python latest,3.5,3.4 + 2 more... 2 weeks ago
redhat-openjdk18-openshift 1.0,1.0-2,latest 2 weeks ago
redhat-sso70-openshift latest,1.3,1.3-18 + 2 more... 2 weeks ago
redis latest,3.2 2 weeks ago
ruby latest,2.3,2.2 + 1 more... 2 weeks ago

[goern]$ oc get is -n acme-corp
redis latest 6 minutes ago

At this point, we are able to use the redis ImageStream out of acme-corp namespace. Well done.


By customizing the OpenShift Master’s projectConfig, we can not only use a custom project template to grant newly created projects access to other namespaces by default, we can also set cluster-wide node selectors, or configure the level of overcommitment.

With the acme-corp namespace an organization can establish a trusted source for container images: declaring all images within this namespace to be maintained and supported by ACME Corp IT DevOps Team will give ACME Corp developers a more secure, stable and trusted environment to work in. Developers building on top of these images can expect high-quality content.

I consider this an organizational best practice.

Have Fun!

