Cloud Experts Documentation

OpenShift - Sharing Common images

This content is authored by Red Hat experts, but has not yet been tested on every supported configuration.

In OpenShift, images stored in the in-cluster registry are protected by Kubernetes RBAC, and by default only the namespace in which an image was built can access it.

For example, if you build an image in project-a, only project-a can use that image or build from it. To give the default service account in project-b access to the images in project-a, run the following:

oc policy add-role-to-user \
    system:image-puller system:serviceaccount:project-b:default \
    --namespace=project-a

However, doing this for every namespace could become quite cumbersome. Instead, if you choose to keep a set of common images in a common-images namespace, you can make them available to all authenticated users like so:

# RoleBinding scoped to common-images (add-cluster-role-to-group would
# create a ClusterRoleBinding and grant pull access in every namespace)
oc policy add-role-to-group system:image-puller \
  system:authenticated --namespace=common-images

oc adm policy add-role-to-group view system:authenticated \
  -n common-images

Note: It’s important to understand and accept the security implications that come with this. If any Pod in the cluster is compromised, it will be able to pull any image in this namespace.
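To see where that exposure exists on a cluster, the check below scans role binding JSON for system:image-puller granted to broad groups and reports whether each grant is limited to one namespace or applies cluster-wide. It is an added example, not part of the original page or of any Red Hat tooling; the function names, the list of broad groups and the sample bindings are assumptions constructed for illustration.

```python
# Groups that match every (or nearly every) identity in the cluster.
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated", "system:serviceaccounts"}

def broad_image_pullers(binding_list, role="system:image-puller"):
    """Find bindings that grant `role` to a broad group.

    binding_list: parsed JSON from `oc get rolebindings -A -o json`
    or `oc get clusterrolebindings -o json`.
    Returns sorted (scope, binding name, group) tuples.
    """
    findings = []
    for item in binding_list.get("items", []):
        ref = item.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != role:
            continue
        # A ClusterRoleBinding applies in every namespace; a RoleBinding
        # applies only in the namespace it lives in.
        if item.get("kind") == "ClusterRoleBinding":
            scope = "*"
        else:
            scope = item["metadata"]["namespace"]
        for subj in item.get("subjects") or []:
            if subj.get("kind") == "Group" and subj.get("name") in BROAD_GROUPS:
                findings.append((scope, item["metadata"]["name"], subj["name"]))
    return sorted(findings)

def _binding(kind, name, subject, namespace=None):
    # Helper that builds one entry of the constructed sample below.
    meta = {"name": name, **({"namespace": namespace} if namespace else {})}
    return {"kind": kind, "metadata": meta, "subjects": [subject],
            "roleRef": {"kind": "ClusterRole", "name": "system:image-puller"}}

# Constructed sample; binding names are made up for illustration.
SAMPLE = {"kind": "List", "items": [
    _binding("RoleBinding", "common-pullers",
             {"kind": "Group", "name": "system:authenticated"}, "common-images"),
    _binding("RoleBinding", "project-b-puller",
             {"kind": "ServiceAccount", "name": "default", "namespace": "project-b"},
             "project-a"),
    _binding("ClusterRoleBinding", "image-puller-everyone",
             {"kind": "Group", "name": "system:authenticated"}),
]}

if __name__ == "__main__":
    for scope, name, group in broad_image_pullers(SAMPLE):
        print(f"{group} can pull images in {scope} via {name}")
```

A scope of `*` means the grant is not confined to common-images; the per-service-account binding from project-a is narrow and is not reported.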

See Global Image Puller for an example Kubernetes Controller that may allow for a more surgical (but still automated) way to grant access to images.

© 2023 Red Hat, Inc.