OpenShift - Sharing Common images
This content is authored by Red Hat experts, but has not yet been tested on every supported configuration.
In OpenShift images (stored in the in-cluster registry) are protected by Kubernetes RBAC and by default only the namespace in which the image was built can access it.
For example if you build an image in
project-a can use that image, or build from it. If you wanted the default service account in
project-b to have access to the images in
project-a you would run the following.
oc policy add-role-to-user \
system:image-puller system:serviceaccount:project-b:default \
However if you had to do this for every namespace it could become quite combersome. Instead if you choose to have a set of common images in a
common-images namespace you could make them available to all authenticated users like so.
oc adm policy add-cluster-role-to-group system:image-puller \
oc adm policy add-role-to-group view system:authenticated \
Note: It’s important to understand and accept the security implications that come with this. If any Pod in the cluster is compromised it will have access to pull any images in this namespace.
See Global Image Puller for an example Kubernetes Controller that may allow for a more surgical (but still automated) way to grant access to images.