×

Why use imagestreams

An image stream and its associated tags provide an abstraction for referencing container images from within OpenShift Dedicated. The image stream and its tags allow you to see what images are available and ensure that you are using the specific image you need even if the image in the repository changes.

Image streams do not contain actual image data, but present a single virtual view of related images, similar to an image repository.

You can configure builds and deployments to watch an image stream for notifications when new images are added and react by performing a build or deployment, respectively.

For example, if a deployment is using a certain image and a new version of that image is created, a deployment could be automatically performed to pick up the new version of the image.

However, if the image stream tag used by the deployment or build is not updated, then even if the container image in the container image registry is updated, the build or deployment continues using the previous, presumably known good image.

The source images can be stored in any of the following:

  • OpenShift Dedicated’s integrated registry.

  • An external registry, for example registry.redhat.io or quay.io.

  • Other image streams in the OpenShift Dedicated cluster.

When you define an object that references an image stream tag, such as a build or deployment configuration, you point to an image stream tag and not the repository. When you build or deploy your application, OpenShift Dedicated queries the repository using the image stream tag to locate the associated ID of the image and uses that exact image.

The image stream metadata is stored in the etcd instance along with other cluster information.

Using image streams has several significant benefits:

  • You can tag, rollback a tag, and quickly deal with images, without having to re-push using the command line.

  • You can trigger builds and deployments when a new image is pushed to the registry. Also, OpenShift Dedicated has generic triggers for other resources, such as Kubernetes objects.

  • You can mark a tag for periodic re-import. If the source image has changed, that change is picked up and reflected in the image stream, which triggers the build or deployment flow, depending upon the build or deployment configuration.

  • You can share images using fine-grained access control and quickly distribute images across your teams.

  • If the source image changes, the image stream tag still points to a known-good version of the image, ensuring that your application do not break unexpectedly.

  • You can configure security around who can view and use the images through permissions on the image stream objects.

  • Users that lack permission to read or list images on the cluster level can still retrieve the images tagged in a project using image streams.

Configuring image streams

An ImageStream object file contains the following elements.

Imagestream object definition
apiVersion: image.openshift.io/v1
kind: ImageStream
metadata:
  annotations:
    openshift.io/generated-by: OpenShiftNewApp
  labels:
    app: ruby-sample-build
    template: application-template-stibuild
  name: origin-ruby-sample (1)
  namespace: test
spec: {}
status:
  dockerImageRepository: 172.30.56.218:5000/test/origin-ruby-sample (2)
  tags:
  - items:
    - created: 2017-09-02T10:15:09Z
      dockerImageReference: 172.30.56.218:5000/test/origin-ruby-sample@sha256:47463d94eb5c049b2d23b03a9530bf944f8f967a0fe79147dd6b9135bf7dd13d (3)
      generation: 2
      image: sha256:909de62d1f609a717ec433cc25ca5cf00941545c83a01fb31527771e1fab3fc5 (4)
    - created: 2017-09-01T13:40:11Z
      dockerImageReference: 172.30.56.218:5000/test/origin-ruby-sample@sha256:909de62d1f609a717ec433cc25ca5cf00941545c83a01fb31527771e1fab3fc5
      generation: 1
      image: sha256:47463d94eb5c049b2d23b03a9530bf944f8f967a0fe79147dd6b9135bf7dd13d
    tag: latest (5)
1 The name of the image stream.
2 Docker repository path where new images can be pushed to add or update them in this image stream.
3 The SHA identifier that this image stream tag currently references. Resources that reference this image stream tag use this identifier.
4 The SHA identifier that this image stream tag previously referenced. Can be used to rollback to an older image.
5 The image stream tag name.

Image stream images

An image stream image points from within an image stream to a particular image ID.

Image stream images allow you to retrieve metadata about an image from a particular image stream where it is tagged.

Image stream image objects are automatically created in OpenShift Dedicated whenever you import or tag an image into the image stream. You should never have to explicitly define an image stream image object in any image stream definition that you use to create image streams.

The image stream image consists of the image stream name and image ID from the repository, delimited by an @ sign:

<image-stream-name>@<image-id>

To refer to the image in the ImageStream object example, the image stream image looks like:

origin-ruby-sample@sha256:47463d94eb5c049b2d23b03a9530bf944f8f967a0fe79147dd6b9135bf7dd13d

Image stream tags

An image stream tag is a named pointer to an image in an image stream. It is abbreviated as istag. An image stream tag is used to reference or retrieve an image for a given image stream and tag.

Image stream tags can reference any local or externally managed image. It contains a history of images represented as a stack of all images the tag ever pointed to. Whenever a new or existing image is tagged under particular image stream tag, it is placed at the first position in the history stack. The image previously occupying the top position is available at the second position. This allows for easy rollbacks to make tags point to historical images again.

The following image stream tag is from an ImageStream object:

Image stream tag with two images in its history
kind: ImageStream
apiVersion: image.openshift.io/v1
metadata:
  name: my-image-stream
# ...
  tags:
  - items:
    - created: 2017-09-02T10:15:09Z
      dockerImageReference: 172.30.56.218:5000/test/origin-ruby-sample@sha256:47463d94eb5c049b2d23b03a9530bf944f8f967a0fe79147dd6b9135bf7dd13d
      generation: 2
      image: sha256:909de62d1f609a717ec433cc25ca5cf00941545c83a01fb31527771e1fab3fc5
    - created: 2017-09-01T13:40:11Z
      dockerImageReference: 172.30.56.218:5000/test/origin-ruby-sample@sha256:909de62d1f609a717ec433cc25ca5cf00941545c83a01fb31527771e1fab3fc5
      generation: 1
      image: sha256:47463d94eb5c049b2d23b03a9530bf944f8f967a0fe79147dd6b9135bf7dd13d
    tag: latest
# ...

Image stream tags can be permanent tags or tracking tags.

  • Permanent tags are version-specific tags that point to a particular version of an image, such as Python 3.5.

  • Tracking tags are reference tags that follow another image stream tag and can be updated to change which image they follow, like a symlink. These new levels are not guaranteed to be backwards-compatible.

    For example, the latest image stream tags that ship with OpenShift Dedicated are tracking tags. This means consumers of the latest image stream tag are updated to the newest level of the framework provided by the image when a new level becomes available. A latest image stream tag to v3.10 can be changed to v3.11 at any time. It is important to be aware that these latest image stream tags behave differently than the Docker latest tag. The latest image stream tag, in this case, does not point to the latest image in the Docker repository. It points to another image stream tag, which might not be the latest version of an image. For example, if the latest image stream tag points to v3.10 of an image, when the 3.11 version is released, the latest tag is not automatically updated to v3.11, and remains at v3.10 until it is manually updated to point to a v3.11 image stream tag.

    Tracking tags are limited to a single image stream and cannot reference other image streams.

You can create your own image stream tags for your own needs.

The image stream tag is composed of the name of the image stream and a tag, separated by a colon:

<imagestream name>:<tag>

For example, to refer to the sha256:47463d94eb5c049b2d23b03a9530bf944f8f967a0fe79147dd6b9135bf7dd13d image in the ImageStream object example earlier, the image stream tag would be:

origin-ruby-sample:latest

Image stream change triggers

Image stream triggers allow your builds and deployments to be automatically invoked when a new version of an upstream image is available.

For example, builds and deployments can be automatically started when an image stream tag is modified. This is achieved by monitoring that particular image stream tag and notifying the build or deployment when a change is detected.

Working with image streams

The following sections describe how to use image streams and image stream tags.

Do not run workloads in or share access to default projects. Default projects are reserved for running core cluster components.

The following default projects are considered highly privileged: default, kube-public, kube-system, openshift, openshift-infra, openshift-node, and other system-created projects that have the openshift.io/run-level label set to 0 or 1. Functionality that relies on admission plugins, such as pod security admission, security context constraints, cluster resource quotas, and image reference resolution, does not work in highly privileged projects.

Getting information about image streams

You can get general information about the image stream and detailed information about all the tags it is pointing to.

Procedure
  • To get general information about the image stream and detailed information about all the tags it is pointing to, enter the following command:

    $ oc describe is/<image-name>

    For example:

    $ oc describe is/python
    Example output
    Name:			python
    Namespace:		default
    Created:		About a minute ago
    Labels:			<none>
    Annotations:		openshift.io/image.dockerRepositoryCheck=2017-10-02T17:05:11Z
    Docker Pull Spec:	docker-registry.default.svc:5000/default/python
    Image Lookup:		local=false
    Unique Images:		1
    Tags:			1
    
    3.5
      tagged from centos/python-35-centos7
    
      * centos/python-35-centos7@sha256:49c18358df82f4577386404991c51a9559f243e0b1bdc366df25
          About a minute ago
  • To get all of the information available about a particular image stream tag, enter the following command:

    $ oc describe istag/<image-stream>:<tag-name>

    For example:

    $ oc describe istag/python:latest
    Example output
    Image Name:	sha256:49c18358df82f4577386404991c51a9559f243e0b1bdc366df25
    Docker Image:	centos/python-35-centos7@sha256:49c18358df82f4577386404991c51a9559f243e0b1bdc366df25
    Name:		sha256:49c18358df82f4577386404991c51a9559f243e0b1bdc366df25
    Created:	2 minutes ago
    Image Size:	251.2 MB (first layer 2.898 MB, last binary layer 72.26 MB)
    Image Created:	2 weeks ago
    Author:		<none>
    Arch:		amd64
    Entrypoint:	container-entrypoint
    Command:	/bin/sh -c $STI_SCRIPTS_PATH/usage
    Working Dir:	/opt/app-root/src
    User:		1001
    Exposes Ports:	8080/tcp
    Docker Labels:	build-date=20170801

    More information is output than shown.

  • Enter the following command to discover which architecture or operating system that an image stream tag supports:

    $ oc get istag <image-stream-tag> -ojsonpath="{range .image.dockerImageManifests[*]}{.os}/{.architecture}{'\n'}{end}"

    For example:

    $ oc get istag busybox:latest -ojsonpath="{range .image.dockerImageManifests[*]}{.os}/{.architecture}{'\n'}{end}"
    Example output
    linux/amd64
    linux/arm
    linux/arm64
    linux/386
    linux/mips64le
    linux/ppc64le
    linux/riscv64
    linux/s390x

Adding tags to an image stream

You can add additional tags to image streams.

Procedure
  • Add a tag that points to one of the existing tags by using the `oc tag`command:

    $ oc tag <image-name:tag1> <image-name:tag2>

    For example:

    $ oc tag python:3.5 python:latest
    Example output
    Tag python:latest set to python@sha256:49c18358df82f4577386404991c51a9559f243e0b1bdc366df25.
  • Confirm the image stream has two tags, one, 3.5, pointing at the external container image and another tag, latest, pointing to the same image because it was created based on the first tag.

    $ oc describe is/python
    Example output
    Name:			python
    Namespace:		default
    Created:		5 minutes ago
    Labels:			<none>
    Annotations:		openshift.io/image.dockerRepositoryCheck=2017-10-02T17:05:11Z
    Docker Pull Spec:	docker-registry.default.svc:5000/default/python
    Image Lookup:		local=false
    Unique Images:		1
    Tags:			2
    
    latest
      tagged from python@sha256:49c18358df82f4577386404991c51a9559f243e0b1bdc366df25
    
      * centos/python-35-centos7@sha256:49c18358df82f4577386404991c51a9559f243e0b1bdc366df25
          About a minute ago
    
    3.5
      tagged from centos/python-35-centos7
    
      * centos/python-35-centos7@sha256:49c18358df82f4577386404991c51a9559f243e0b1bdc366df25
          5 minutes ago

Adding tags for an external image

You can add tags for external images.

Procedure
  • Add tags pointing to internal or external images, by using the oc tag command for all tag-related operations:

    $ oc tag <repository/image> <image-name:tag>

    For example, this command maps the docker.io/python:3.6.0 image to the 3.6 tag in the python image stream.

    $ oc tag docker.io/python:3.6.0 python:3.6
    Example output
    Tag python:3.6 set to docker.io/python:3.6.0.

    If the external image is secured, you must create a secret with credentials for accessing that registry.

Updating image stream tags

You can update a tag to reflect another tag in an image stream.

Procedure
  • Update a tag:

    $ oc tag <image-name:tag> <image-name:latest>

    For example, the following updates the latest tag to reflect the 3.6 tag in an image stream:

    $ oc tag python:3.6 python:latest
    Example output
    Tag python:latest set to python@sha256:438208801c4806548460b27bd1fbcb7bb188273d13871ab43f.

Removing image stream tags

You can remove old tags from an image stream.

Procedure
  • Remove old tags from an image stream:

    $ oc tag -d <image-name:tag>

    For example:

    $ oc tag -d python:3.6
    Example output
    Deleted tag default/python:3.6

See Removing deprecated image stream tags from the Cluster Samples Operator for more information on how the Cluster Samples Operator handles deprecated image stream tags.

Configuring periodic importing of image stream tags

When working with an external container image registry, to periodically re-import an image, for example to get latest security updates, you can use the --scheduled flag.

Procedure
  1. Schedule importing images:

    $ oc tag <repository/image> <image-name:tag> --scheduled

    For example:

    $ oc tag docker.io/python:3.6.0 python:3.6 --scheduled
    Example output
    Tag python:3.6 set to import docker.io/python:3.6.0 periodically.

    This command causes OpenShift Dedicated to periodically update this particular image stream tag. This period is a cluster-wide setting set to 15 minutes by default.

  2. Remove the periodic check, re-run above command but omit the --scheduled flag. This will reset its behavior to default.

    $ oc tag <repositiory/image> <image-name:tag>

Importing and working with images and image streams

The following sections describe how to import, and work with, image streams.

Importing images and image streams from private registries

An image stream can be configured to import tag and image metadata from private image registries requiring authentication. This procedures applies if you change the registry that the Cluster Samples Operator uses to pull content from to something other than registry.redhat.io.

When importing from insecure or secure registries, the registry URL defined in the secret must include the :80 port suffix or the secret is not used when attempting to import from the registry.

Procedure
  1. You must create a secret object that is used to store your credentials by entering the following command:

    $ oc create secret generic <secret_name> --from-file=.dockerconfigjson=<file_absolute_path> --type=kubernetes.io/dockerconfigjson
  2. After the secret is configured, create the new image stream or enter the oc import-image command:

    $ oc import-image <imagestreamtag> --from=<image> --confirm

    During the import process, OpenShift Dedicated picks up the secrets and provides them to the remote party.

Allowing pods to reference images from other secured registries

The .dockercfg $HOME/.docker/config.json file for Docker clients is a Docker credentials file that stores your authentication information if you have previously logged into a secured or insecure registry.

To pull a secured container image that is not from OpenShift image registry, you must create a pull secret from your Docker credentials and add it to your service account.

The Docker credentials file and the associated pull secret can contain multiple references to the same registry, each with its own set of credentials.

Example config.json file
{
   "auths":{
      "cloud.openshift.com":{
         "auth":"b3Blb=",
         "email":"you@example.com"
      },
      "quay.io":{
         "auth":"b3Blb=",
         "email":"you@example.com"
      },
      "quay.io/repository-main":{
         "auth":"b3Blb=",
         "email":"you@example.com"
      }
   }
}
Example pull secret
apiVersion: v1
data:
  .dockerconfigjson: ewogICAiYXV0aHMiOnsKICAgICAgIm0iOnsKICAgICAgIsKICAgICAgICAgImF1dGgiOiJiM0JsYj0iLAogICAgICAgICAiZW1haWwiOiJ5b3VAZXhhbXBsZS5jb20iCiAgICAgIH0KICAgfQp9Cg==
kind: Secret
metadata:
  creationTimestamp: "2021-09-09T19:10:11Z"
  name: pull-secret
  namespace: default
  resourceVersion: "37676"
  uid: e2851531-01bc-48ba-878c-de96cfe31020
type: Opaque
Procedure
  • If you already have a .dockercfg file for the secured registry, you can create a secret from that file by running:

    $ oc create secret generic <pull_secret_name> \
        --from-file=.dockercfg=<path/to/.dockercfg> \
        --type=kubernetes.io/dockercfg
  • Or if you have a $HOME/.docker/config.json file:

    $ oc create secret generic <pull_secret_name> \
        --from-file=.dockerconfigjson=<path/to/.docker/config.json> \
        --type=kubernetes.io/dockerconfigjson
  • If you do not already have a Docker credentials file for the secured registry, you can create a secret by running:

    $ oc create secret docker-registry <pull_secret_name> \
        --docker-server=<registry_server> \
        --docker-username=<user_name> \
        --docker-password=<password> \
        --docker-email=<email>
  • To use a secret for pulling images for pods, you must add the secret to your service account. The name of the service account in this example should match the name of the service account the pod uses. The default service account is default:

    $ oc secrets link default <pull_secret_name> --for=pull

Working with manifest lists

You can import a single sub-manifest, or all manifests, of a manifest list when using oc import-image or oc tag CLI commands by adding the --import-mode flag.

Refer to the commands below to create an image stream that includes a single sub-manifest or multi-architecture images.

Procedure
  • Create an image stream that includes multi-architecture images, and sets the import mode to PreserveOriginal, by entering the following command:

    $ oc import-image <multiarch-image-stream-tag>  --from=<registry>/<project_name>/<image-name> \
    --import-mode='PreserveOriginal' --reference-policy=local --confirm
    Example output
    ---
    Arch:           <none>
    Manifests:      linux/amd64     sha256:6e325b86566fafd3c4683a05a219c30c421fbccbf8d87ab9d20d4ec1131c3451
                    linux/arm64     sha256:d8fad562ffa75b96212c4a6dc81faf327d67714ed85475bf642729703a2b5bf6
                    linux/ppc64le   sha256:7b7e25338e40d8bdeb1b28e37fef5e64f0afd412530b257f5b02b30851f416e1
    ---
  • Alternatively, enter the following command to import an image with the Legacy import mode, which discards manifest lists and imports a single sub-manifest:

    $ oc import-image <multiarch-image-stream-tag>  --from=<registry>/<project_name>/<image-name> \
    --import-mode='Legacy' --confirm

    The --import-mode= default value is Legacy. Excluding this value, or failing to specify either Legacy or PreserveOriginal, imports a single sub-manifest. An invalid import mode returns the following error: error: valid ImportMode values are Legacy or PreserveOriginal.

Limitations

Working with manifest lists has the following limitations:

  • In some cases, users might want to use sub-manifests directly. When oc adm prune images is run, or the CronJob pruner runs, they cannot detect when a sub-manifest list is used. As a result, an administrator using oc adm prune images, or the CronJob pruner, might delete entire manifest lists, including sub-manifests.

    To avoid this limitation, you can use the manifest list by tag or by digest instead.

Configuring periodic importing of manifest lists

To periodically re-import a manifest list, you can use the --scheduled flag.

Procedure
  • Set the image stream to periodically update the manifest list by entering the following command:

    $ oc import-image <multiarch-image-stream-tag>  --from=<registry>/<project_name>/<image-name> \
    --import-mode='PreserveOriginal' --scheduled=true

Configuring SSL/TSL when importing manifest lists

To configure SSL/TSL when importing a manifest list, you can use the --insecure flag.

Procedure
  • Set --insecure=true so that importing a manifest list skips SSL/TSL verification. For example:

    $ oc import-image <multiarch-image-stream-tag> --from=<registry>/<project_name>/<image-name> \
    --import-mode='PreserveOriginal' --insecure=true

Specifying architecture for --import-mode

You can swap your imported image stream between multi-architecture and single architecture by excluding or including the --import-mode= flag

Procedure
  • Run the following command to update your image stream from multi-architecture to single architecture by excluding the --import-mode= flag:

    $ oc import-image <multiarch-image-stream-tag> --from=<registry>/<project_name>/<image-name>
  • Run the following command to update your image stream from single-architecture to multi-architecture:

    $ oc import-image <multiarch-image-stream-tag>  --from=<registry>/<project_name>/<image-name> \
    --import-mode='PreserveOriginal'

Configuration fields for --import-mode

The following table describes the options available for the --import-mode= flag:

Parameter Description

Legacy

The default option for --import-mode. When specified, the manifest list is discarded, and a single sub-manifest is imported. The platform is chosen in the following order of priority:

  1. Tag annotations

  2. Control plane architecture

  3. Linux/AMD64

  4. The first manifest in the list

PreserveOriginal

When specified, the original manifest is preserved. For manifest lists, the manifest list and all of its sub-manifests are imported.