×

Image streams, being Red Hat OpenShift Service on AWS native resources, work with all native resources available in Red Hat OpenShift Service on AWS, such as Build or DeploymentConfigs resources. It is also possible to make them work with native Kubernetes resources, such as Job, ReplicationController, ReplicaSet or Kubernetes Deployment resources.

Enabling image streams with Kubernetes resources

When using image streams with Kubernetes resources, you can only reference image streams that reside in the same project as the resource. The image stream reference must consist of a single segment value, for example ruby:2.5, where ruby is the name of an image stream that has a tag named 2.5 and resides in the same project as the resource making the reference.

Do not run workloads in or share access to default projects. Default projects are reserved for running core cluster components.

The following default projects are considered highly privileged: default, kube-public, kube-system, openshift, openshift-infra, openshift-node, and other system-created projects that have the openshift.io/run-level label set to 0 or 1. Functionality that relies on admission plugins, such as pod security admission, security context constraints, cluster resource quotas, and image reference resolution, does not work in highly privileged projects.

There are two ways to enable image streams with Kubernetes resources:

  • Enabling image stream resolution on a specific resource. This allows only this resource to use the image stream name in the image field.

  • Enabling image stream resolution on an image stream. This allows all resources pointing to this image stream to use it in the image field.

Procedure

You can use oc set image-lookup to enable image stream resolution on a specific resource or image stream resolution on an image stream.

  1. To allow all resources to reference the image stream named mysql, enter the following command:

    $ oc set image-lookup mysql

    This sets the Imagestream.spec.lookupPolicy.local field to true.

    Imagestream with image lookup enabled
    apiVersion: image.openshift.io/v1
    kind: ImageStream
    metadata:
      annotations:
        openshift.io/display-name: mysql
      name: mysql
      namespace: myproject
    spec:
      lookupPolicy:
        local: true

    When enabled, the behavior is enabled for all tags within the image stream.

  2. Then you can query the image streams and see if the option is set:

    $ oc set image-lookup imagestream --list

You can enable image lookup on a specific resource.

  • To allow the Kubernetes deployment named mysql to use image streams, run the following command:

    $ oc set image-lookup deploy/mysql

    This sets the alpha.image.policy.openshift.io/resolve-names annotation on the deployment.

    Deployment with image lookup enabled
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: mysql
      namespace: myproject
    spec:
      replicas: 1
      template:
        metadata:
          annotations:
            alpha.image.policy.openshift.io/resolve-names: '*'
        spec:
          containers:
          - image: mysql:latest
            imagePullPolicy: Always
            name: mysql

You can disable image lookup.

  • To disable image lookup, pass --enabled=false:

    $ oc set image-lookup deploy/mysql --enabled=false