Permission denied pulling image from Red Hat Registry

9/30/2019

I am installing an application using an operator in my OpenShift 4.1 cluster that needs access to pull images from the Red Hat registry. When I run the install from my project, the operator tries to pull an image from the Red Hat registry and I get a permission denied error.

>oc project 3scale
>oc import-image amp-apicast --from=registry.redhat.io/3scale-amp26/apicast-gateway --confirm

Unable to sync image for tag amp-apicast:2.6. Internal error occurred: Get https://registry.redhat.io/v2/3scale-amp26/apicast-gateway/manifests/latest: unauthorized: Please login to the Red Hat Registry using your Customer Portal credentials. Further instructions can be found here: https://access.redhat.com/articles/3399531

But when I pull the images manually from the Openshift project in my cluster, my pull secret from my openshift-config project is picked up and it downloads the image successfully.

>oc project openshift
>oc import-image amp-apicast --from=registry.redhat.io/3scale-amp26/apicast-gateway --confirm

What is the best way to give my project access to download images from the Red Hat registry? As I understand it, copying the pull secret to my project is not the way to go about it.

thanks

-- Richie
kubernetes
openshift

1 Answer

9/30/2019

> What is the best way to give my project access to download images from the Red Hat registry? As I understand it, copying the pull secret to my project is not the way to go about it.

If you can access https://access.redhat.com/articles/3399531, then you had better create a registry credential secret by following the "Creating Registry Service Accounts" steps. Image pulling could be enabled in openshift because of the registry credential secret of type kubernetes.io/dockerconfigjson.

e.g.:
# oc get secret -n openshift
NAME                       TYPE                                  DATA      AGE
imagestreamsecret          kubernetes.io/dockerconfigjson        1         25d
...

A secret of that type is used automatically as the image pull credential secret if a secret of that type exists in the same namespace.

Further information on the manual configuration steps is in "Allowing Pods to Reference Images from Other Secured Registries".

$ oc create secret generic <pull_secret_name> \
    --from-file=.dockerconfigjson=<path/to/.docker/config.json> \
    --type=kubernetes.io/dockerconfigjson

After creating the credential secret in your namespace, try to execute oc import-image. For testing, you can also copy the secret in openshift to your namespace. I hope it helps you.

-- Daein Park
Source: StackOverflow
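
A way to check whether a secret in a project would be usable for registry.redhat.io, as an added example that is not part of the original question or answer: it takes the JSON printed by `oc get secret <pull_secret_name> -o json`, confirms the kubernetes.io/dockerconfigjson type and the .dockerconfigjson key, and reports only the registry hosts it covers. The function names and the sample secret with its placeholder credential are constructed for illustration.

```python
import base64
import json

PULL_SECRET_TYPE = "kubernetes.io/dockerconfigjson"
PULL_SECRET_KEY = ".dockerconfigjson"


def image_registry(image):
    """Return the registry host of an image reference such as host/repo/name:tag."""
    first = image.split("/", 1)[0]
    # A first component with a dot, a colon or "localhost" is a registry host.
    if "/" in image and ("." in first or ":" in first or first == "localhost"):
        return first
    return None


def secret_registries(secret):
    """Return the registry hosts a Secret has credentials for (never the credentials).

    Raises ValueError when the secret is not usable as an image pull secret."""
    if secret.get("type") != PULL_SECRET_TYPE:
        raise ValueError("secret type is %r, expected %r" % (secret.get("type"), PULL_SECRET_TYPE))
    data = secret.get("data", {})
    if PULL_SECRET_KEY not in data:
        raise ValueError("secret has no %r key" % PULL_SECRET_KEY)
    config = json.loads(base64.b64decode(data[PULL_SECRET_KEY]))
    hosts = set()
    for entry in config.get("auths", {}):
        # Entries may be bare hosts or URLs such as https://host/v1/
        hosts.add(entry.split("://", 1)[-1].split("/", 1)[0])
    return hosts


def covers(secret, image):
    """True if the pull secret has credentials for the image's registry."""
    return image_registry(image) in secret_registries(secret)


def make_secret(auths, secret_type=PULL_SECRET_TYPE):
    """Build a constructed sample Secret (placeholder credentials, not real ones)."""
    blob = base64.b64encode(json.dumps({"auths": auths}).encode()).decode()
    return {"kind": "Secret", "type": secret_type, "data": {PULL_SECRET_KEY: blob}}


if __name__ == "__main__":
    image = "registry.redhat.io/3scale-amp26/apicast-gateway"
    sample = make_secret({"registry.redhat.io": {"auth": "PLACEHOLDER"}})
    print(image, "covered:", covers(sample, image))
```

To run it against a real project, load the output of `oc get secret <pull_secret_name> -n <project> -o json` with `json.load` and pass the result to `covers`.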