Bug
Resolution: Not a Bug
Normal
4.18
Quality / Stability / Reliability
Description of problem:
CRI-O is not honouring the image-pull-secret provided through the ServiceAccount or the one defined directly in the deployment for containerRuntimeSearchRegistries
Version-Release number of selected component (if applicable):
4.x
How reproducible:
100%
Steps to Reproduce:
1- Update the images.config CR to add containerRuntimeSearchRegistries like below:
registrySources:
  containerRuntimeSearchRegistries:
  - reg1.io
  - reg2.io
  - reg3.io
2- Attach the image-pull-secret to the respective ServiceAccount or directly to the deployment:
# oc create secret docker-registry registry2 --docker-server=<registry> --docker-username=<username> --docker-password=<password> --docker-email=<mail>
# oc secrets link default registry2 --for=pull
3- Deploy the application using the default ServiceAccount and see that the pod fails to pull the image with "not authorised":
Warning Failed 17s kubelet Error: ImagePullBackOff
Normal Pulling 2s (x2 over 20s) kubelet Pulling image "redhat/ubi9:latest"
Warning Failed 0s (x2 over 18s) kubelet Failed to pull image "redhat/ubi9:latest": reading manifest latest in quay.io/redhat/ubi9: unauthorized: access to the requested resource is not authorized
Warning Failed 0s (x2 over 18s) kubelet Error: ErrImagePull
4- Try configuring it directly in the deployment and see that it still fails with "not authorized":
spec:
  containers:
  - image: redhat/ubi9:latest
    imagePullPolicy: Always
    name: httpd
    ports:
    - containerPort: 8080
      protocol: TCP
    resources: {}
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
      runAsNonRoot: true
      runAsUser: 1000700000
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube-api-access-hf7hf
      readOnly: true
  dnsPolicy: ClusterFirst
  enableServiceLinks: true
  imagePullSecrets:
  - name: registry2
Warning Failed 17s kubelet Error: ImagePullBackOff
Normal Pulling 2s (x2 over 20s) kubelet Pulling image "redhat/ubi9:latest"
Warning Failed 0s (x2 over 18s) kubelet Failed to pull image "redhat/ubi9:latest": reading manifest latest in quay.io/redhat/ubi9: unauthorized: access to the requested resource is not authorized
Warning Failed 0s (x2 over 18s) kubelet Error: ErrImagePull
Try to update the registryb credential in the global pull-secret; then everything starts working as expected. So it seems like CRI-O is not honouring the image-pull-secret provided through the ServiceAccount or the one defined directly in the deployment for containerRuntimeSearchRegistries.
I believe the RFE https://issues.redhat.com/browse/OCPSTRAT-2233 may fix this issue as well?
Actual results:
CRI-O is not honouring the image-pull-secret provided through the ServiceAccount or the one defined directly in the deployment for containerRuntimeSearchRegistries.
Expected results:
CRI-O should honour the image-pull-secret provided through the ServiceAccount or the one defined directly in the deployment for containerRuntimeSearchRegistries.
Additional info: