Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Undefined
Fix Version/s: None
Affects Version/s: 4.16.z
Component/s: ImageStreams
Labels:
None

Activity Type:
None
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Story Points:
None
Severity:
None
Regression:
None

Target Backport Versions:
None
Target Version:
None
Release Blocker:
None
Sprint:
None

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

PX Impact Score:

Release Note Status:
None
Release Note Type:
None
Release Note Text:
None

Escape Reason:
None
Escape Impact:
None
Corrective Measures:
None
SDLC stage when should've been found:
None

Description of problem:

With ImageTagMirrorSet defined in the cluster, the import on an imagestream fails to redirect the import to be done from the mirror registry.

Version-Release number of selected component (if applicable):

How reproducible:

    Always

Define the ImageTagMirror set as below with `NeverContactSource` mirrorSourcePolicy:

apiVersion: config.openshift.io/v1 
kind: ImageTagMirrorSet
metadata:
  name: app-tag-mirror
spec:
  imageTagMirrors:
  - source: docker.io
    mirrors:
    - <mirror-registry>
    mirrorSourcePolicy: NeverContactSource

2. Import the image using below command:

oc import-image test:latest --from=docker.io/<any-image> --confirm

Actual results: The import on imagestream fails with below error:
  tags:
  - conditions:
    - generation: 1
      lastTransitionTime: "2025-11-30T15:27:23Z"
      message: 'forbidden: registry docker.io blocked'
      reason: Forbidden
      status: "False"
      type: ImportSuccess
    items: null
    tag: latest

Expected results:

    The import succeeds from the mirror registry defined.

Additional info:

Assignee:: Flavian Missi

Reporter:: Jyotsana Arora

Need Info From:: None

Contributors:: None

QA Contact:: XiuJuan Wang

Doc Contact:: None

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Created:: 2025/11/30 4:34 PM

Updated:: 2025/12/01 10:20 AM