Details
-
Task
-
Resolution: Unresolved
-
Minor
-
None
-
None
-
False
-
False
-
Undefined
-
0
Description
Quay robot tokens do not span organizations. Some users however do want to pull across organizations using robot tokens. OpenShift permits multiple namespaces to be provided within a `dockerconfigjson` secret so this can theoretically be done via a single service account. For example:
{
"auths": {
"quay.io/org1":
{ "auth": "super secret", "email": "" }
,
"quay.io/org2":
{ "auth": "even more secret", "email": "" }
,
"quay.io/org3":
{ "auth": "oh-la-la-dont-look", "email": "" }
}
}
The single SA can then be used across Kube namespaces as needed to overcome the token scoping limitation. Docs should reflect this technique as a workaround for robot token scoping within a single namespace.
See comment below for email thread discussion.