Bug 1506138

Summary: document best practice of using fully qualified images names in pod specs, kubelet does not use additional registries
Product: OpenShift Container Platform Reporter: Johnny Liu <jialiu>
Component: DocumentationAssignee: Vikram Goyal <vigoyal>
Status: CLOSED DEFERRED QA Contact: Vikram Goyal <vigoyal>
Severity: medium Docs Contact: Vikram Goyal <vigoyal>
Priority: medium    
Version: 3.7.0CC: aos-bugs, chaoyang, jhonce, jialiu, jokerman, mitr, mmccomas, sdodson
Target Milestone: ---   
Target Release: 3.7.z   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-11-20 18:52:03 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Comment 1 Johnny Liu 2017-10-25 08:56:44 UTC 
Maybe this bug should be moved to other component, but not installer, if yes, pls feel free to move it.
Comment 2 Scott Dodson 2017-10-25 14:32:34 UTC 
I believe this is expected and it's the reason that we've been discouraging the use of additional registries in favor of using explicit image references in all places.

Moving to containers team to confirm that this is intentional and if that's so I guess we should treat this as a documentation bug that we should push people to use a fully qualified image format string.
Comment 5 Scott Dodson 2017-10-27 12:51:57 UTC 
Sorry, to clarify what's happening is that they're creating a pod from an image that's only available from an authenticated registry, in this case "openshift3/ose-docker-registry:v3.7.0-0.176.0".

registry.reg-aws.openshift.com requires authentication and has been added to docker using '--add-registry'

Now, one thing i missed is that they said from the command line 'docker pull openshift3/ose-docker-registry:v3.7.0-0.176.0" works as expected, however when the kubelet attempts to pull the image it doesn't present credentials to the registry unless it uses the fully qualified "registry.reg-aws.openshift.com/openshift3/ose-docker-registry:v3.7.0-0.176.0"

So this might be the kubelet rather than docker?
Comment 11 Seth Jennings 2017-10-30 18:19:16 UTC 
Agreed, moving to Documentation.
Comment 13 Stephen Cuppett 2019-11-20 18:52:03 UTC 
OCP 3.6-3.10 is no longer on full support [1]. Marking CLOSED DEFERRED. If you have a customer case with a support exception or have reproduced on 3.11+, please reopen and include those details. When reopening, please set the Target Release to the appropriate version where needed.

[1]: https://access.redhat.com/support/policy/updates/openshift