Description of problem:

Image pull secrets not being read by service accounts properly. This results in an inability for serviceaccounts to pull images from other projects other than the openshift project.

    "rpc error: code = 2 desc = Error: image project1/example:v1 not found"

docker logs show:

    OpenShift access denied: User \"system:anonymous\" cannot get imagestreams
    error authorizing context: access denied

Version-Release number of selected component (if applicable):

3.7

How reproducible:

Confirmed

Steps to Reproduce:

1. Create two projects, "registry" and "prod"

2. Push an image into registry: docker-registry.default.svc:5000/registry/cyrax

3. Grant system:image-pullers role to the service accounts in prod:

    # oc adm add-role-to-group system:image-pullers system:serviceaccount:prod -n registry

4. Try to docker pull using their token or oc new-app, both fail

5. Now give them docker pull secret (for a user which has access to both projects):

    # oc login -u sektor
    # docker login -u sektor -p $(oc whoami -t) https://docker-registry.default.svc:5000

Then pulling from ~/.docker/config.json to create a secret:

    # oc secrets new my-secret .dockerconfigjson=config.json
    # oc secrets link builder my-secret
    # oc secrets link default my-secret
    # oc secrets link deployer my-secret
    # oc adm add-role-to-group system:image-pullers system:serviceaccount:prod -n registry
    # docker login -u serviceaccount -p $(oc sa get-token deployer) https://docker-registry.default.svc:5000
    # docker pull docker-registry.default.svc:5000/registry/cyrax:latest

^that works!

But oc new-app on that or other images in that project fails:

    11s 11s 1 cyrax-1-5htvf Pod spec.containers{cyrax} Warning Failed kubelet, infra-0.sektor.quicklab.example.com Failed to pull image "docker-registry.default.svc:5000/registry/cyrax:latest": rpc error: code = 2 desc = Error: image registry/cyrax:latest not found

Additional info:

It appears this is reported here as well: https://github.com/openshift/origin/issues/17523
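A diagnostic for step 5 above, as an added example that is not part of the original report and is not the fix shipped in any erratum: it checks that a docker config file destined for a pull secret has an entry for the registry in the image reference and that its auth field decodes to user:password. The function names, the sample file and the placeholder token are assumptions constructed for illustration; it accepts both the {"auths": ...} layout and the older top-level host map.

```python
import base64
import json
from urllib.parse import urlparse

def registry_host(ref):
    """Registry host[:port] of a fully qualified image ref or a config key."""
    if "://" in ref:                      # config keys may carry a scheme
        return urlparse(ref).netloc
    return ref.split("/", 1)[0]

def load_auths(raw):
    """Accept both layouts: {"auths": {...}} and the legacy top-level map."""
    doc = json.loads(raw)
    entries = doc.get("auths", doc)
    return {registry_host(k): v for k, v in entries.items() if isinstance(v, dict)}

def check_pull_secret(raw, image):
    """Return (ok, reason): does `raw` hold usable credentials for `image`?"""
    host = registry_host(image)
    try:
        auths = load_auths(raw)
    except (ValueError, AttributeError):
        return False, "not a JSON docker config"
    entry = auths.get(host)
    if entry is None:
        return False, "no entry for %s (have: %s)" % (host, sorted(auths))
    try:
        decoded = base64.b64decode(entry.get("auth", ""), validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return False, "auth for %s is not valid base64" % host
    user, _, password = decoded.partition(":")
    if not user or not password:
        return False, "auth for %s does not decode to user:password" % host
    return True, "credentials for user %r on %s" % (user, host)

# Constructed sample, not taken from the report; the token is a placeholder.
SAMPLE = json.dumps({"auths": {"https://docker-registry.default.svc:5000": {
    "auth": base64.b64encode(b"sektor:PLACEHOLDER_TOKEN").decode()}}})
IMAGE = "docker-registry.default.svc:5000/registry/cyrax:latest"

if __name__ == "__main__":
    print(check_pull_secret(SAMPLE, IMAGE))
```

A passing result only shows the file is well formed for that registry host; whether the account in it is authorized for the project is decided by the registry.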
It looks like the root cause here is coming from https://bugzilla.redhat.com/show_bug.cgi?id=1531511. Jooho clearly stated the problem does not exist. Please ensure you're using the latest oc binary when creating the secrets.
Just to clarify, by "latest oc binary" do you mean 3.9 oc, or latest 3.7 binary (as customer is on 3.7 and this bug is filed for 3.7). Do we expect latest 3.7 binary to contain the fix? (Noting that the errata attached to 1531511 does NOT appear to contain any 3.7 packages)
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:2009