+++ This bug was initially created as a clone of Bug #1795144 +++
Description of problem:
Adding a default pull secret for a namespace using the UI doesn't link it with the "default" service account for pulling images.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Create a namespace using the UI
2. Add to it a default pull secret using https://console-openshift-console.apps.<cluster>.<subdomain>/k8s/cluster/namespaces/<namespace>
3. Deploy an image which requires the pull secret
The pull secret should be used for pulling as the text in the UI writes clearly: "Specify default credentials to be used to authenticate and download containers within this namespace. These credentials will be the default unless a pod references a specific pull secret."
--- Additional comment from Sergio G. on 2020-01-27 09:26:22 UTC ---
Version-Release in the description is wrong.
I've confirmed this bug in 4.2.14.
--- Additional comment from Jakub Hadvig on 2020-01-28 12:53:08 UTC ---
Was trying to reproduce this issue on both 4.4 and 4.2 clusters but without any luck.
After I added the "Default Pull Secret" to the namespace I was able to find and also deploy the private image without any issues.
--- Additional comment from Sergio G. on 2020-01-28 13:45:20 UTC ---
Can you confirm if the secret is shown in "oc describe sa default" as used for pulling images?
It wasn't there for me until I linked it manually.
--- Additional comment from XiaochuanWang on 2020-02-04 03:39:53 UTC ---
Tested on 4.4.0-0.nightly-2020-02-02-225006
After Project created, sa "default" is as below:
$ oc describe sa default
Image pull secrets: default-dockercfg-4vsq7
Mountable secrets: default-token-9lkgk
Image app using Deployment by "default-token-9lkgk" failed.
Image app using DC by "default-dockercfg-4vsq7" could succeed.
As per my understanding, it needs a message such as the description "Expected results:" said.
Must the image app use the correct secret (which is "Image pull secrets") from SA "default"? Is that another bug?
Please notice the Target Release is still `--`
--- Additional comment from Jakub Hadvig on 2020-02-04 15:32:16 UTC ---
Was able to reproduce the issue and about to send a fix.
--- Additional comment from Yadan Pei on 2020-02-06 09:42:08 UTC ---
1. Add a default pull secret to namespace by following steps
Administration -> Namespaces -> yapei-1 -> click edit icon in Default Pull Secret -> add credentials used to pull private image from dockerhub, create
2. A secret 'yapei-dp' is created in namespace
$ oc get secret
NAME TYPE DATA AGE
yapei-dp kubernetes.io/dockerconfigjson 1 6m9s
3. Check sa/default, the added pull secret is not linked to sa/default
$ oc describe sa default
Image pull secrets: default-dockercfg-wfs66
Mountable secrets: default-token-p5kvs
4. Deploy a DeploymentConfig from the private image: the image can be searched in the Deploy Image catalog and the DC is created successfully, but the pods can't run
$ oc get pods
NAME READY STATUS RESTARTS AGE
wordpress-1-deploy 1/1 Running 0 7m37s
wordpress-1-kh4m8 0/1 ImagePullBackOff 0 7m28s
$ oc describe pod wordpress-1-kh4m8
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled <unknown> default-scheduler Successfully assigned yapei-1/wordpress-1-kh4m8 to ip-10-0-134-11.us-east-2.compute.internal
Warning Failed 6m53s (x6 over 8m7s) kubelet, ip-10-0-134-11.us-east-2.compute.internal Error: ImagePullBackOff
Normal Pulling 6m40s (x4 over 8m8s) kubelet, ip-10-0-134-11.us-east-2.compute.internal Pulling image "yapei/wordpress@sha256:92f7a99d237efd588d8e4ddc11e938049ce38816084e35a31a42e8c3cd98a940"
Warning Failed 6m39s (x4 over 8m7s) kubelet, ip-10-0-134-11.us-east-2.compute.internal Failed to pull image "yapei/wordpress@sha256:92f7a99d237efd588d8e4ddc11e938049ce38816084e35a31a42e8c3cd98a940": rpc error: code = Unknown desc = Error reading manifest sha256:92f7a99d237efd588d8e4ddc11e938049ce38816084e35a31a42e8c3cd98a940 in docker.io/yapei/wordpress: errors:
denied: requested access to the resource is denied
unauthorized: authentication required
Warning Failed 6m39s (x4 over 8m7s) kubelet, ip-10-0-134-11.us-east-2.compute.internal Error: ErrImagePull
Normal BackOff 3m5s (x21 over 8m7s) kubelet, ip-10-0-134-11.us-east-2.compute.internal Back-off pulling image "yapei/wordpress@sha256:92f7a99d237efd588d8e4ddc11e938049ce38816084e35a31a42e8c3cd98a940"
This issue is reproduced on 4.4.0-0.nightly-2020-02-05-220946
Verified on 4.3.0-0.nightly-2020-02-27-225047
After creating and adding a secret "imagepullsec" to the default SA:
xiaocwan ~$ oc describe sa default
Image pull secrets: default-dockercfg-ndk5x
Mountable secrets: default-token-w2c2m
Then deploy image by DC (or Deployment), it'll use "Image pull secrets" correctly for pods and containers
- name: default-dockercfg-ndk5x
- name: imagepullsec
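The check the comments above perform by eye with "oc describe sa default", as an added example that is not part of the original bug report or the console's code: it lists registry-credential secrets in a namespace that the service account does not reference under imagePullSecrets. The function names and the sample objects are assumptions constructed from the names shown in this thread; the live mode assumes a logged-in oc session.

```python
import json
import subprocess

# Secret types that carry registry credentials.
PULL_TYPES = {"kubernetes.io/dockerconfigjson", "kubernetes.io/dockercfg"}


def unlinked_pull_secrets(secrets, service_account):
    """Names of registry-credential secrets the SA will not use for pulls."""
    linked = {ref["name"] for ref in service_account.get("imagePullSecrets") or []}
    return sorted(
        s["metadata"]["name"]
        for s in secrets.get("items", [])
        if s.get("type") in PULL_TYPES and s["metadata"]["name"] not in linked
    )


def fetch(namespace, sa="default"):
    """Live mode (hypothetical helper): read both objects as JSON with oc."""
    def get(*args):
        cmd = ["oc", "get", *args, "-n", namespace, "-o", "json"]
        out = subprocess.run(cmd, check=True, capture_output=True, text=True)
        return json.loads(out.stdout)
    return get("secrets"), get("sa", sa)


# Constructed sample mirroring the yapei-1 namespace from the reproduction.
SAMPLE_SECRETS = {"items": [
    {"metadata": {"name": "yapei-dp"}, "type": "kubernetes.io/dockerconfigjson"},
    {"metadata": {"name": "default-dockercfg-wfs66"}, "type": "kubernetes.io/dockercfg"},
    {"metadata": {"name": "default-token-p5kvs"},
     "type": "kubernetes.io/service-account-token"},
]}
SA_BEFORE_FIX = {
    "metadata": {"name": "default"},
    "imagePullSecrets": [{"name": "default-dockercfg-wfs66"}],
}
# State after the manual remedy: oc secrets link default yapei-dp --for=pull
SA_AFTER_LINK = {
    "metadata": {"name": "default"},
    "imagePullSecrets": [{"name": "default-dockercfg-wfs66"}, {"name": "yapei-dp"}],
}

if __name__ == "__main__":
    for label, sa in (("before", SA_BEFORE_FIX), ("after", SA_AFTER_LINK)):
        print(label, unlinked_pull_secrets(SAMPLE_SECRETS, sa))
```

A non-empty result means pods running under that service account will pull without those credentials unless their spec names the secret explicitly.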
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.