Description of problem: As stated on this comment [1] and described by myself on this KCS article [2], on a cluster with ImageContentSourcePolicy [3] set, only global pull secrets [4] can be created. They cannot be added into a project [5]. Steps to Reproduce: 1. Configure ImageContentSourcePolicy in a cluster. 2. Add a pull secret into a project by linking it to its "default" service account. 3. Inside the project, try to pull images from the registry related to the new pull secret. Actual results: - ImagePullBackOff error. Expected results: - The images are pulled correctly If this is considered a normal behaviour, please kindly move this bug to Documentation because I think this should be explained. In that case, Documentation Team could use my KCS article as a reference. [1] https://github.com/openshift/openshift-docs/issues/19440 [2] https://access.redhat.com/solutions/5499981 [3] https://docs.openshift.com/container-platform/4.4/openshift_images/image-configuration.html#images-configuration-registry-mirror_image-configuration [4] https://docs.openshift.com/container-platform/4.4/openshift_images/managing_images/using-image-pull-secrets.html#images-update-global-pull-secret_using-image-pull-secrets [5] https://docs.openshift.com/container-platform/4.4/openshift_images/managing_images/using-image-pull-secrets.html#images-allow-pods-to-reference-images-from-secure-registries_using-image-pull-secrets
Hi Lucas, Just to clarify, where are you pulling the image from? Is it from one of the mirrors your configured via ICSP, or is it from the original location that you are mirroring? If it is from one of the mirrors, only the global pull secret will work.
Hi, Urvashi. The user affected has confirmed that, indeed, they were using mirrors via ICSP.
Thanks for confirming that Lucas. In that case, this is not a bug. It just needs to be documented better, so moving over to the docs team.
Urvashi and Lucas -- I added a note to several places in the docs. Please take a look. Is the note OK and do we need it in all of the locations in the docs? Are there any others? Note: In a cluster with an `ImageContentSourcePolicy` object, only global pull secrets can be configured for mirrored registries. You cannot add a pull secret to a project. https://github.com/openshift/openshift-docs/pull/31968 Thank you! Michael
Hi, Michael. I find it fine. You can also add the following links as a reference: https://docs.openshift.com/container-platform/latest/rest_api/operator_apis/imagecontentsourcepolicy-operator-openshift-io-v1alpha1.html https://docs.openshift.com/container-platform/latest/openshift_images/image-configuration.html#images-configuration-registry-mirror_image-configuration
Lucas -- Thanks for the review. I added the note to https://docs.openshift.com/container-platform/latest/openshift_images/image-configuration.html#images-configuration-registry-mirror_image-configuration. However, I believe the API docs are automatically generated and we cannot edit them after they are created. I am looking into how to do this. Thanks! Michael
QE LGTM in the PR: https://github.com/openshift/openshift-docs/pull/31968#issuecomment-832391948
Change are live: https://docs.openshift.com/container-platform/4.7/openshift_images/image-configuration.html#images-configuration-registry-mirror_image-configuration