Bug 1889413 - Only global pull secrets can be configured in clusters where ImageContentSourcePolicy is set
Summary: Only global pull secrets can be configured in clusters where ImageContentSour...
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Documentation
Version: 4.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.7.0
Assignee: Michael Burke
QA Contact: Xiaoli Tian
Vikram Goyal
Depends On:
TreeView+ depends on / blocked
Reported: 2020-10-19 15:45 UTC by Lucas López Montero
Modified: 2020-11-05 14:26 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed:
Target Upstream Version:

Attachments (Terms of Use)

Description Lucas López Montero 2020-10-19 15:45:24 UTC
Description of problem:

As stated on this comment [1] and described by myself on this KCS article [2], on a cluster with ImageContentSourcePolicy [3] set, only global pull secrets [4] can be created. They cannot be added into a project [5].

Steps to Reproduce:

1. Configure ImageContentSourcePolicy in a cluster.
2. Add a pull secret into a project by linking it to its "default" service account.
3. Inside the project, try to pull images from the registry related to the new pull secret.

Actual results:

- ImagePullBackOff error.

Expected results:

- The images are pulled correctly

If this is considered a normal behaviour, please kindly move this bug to Documentation because I think this should be explained. In that case, Documentation Team could use my KCS article as a reference.

[1] https://github.com/openshift/openshift-docs/issues/19440
[2] https://access.redhat.com/solutions/5499981
[3] https://docs.openshift.com/container-platform/4.4/openshift_images/image-configuration.html#images-configuration-registry-mirror_image-configuration
[4] https://docs.openshift.com/container-platform/4.4/openshift_images/managing_images/using-image-pull-secrets.html#images-update-global-pull-secret_using-image-pull-secrets
[5] https://docs.openshift.com/container-platform/4.4/openshift_images/managing_images/using-image-pull-secrets.html#images-allow-pods-to-reference-images-from-secure-registries_using-image-pull-secrets

Comment 1 Urvashi Mohnani 2020-10-23 14:24:40 UTC
Hi Lucas,

Just to clarify, where are you pulling the image from? Is it from one of the mirrors your configured via ICSP, or is it from the original location that you are mirroring?

If it is from one of the mirrors, only the global pull secret will work.

Comment 2 Lucas López Montero 2020-11-05 12:42:34 UTC
Hi, Urvashi.

The user affected has confirmed that, indeed, they were using mirrors via ICSP.

Comment 3 Urvashi Mohnani 2020-11-05 14:26:22 UTC
Thanks for confirming that Lucas. In that case, this is not a bug. It just needs to be documented better, so moving over to the docs team.

Note You need to log in before you can comment on or make changes to this bug.