Description of problem: When global pull secret is updated, openshift-apiserver pod do not reflect it, resulting in 'oc import-image' command to fail. How reproducible: always according to my test on OCP4.7 and 4.8. Steps to Reproduce: 1. Your pull secret should have been changed. 2. Update the global pull secret on your cluster with current one according to doc[1]. 3. Once applied to the cluster, check the global pull secret and one that is mounted by openshift-apiserver pods. $ oc get secret pull-secret -n openshift-config --template='{{index .data ".dockerconfigjson" | base64decode}}' | jq '.auths."registry.redhat.io".auth' > global-pullsecret $ oc -n openshift-apiserver rsh apiserver-XXXXnnnn-xxxx cat /var/lib/kubelet/config.json | jq '.auths."registry.redhat.io".auth' > apipod-pullsecret $ diff global-pullsecret apipod-pullsecret Actual results: openshift-apiserver pods still have old pull secret. Expected results: openshift-apiserver pods should have the updated pull secret mounted. Additional info: To workaround it, delete apiserver deployment to recreate the pods. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ $ oc -n openshift-apiserver delete deployment apiserver ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ [1]https://docs.openshift.com/container-platform/4.8/openshift_images/managing_images/using-image-pull-secrets.html#images-update-global-pull-secret_using-image-pull-secrets
Moving to image registry. They own the configuration of the OpenShift components to use the pull secret.
*** This bug has been marked as a duplicate of bug 1984592 ***