Image Policy is not working as expected
Environment
OpenShift Container Platform
- 3.5
- 3.6
Issue
If the Image Policy example from the documentation is followed, the test commands given in that doc work as expected. However, apart from those commands, no pods can be deployed from the default templates; they fail with the following error message:
Failed create | Error creating: Pod "" is invalid: spec.containers[0].image: Forbidden: this image is prohibited by policy
Resolution
1. Add the registry prefix (registry.access.redhat.com) to the OpenShift component images:
vi master-config.yaml
....
imageConfig:
  format: registry.access.redhat.com/openshift3/ose-${component}:${version}
.....
2. Add the following registries under matchRegistries: registry.access.redhat.com and the integrated docker registry service IP (172.30.x.x:5000):
vi master-config.yaml
...
...
- name: allow-images-from-dockerhub
  onResources:
  - resource: pods
  - resource: builds
  matchRegistries:
  - docker.io
  - registry.access.redhat.com
  - $INTEGRATED_DOCKER_REGISTRY_SVC_IP:5000
...
...
Root Cause
There are two issues:
1. OpenShift Container Platform does not specify registry.access.redhat.com for the OpenShift component images.
The Image Policy plugin checks the registry part of each image reference, and only images from the registries listed as allowed can be used. Therefore, the OpenShift component images need the registry prefix (registry.access.redhat.com), and that registry also has to be added to matchRegistries for the images to be allowed.
2. Image Policy blocks the image used by a DeploymentConfig (DC) from an ImageStream, because resolving the image through the ImageStream results in an image name that is represented by a digest ('ID').
>> This is a reported upstream issue and the fix is included in 3.6.1. As a workaround, adding the integrated docker registry service IP under matchRegistries solves the issue.
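The following dry-run checker, added here as an example and not Red Hat's or OpenShift's own code, shows why the two root causes above trigger the "prohibited by policy" error and why the two resolution steps clear it. It is a deliberate simplification of the ImagePolicy plugin: the registry part of each image reference (split off using Docker's rule that the first path component is a registry only if it contains a '.' or ':' or is 'localhost') must appear verbatim in matchRegistries, so a reference with no registry prefix matches nothing. SERVICE_IP and the sample image list are constructed values.

```python
import re

SERVICE_IP = "172.30.45.67"  # constructed sample integrated registry service IP

# matchRegistries as in the documented example (before) and after the fix
BEFORE = ["docker.io"]
AFTER = ["docker.io", "registry.access.redhat.com", SERVICE_IP + ":5000"]


def parse_reference(image):
    """Split an image reference into (registry, name, tag_or_digest).

    A ':' after the last '/' is a tag; a ':' before it is a registry port.
    Registry is empty when the first path component is not a host (simplified
    model of the plugin, see lead-in).
    """
    name, _, digest = image.partition("@")
    tag = ""
    if ":" in name.rsplit("/", 1)[-1]:
        name, _, tag = name.rpartition(":")
    first, sep, rest = name.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first, rest, digest or tag
    return "", name, digest or tag


def check_images(images, match_registries):
    """Return {image: 'allowed' | 'forbidden'} for the given matchRegistries."""
    result = {}
    for image in images:
        registry, _, _ = parse_reference(image)
        result[image] = "allowed" if registry in match_registries else "forbidden"
    return result


# constructed sample of image references a cluster might try to run
SAMPLE_IMAGES = [
    "openshift3/ose-deployer:v3.6",                              # component image, no prefix
    "registry.access.redhat.com/openshift3/ose-deployer:v3.6",  # after resolution step 1
    SERVICE_IP + ":5000/myproject/app@sha256:" + "0" * 64,       # DC image resolved from an ImageStream
    "docker.io/library/nginx:1.13",                             # Docker Hub image from the doc example
]

if __name__ == "__main__":
    for label, rules in (("before", BEFORE), ("after", AFTER)):
        print("matchRegistries " + label + ":")
        for image, verdict in check_images(SAMPLE_IMAGES, rules).items():
            print("  %-9s %s" % (verdict, image))
```

To check a real cluster, replace SAMPLE_IMAGES with the output of `oc get pods --all-namespaces -o jsonpath='{.items[*].spec.containers[*].image}'` and matchRegistries with the list from master-config.yaml.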
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.