The image pull secret in the namespace is not used when using an ImageContentSourcePolicy in OpenShift 4

Solution Verified

Issue

  • When using an ImageContentSourcePolicy, the pull secret defined in the namespace is not used. Why is that?
  • Can pull secrets for mirrored secure registries be configured in a project when ImageContentSourcePolicy is set in a cluster?
  • Using an ImageContentSourcePolicy like the following, the correct image pull secret configured in a project is not used to pull the image:

    apiVersion: operator.openshift.io/v1alpha1
    kind: ImageContentSourcePolicy
    metadata:
      name: secured-registry-example
    spec:
      repositoryDigestMirrors:
      - mirrors:
        - secured-registry.example.com/another-project
        source: registry.example.com/some-project
    
  • Pulling an image from a private image registry fails with "unauthorized: authentication required" when an ImageContentSourcePolicy is used and the pull secret for the registry is in the project.

Environment

  • Red Hat OpenShift Container Platform (RHOCP)
    • 4
  • ImageContentSourcePolicy (IDMS)
