How to share images in a project across all projects in OCPv4
Environment
- Red Hat OpenShift Container Platform
- 4.x
- Red Hat OpenShift Service on AWS
Issue
- You want to share the images in your own project across all projects and all users, like the images in the "openshift" project.
Resolution
- To access images in your own project from all projects, grant all users, including the default service accounts, permission to get and pull images in that project, as follows. The built-in system:authenticated group is ready for that use case; refer to Group for more details.
# Because the built-in "system:authenticated" group is not shown as a usual group, a "Warning" message is printed.
# You can ignore the warning message; the command works regardless.
# At this point, you can pull all the images from "your-own-project"
# using "oc new-app --images=xxxx" without additional permission to get images in "your-own-project".
$ oc adm policy add-role-to-group system:image-puller system:authenticated --namespace=your-own-project
Warning: Group 'system:authenticated' not found
clusterrole.rbac.authorization.k8s.io/system:image-puller added: "system:authenticated"
# If you want to pull the images in a project using the web console (in Developer mode),
# you need to grant an additional permission to get images from that project
# so that the images are listed in the drop-down on the wizard page.
$ oc adm policy add-role-to-group view system:authenticated --namespace=your-own-project
- Basically, this is the same as Allowing pods to reference images across projects.
- In the web console in Developer mode, if you select an image in a project other than "openshift", warning messages about granting system:image-puller, with the related command line, are always shown regardless of the actual permissions.
  - You can ignore these warning messages on the wizard page of the web console; they do not affect pulling images.
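A check on the result, as an added example that is not part of the original solution: the Python below reads the output of `oc get rolebindings -n your-own-project -o json` and reports every role bound to a cluster-wide built-in group, so you can confirm that system:authenticated holds only the two roles granted above. The sample input, the binding names and the status labels are constructed for illustration.

```python
import json

# Roles this page grants to system:authenticated in the shared project.
# Note: "view" lets every authenticated user read most objects there (not Secrets).
EXPECTED_ROLES = {"system:image-puller", "view"}
# Built-in groups that cover every logged-in (or every anonymous) user.
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated"}

def _rb(name, role, kind, subject):
    """Build one constructed RoleBinding in the shape `oc get ... -o json` returns."""
    return {"metadata": {"name": name, "namespace": "your-own-project"},
            "roleRef": {"kind": "ClusterRole", "name": role},
            "subjects": [{"kind": kind, "name": subject}]}

# Constructed sample (not real cluster output); binding names are made up.
SAMPLE = json.dumps({"items": [
    _rb("system:image-puller", "system:image-puller", "Group", "system:authenticated"),
    _rb("view", "view", "Group", "system:authenticated"),
    _rb("edit-0", "edit", "Group", "system:authenticated"),  # over-broad grant
    _rb("system:image-pullers", "system:image-puller", "Group",
        "system:serviceaccounts:your-own-project"),  # project-local, ignored
    _rb("admin", "admin", "User", "alice"),  # not a group, ignored
]})

def audit_bindings(rolebindings_json, expected=EXPECTED_ROLES):
    """Return (group, role, binding, status) for each grant to a cluster-wide group."""
    findings = []
    for rb in json.loads(rolebindings_json).get("items", []):
        role = rb.get("roleRef", {}).get("name", "")
        for subj in rb.get("subjects") or []:  # subjects may be null or absent
            if subj.get("kind") != "Group" or subj.get("name") not in BROAD_GROUPS:
                continue
            if subj["name"] == "system:unauthenticated":
                status = "anonymous-access"
            elif role in expected:
                status = "expected"
            else:
                status = "unexpected-role"
            findings.append((subj["name"], role, rb["metadata"]["name"], status))
    return findings

if __name__ == "__main__":
    for finding in audit_bindings(SAMPLE):
        print("\t".join(finding))
```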
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.