Openshift/K8S: Permission for access images to your Project/Namespace from another

Özgür Kolukısa
1 min readJun 22, 2022

--

Openshift and Kubernetes uses images to deploy containers for your projects. If you have a customized image and simply you want to use the same image in your another namespace or project. In this case you have two options, Either you pull image from image registry that customized image come from or pull it from another project.

You may not use first option if your Kubernetes or Openshift environment is closed to external or company policies denies it. Second option is a bit of complicated but also useful too. Also you can scriptize it for further use. Therefore, it comes!

[ozgurkkisa@workstation ~]$ oc policy add-role-to-group \
-n project-common system:image-puller \
system:serviceaccounts:project-new
clusterrole.rbac.authorization.k8s.io/system:image-puller added: "system:serviceaccounts:youruser-expose-image"

At the example above, you give image-puller access permission from project named project-common to serviceaccounts in project named project-new. By this way, Developer of project-new might use images at project-common. To perform this operation he/she can type the example command below :

[ozgurkkisa@workstation ~]$oc new-app --name info \
-i ${RHT_OCP4_DEV_USER}-common/php-info

If you want to make a script from this, just create a new file with vim or your favorite text editor, add a shebang and save it as with .sh extension :

#!/bin/bashoc policy add-role-to-group \
-n project-common system:image-puller \
system:serviceaccounts:project-new

At the end of day, your life would be a bit of easier 💪😀

Hope to soon again with new articles.

With my best wishes

--

--