A Word about OpenShift ImageStreams

There is often some confusion about the ImageStream resource on OpenShift. Many people will create an ImageStream with hopes of pulling an image into their internal registry. They may use this command to create an ImageStream for nexus-repository-manager from the Red Hat Container Catalog:

oc import-image my-sonatype/nexus-repository-manager --from=registry.connect.redhat.com/sonatype/nexus-repository-manager --confirm

This command, however, does not actually pull the image into the registry. Instead, it copies image metadata and defines the location of the nexus-repository-manager image. It sets the ImageStream’s referencePolicy to Source, meaning this image will be pulled from its original location when it is referenced in a DeploymentConfig, bypassing the cluster’s internal registry.

Follow one of these methods to pull or push an image into the registry.

ReferencePolicy: Local

By default, an ImageStream or import-image command will set the referencePolicy to Source. Add the --reference-policy=local option to an import-image command to set the referencePolicy to Local, or add the referencePolicy setting to the ImageStream YAML:

apiVersion: v1
kind: ImageStream
metadata:
  ...
spec:
  tags:
    - ...
      referencePolicy:
        type: Local

When this ImageStream is referenced in a DeploymentConfig, OpenShift will enable a feature called Image Pullthrough. In this case, the image is pulled into the internal registry, and the DeploymentConfig will reference the internal registry when it deploys the image. Compare this with the Source referencePolicy, in which the image is not pulled into the internal registry, and the DeploymentConfig will reference the external registry noted on the ImageStream instead of an image local to the cluster.
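To see which tags in a cluster still resolve straight to an external registry, the following added example (not code from the original article) reads the JSON produced by `oc get imagestreams -o json` and lists every external tag whose effective referencePolicy is Source. The function names, the `demo` namespace and the `registry.example.com` entries are constructed for illustration, and a tag with no referencePolicy is treated as Source, matching the default described above.

```python
import json
import sys
from pathlib import Path

# Constructed sample in the shape of `oc get imagestreams -o json`; only the
# nexus-repository-manager source comes from the article, the rest is made up.
SAMPLE = {"items": [
    {"metadata": {"namespace": "demo", "name": "nexus-repository-manager"},
     "spec": {"tags": [
         {"name": "latest",
          "from": {"kind": "DockerImage",
                   "name": "registry.connect.redhat.com/sonatype/nexus-repository-manager"},
          "referencePolicy": {"type": "Source"}}]}},
    {"metadata": {"namespace": "demo", "name": "example-app"},
     "spec": {"tags": [
         {"name": "1.0",
          "from": {"kind": "DockerImage", "name": "registry.example.com/team/example-app:1.0"},
          "referencePolicy": {"type": "Local"}},
         {"name": "edge",  # no referencePolicy: treated as the default, Source
          "from": {"kind": "DockerImage", "name": "registry.example.com/team/example-app:edge"}},
         {"name": "stable",  # tracks another tag, not an external registry
          "from": {"kind": "ImageStreamTag", "name": "example-app:1.0"}}]}},
]}


def external_tags(doc):
    """List every tag that points at an external image, with its effective policy."""
    found = []
    for stream in doc.get("items", [doc]):  # accept a List or a single ImageStream
        meta = stream.get("metadata", {})
        for tag in stream.get("spec", {}).get("tags") or []:
            src = tag.get("from") or {}
            if src.get("kind") != "DockerImage":
                continue
            policy = (tag.get("referencePolicy") or {}).get("type") or "Source"
            found.append({"tag": f'{meta.get("namespace")}/{meta.get("name")}:{tag.get("name")}',
                          "source": src.get("name"), "policy": policy})
    return found


def bypassing_internal_registry(doc):
    """Tags whose pulls go straight to the external registry (policy Source)."""
    return [t for t in external_tags(doc) if t["policy"] == "Source"]


if __name__ == "__main__":
    doc = json.loads(Path(sys.argv[1]).read_text()) if len(sys.argv) > 1 else SAMPLE
    for t in bypassing_internal_registry(doc):
        print(f'{t["tag"]} pulls from {t["source"]} (referencePolicy: Source)')
```

Run it with a path to saved `oc get imagestreams -o json` output to audit real streams; with no argument it reports on the constructed sample.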

Docker Push/Skopeo Copy

You can also push an image into the internal registry using a Docker push or a Skopeo copy. In this case, an ImageStream will be created automatically that points to the pushed image in the cluster. When a DeploymentConfig references that ImageStream, it will use that local image. See this article for more detail on how to push an image into the internal registry.

Hopefully this helped to dispel some confusion about OpenShift ImageStreams.

Austin Dewey

Austin Dewey is a DevOps engineer focused on delivering a streamlined developer experience on cloud and container technologies. Austin started his career with Red Hat’s consulting organization, where he helped drive success at many different Fortune 500 companies by automating deployments on Red Hat’s Kubernetes-based PaaS, OpenShift Container Platform. Currently, Austin works at fintech startup Prime Trust, building automation to scale financial infrastructure and support developers on Kubernetes and AWS. Austin is the author of "Learn Helm", a book focused on packaging and delivering applications to Kubernetes, and he enjoys writing about open source technologies at his blog in his free time, austindewey.com.
