I am using OpenShift 4.11. I have configured an ImageStream like so:
```yaml
kind: ImageStream
apiVersion: image.openshift.io/v1
metadata:
  name: my-image
spec:
  lookupPolicy:
    local: true
  tags:
    - name: latest
      annotations: null
      from:
        kind: DockerImage
        name: 'my.repository.local/my-image:latest'
      importPolicy:
        scheduled: true
      referencePolicy:
        type: Source
```
I reference this image as "my-image:latest" in the image: property of a DeploymentConfig container template:
```yaml
kind: DeploymentConfig
apiVersion: apps.openshift.io/v1
metadata:
  name: some-app
spec:
  strategy:
    type: Rolling
    # ...
  triggers:
    - type: ConfigChange
    # The API name for the image trigger type is ImageChange
    - type: ImageChange
      imageChangeParams:
        automatic: true
        containerNames:
          - some-app
        from:
          kind: ImageStreamTag
          name: my-image:latest
  replicas: 2
  selector:
    app: some-app
  template:
    metadata:
      labels:
        app: some-app
    spec:
      containers:
        - imagePullPolicy: Always
          image: my-image:latest
          # (image pull secret, resource limits etc. omitted)
```
The unqualified image name is problematic. If I forget to create the image stream first, OpenShift will try to download the image from the default registry, which in my case is Docker Hub. Not only does Docker Hub then get an API call exposing the company-internal image name, but also there is a risk that the image actually exists there, and we run code we didn't intend to.
Is there a way to force OpenShift to either take an image in a DeploymentConfig from an Image Stream, or not try resolving it at all?
I cannot disable access to Docker Hub globally (other projects need it), but if this is something I can configure per namespace, that would work, too.
I tried setting the image name to empty (not allowed) or a nonexisting image name from the internal registry, hoping that the ImageTrigger would replace the reference, but that only happens when the tag is updated in the stream, not if it already exists.
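A pre-deployment check for the fallback described in this question, as an added example that is not part of the original post: it flags DeploymentConfig containers whose image has no registry host and no ImageStream tag with `lookupPolicy.local: true` in the same manifest set. It is a static check and does not change how the cluster resolves names. The function names are hypothetical, the manifests are assumed to be already parsed into dicts, and streams that exist only in the cluster are not seen.

```python
"""Flag DeploymentConfig containers whose image name would fall through to the
default registry because no local-lookup ImageStream tag backs it."""

def is_unqualified(image):
    """True if the reference has no registry host (container reference rule: the
    first path component is a host only if it has '.', ':' or is 'localhost')."""
    first, sep, _ = image.partition("/")
    return not (sep and ("." in first or ":" in first or first == "localhost"))

def split_tag(image):
    """Split 'name[:tag]' into (name, tag); a missing tag means 'latest'."""
    if "@" in image:
        return image, None  # digest reference: never matches a stream tag here
    name, _, tag = image.partition(":")
    return name, tag or "latest"

def local_tags(manifests):
    """(namespace, name, tag) for each tag of a stream with lookupPolicy.local."""
    found = set()
    for m in manifests:
        spec = m.get("spec", {})
        if m.get("kind") == "ImageStream" and spec.get("lookupPolicy", {}).get("local"):
            meta = m["metadata"]
            for t in spec.get("tags", []):
                found.add((meta.get("namespace", ""), meta["name"], t["name"]))
    return found

def unbacked_images(manifests):
    """Return (workload, container, image) for each unqualified, unbacked image."""
    backed = local_tags(manifests)
    findings = []
    for m in manifests:
        if m.get("kind") != "DeploymentConfig":
            continue
        meta = m["metadata"]
        for c in m["spec"]["template"]["spec"]["containers"]:
            image = c.get("image", "")
            key = (meta.get("namespace", ""), *split_tag(image))
            if is_unqualified(image) and key not in backed:
                findings.append((meta["name"], c.get("name", ""), image))
    return findings

# Constructed sample manifests, trimmed from the question's YAML to the fields read above.
IMAGE_STREAM = {"kind": "ImageStream", "metadata": {"name": "my-image"},
                "spec": {"lookupPolicy": {"local": True}, "tags": [{"name": "latest"}]}}
DEPLOYMENT = {"kind": "DeploymentConfig", "metadata": {"name": "some-app"},
              "spec": {"template": {"spec": {"containers": [
                  {"name": "some-app", "image": "my-image:latest"}]}}}}

if __name__ == "__main__":
    print(unbacked_images([DEPLOYMENT]))                # stream missing: flagged
    print(unbacked_images([IMAGE_STREAM, DEPLOYMENT]))  # stream present: no findings
```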