All container images available through the Red Hat Container Catalog are hosted
on an image registry,
registry.access.redhat.com. With OKD 3.11
Red Hat Container Catalog moved from
The new registry,
registry.redhat.io, requires authentication for access to
images and hosted content on OKD. Following the move to the new
registry, the existing registry will be available for a period of time.
OKD pulls images from
The new registry uses standard OAuth mechanisms for authentication, with the following methods:
Authentication token. Tokens, which are generated by administrators, are service accounts that give systems the ability to authenticate against the container image registry. Service accounts are not affected by changes in user accounts, so the token authentication method is reliable and resilient. This is the only supported authentication option for production clusters.
Web username and password. This is the standard set of credentials you use
to log in to resources such as
While it is possible to use this authentication method with OKD, it is not supported for
production deployments. Restrict this authentication method to
stand-alone projects outside OKD.
You can use
docker login with your credentials, either username and password
or authentication token, to access content on the new registry.
All image streams point to the new registry. Because the new registry requires
authentication for access, there is a new secret in the OpenShift namespace
You must place your credentials in two places:
OpenShift namespace. Your credentials must exist in the OpenShift namespace so that the image streams in the OpenShift namespace can import.
Your host. Your credentials must exist on your host because Kubernetes uses the credentials from your host when it goes to pull images.
To access the new registry:
Verify image import secret,
imagestreamsecret, is in your OpenShift
namespace. That secret has credentials that allow you to access
the new registry.
Verify all of your cluster nodes have a
copied from master, that allows you to access the Red Hat registry.
If you are a Red Hat customer with entitlements to Red Hat products, you have an account with applicable user credentials. These are the username and password that you use to log in to the Red Hat Customer Portal.
If you do not have an account, you can acquire one for free by registering for one of the following options:
You must create tokens if your organization manages shared accounts. Administrators can create, view, and delete all tokens associated with an organization.
To create a token in order complete a
Log in with your Red Hat Network (RHN) username and password.
Accept terms when prompted.
If you are not immediately prompted to accept terms, you will be prompted when proceeding with the following steps.
From the Registry Service Accounts page, click Create Service Account
Provide a name for the service account. It will be prepended with a random string.
Enter a description.
Navigate back to your Service Accounts.
Click the Service Account you created.
Copy the username, including the prepended string.
Copy the token.
You can also manage registry credentials during installation or upgrade using the Ansible installer.
This will set up the following:
imagestreamsecret in your OpenShift namespace.
Credentials on all nodes.
Service account token
To manage registry credentials during installation or upgrade using the Ansible installer:
During installation or upgrade, specify the
variables in your installer inventory.
If you have created a token, set
Clusters that require access to additional authenticated registries can configure
a list of registries by setting
Each registry requires a host and password value, you can specify a username by
setting user. By default the credentials specified are validated by attempting
to inspect the image
openshift3/ose-pod on the specified registry.
To specify an alternate image, either:
Disable credential validation by setting
test_login to False.
If the registry is insecure, set
tls_verify to False.
All credentials in this list will have an
in the OpenShift namespace and credentials deployed to all nodes.
Once you have created your service accounts and generated tokens for the Red Hat Registry, you can perform additional tasks.
This section provides the manual steps, which can be automatically performed during installation by providing the inventory variables outlined in the Managing Registry Credentials for Installation and Upgrade section.
Service account token
From your Registry Service Accounts page, click on your account name. From there, you can perform the following tasks:
From the Token Information tab, you can view your username (the name you provided prepended with a random string) and password (token). From this tab, you can regenerate your token.
From the OpenShift Secret tab, you can:
Download the secret by clicking the link in the tab.
Submit the secret to the cluster:
# oc create -f <account-name>-secret.yml --namespace=openshift
Update your Kubernetes configuration by adding a reference to the secret to
your Kubernetes pod configuration with an
imagePullSecrets field, for example:
apiVersion: v1 kind: Pod metadata: name: somepod namespace: all spec: containers: - name: web image: registry.redhat.io/REPONAME imagePullSecrets: - name: <numerical-string-account-name>-pull-secret
From the Docker Login tab, you can run
docker login. For example:
# docker login -u='<numerical-string|account-name>' -p=<token>
After you successfully log in, copy
/var/lib/origin/.docker/config.json and restart the node.
# cp -r ~/.docker /var/lib/origin/ systemctl restart atomic-openshift-node
From the Docker Configuration tab, you can:
Download the credentials configuration by clicking the link in the tab.
Write the configuration to the disk by placing the file in the Docker configuration directory. This will overwrite existing credentials. For example:
# mv <account-name>-auth.json ~/.docker/config.json