Registry v2: Accessing the Registry
Use this page to access Registry v2 from inside the cluster, from external clients, and through the Image API.
Prerequisites
- Registry v2 is installed and available in the target cluster.
- The image namespace exists.
- The current user or service account has the required namespace permissions.
Required Namespace Permissions
Your user account or workload service account must have permissions in the namespace that owns the image repository. Ask a namespace administrator to grant the required image roles when you need cross-namespace access.
Registry v2 uses ImageStream layer authorization:
For role binding examples, see Managing Registry v2 access and cleanup.
Access the Registry from Inside the Cluster
Use the internal service address for workloads inside the cluster:
Example workload image reference:
For a custom service account, make sure it has pull permission in the image namespace. The Operator injects the managed pull secret when Registry v2 is configured to manage service account pull secrets.
Create the service account in the workload namespace:
Have a namespace administrator grant the service account pull permission in the image namespace:
Verify that the managed pull secret is injected:
Expected result:
- The command returns at least one image pull secret name.
If no pull secret is listed, ask a Registry administrator to verify that managed service account pull secrets are enabled and that the workload namespace is not ignored.
Use the service account in the workload:
Verify the rollout:
Authenticate an External OCI Client
For external access, use ac registry login to write credentials for an account that has namespace permissions:
To write credentials to a specific Docker-compatible auth file, set DOCKER_CONFIG or use --to:
If the registry uses a private CA, configure client trust before push and pull operations. Use --insecure only for an HTTP endpoint or a non-production test certificate that the client does not trust.
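After a login writes to a Docker-compatible auth file, it is worth checking what was stored and who can read it. The following is an added example, not part of the original page or the product's tooling; it assumes the standard Docker config.json layout (an "auths" map with base64 "user:secret" entries), and the registry host and credential are constructed placeholders.

```python
import base64
import json
import os
import stat
from pathlib import Path


def auth_file_path(env=None):
    """Resolve config.json the way Docker-compatible clients do."""
    env = os.environ if env is None else env
    base = env.get("DOCKER_CONFIG") or str(Path.home() / ".docker")
    return Path(base) / "config.json"


def audit_auth_file(path, registry_host):
    """Return (username, findings) for registry_host in a Docker auth file."""
    path = Path(path)
    findings = []
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & 0o077:
        findings.append(f"{path} is mode {mode:o}; restrict to 600")
    config = json.loads(path.read_text())
    entry = config.get("auths", {}).get(registry_host)
    if entry is None:
        findings.append(f"no credentials stored for {registry_host}")
        return None, findings
    token = entry.get("auth")
    if not token:
        # Empty entry: the secret lives in a credential helper, not this file.
        return None, findings
    username, _, secret = base64.b64decode(token).decode().partition(":")
    if not secret:
        findings.append(f"auth entry for {registry_host} has no secret part")
    findings.append(f"inline credential for {registry_host}: base64 is not encryption")
    return username, findings


if __name__ == "__main__":
    import tempfile
    # Constructed sample: hypothetical host and throwaway credential.
    host = "registry.example.internal"
    sample = {"auths": {host: {"auth": base64.b64encode(b"ci-bot:not-a-real-token").decode()}}}
    with tempfile.TemporaryDirectory() as d:
        cfg = auth_file_path({"DOCKER_CONFIG": d})
        cfg.write_text(json.dumps(sample))
        cfg.chmod(0o644)
        print(audit_auth_file(cfg, host))
```

The function returns the username only and never prints the secret, so it is safe to run in CI logs.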
Push and Pull Images
Tag and push an image:
Pull by tag:
Pull by digest:
Query Image API Resources
List ImageStreams:
Show one ImageStream:
Show the current and historical digest for a tag:
Show the Image metadata for a digest:
List Registry HTTP image repositories visible to the current user: