reference-policy in image streams

This post grew out of a discussion about the --reference-policy option of oc import-image; it summarizes what I worked through.

An image stream is an OpenShift-specific resource: it refers to container images in a container registry through an intermediate name, so workloads reference the image stream tag instead of the registry location directly.

First, deploy an application from an external image so we can observe the state of the resulting imagestream.

oc new-app --name hello-ocp --image=docker.io/openshift/hello-openshift

Confirm that the Pod and ImageStream resources were created:

[root@support ~]# oc get pods,is
NAME                            READY   STATUS    RESTARTS   AGE
pod/hello-ocp-cd8888b5c-2czmw   1/1     Running   0          2m10s

NAME                                       IMAGE REPOSITORY   TAGS     UPDATED
imagestream.image.openshift.io/hello-ocp                      latest   2 minutes ago

Look at the referencePolicy the tag was created with:

[root@support ~]# oc describe is hello-ocp
Name:                   hello-ocp
Namespace:              is-test
Created:                2 minutes ago
Labels:                 app=hello-ocp
                        app.kubernetes.io/component=hello-ocp
                        app.kubernetes.io/instance=hello-ocp
Annotations:            openshift.io/generated-by=OpenShiftNewApp
                        openshift.io/image.dockerRepositoryCheck=2024-06-05T14:32:00Z
Image Repository:       <none>
Image Lookup:           local=false
Unique Images:          1
Tags:                   1

latest
  tagged from docker.io/openshift/hello-openshift

  * docker.io/openshift/hello-openshift@sha256:aaea76ff622d2f8bcb32e538e7b3cd0ef6d291953f3e7c9f556c1ba5baf47e2e
      2 minutes ago
[root@support ~]# oc get is hello-ocp -o yaml
apiVersion: image.openshift.io/v1
kind: ImageStream
metadata:
  annotations:
    openshift.io/generated-by: OpenShiftNewApp
    openshift.io/image.dockerRepositoryCheck: "2024-06-05T14:32:00Z"
  creationTimestamp: "2024-06-05T14:31:56Z"
  generation: 2
  labels:
    app: hello-ocp
    app.kubernetes.io/component: hello-ocp
    app.kubernetes.io/instance: hello-ocp
  name: hello-ocp
  namespace: is-test
  resourceVersion: "173375"
  uid: 7bf2e960-dbed-4889-9386-00c8f6eed317
spec:
  lookupPolicy:
    local: false
  tags:
  - annotations:
      openshift.io/imported-from: docker.io/openshift/hello-openshift
    from:
      kind: DockerImage
      name: docker.io/openshift/hello-openshift
    generation: 2
    importPolicy:
      importMode: Legacy
    name: latest
    referencePolicy:
      type: Source
status:
  dockerImageRepository: ""
  tags:
  - items:
    - created: "2024-06-05T14:32:00Z"
      dockerImageReference: docker.io/openshift/hello-openshift@sha256:aaea76ff622d2f8bcb32e538e7b3cd0ef6d291953f3e7c9f556c1ba5baf47e2e
      generation: 2
      image: sha256:aaea76ff622d2f8bcb32e538e7b3cd0ef6d291953f3e7c9f556c1ba5baf47e2e
    tag: latest

As you can see, the default is Source. At this point the integrated registry's storage is also empty:

[root@support ~]# oc rsh image-registry-8548787bc4-wsvvp
sh-4.4$ ls registry/
sh-4.4$

So nothing has been cached in the integrated registry: the import only recorded the image's digest in the stream's status.

Next, create another application from this image stream:

[root@support ~]# oc get is
NAME        IMAGE REPOSITORY                                                             TAGS     UPDATED
hello-ocp   default-route-openshift-image-registry.apps.ocp4.ocp.icu/is-test/hello-ocp   latest   8 minutes ago
[root@support ~]# oc new-app --name hello-2 -i hello-ocp
--> Found image 7af3297 (6 years old) in image stream "is-test/hello-ocp" under tag "latest" for "hello-ocp"


--> Creating resources ...
    deployment.apps "hello-2" created
    service "hello-2" created
--> Success
    Application is not exposed. You can expose services to the outside world by executing one or more of the commands below:
     'oc expose service/hello-2'
    Run 'oc status' to view your app.

[root@support ~]# oc get pods -o wide
NAME                        READY   STATUS    RESTARTS   AGE     IP            NODE                    NOMINATED NODE   READINESS GATES
hello-2-6d89f9f58f-k8h87    1/1     Running   0          70s     10.129.2.9    worker03.ocp4.ocp.icu   <none>           <none>
hello-ocp-cd8888b5c-t44gm   1/1     Running   0          9m44s   10.128.2.18   worker02.ocp4.ocp.icu   <none>           <none>

Both use the same image, but the pods were scheduled on different nodes, so the second pod could not reuse the first node's local image cache and had to pull the image from somewhere.
Check again whether the integrated registry now holds a cached copy:

[root@support ~]# oc project openshift-image-registry
Now using project "openshift-image-registry" on server "https://api.ocp4.ocp.icu:6443".
[root@support ~]# oc rsh image-registry-8548787bc4-wsvvp
sh-4.4$ ls registry/
sh-4.4$

Still empty. With the source policy the node pulled directly from the source registry, and nothing was cached.

Now import the image with the local reference policy:

[root@support ~]# oc import-image hello-ocp:local --from=docker.io/openshift/hello-openshift --reference-policy='local'
imagestream.image.openshift.io/hello-ocp imported

Check the integrated registry's contents:

[root@support ~]# oc rsh image-registry-8548787bc4-wsvvp
sh-4.4$ ls registry/
sh-4.4$

Also empty! Importing with the local policy does not cache anything either.

Create an application from the tag that has the local reference policy:

[root@support ~]# oc new-app --name hello-3 -i hello-ocp:local
--> Found image 7af3297 (6 years old) in image stream "is-test/hello-ocp" under tag "local" for "hello-ocp:local"


--> Creating resources ...
    deployment.apps "hello-3" created
    service "hello-3" created
--> Success
    Application is not exposed. You can expose services to the outside world by executing one or more of the commands below:
     'oc expose service/hello-3'
    Run 'oc status' to view your app.

[root@support ~]# oc get pods -o wide
NAME                        READY   STATUS    RESTARTS   AGE    IP            NODE                    NOMINATED NODE   READINESS GATES
hello-2-6d89f9f58f-k8h87    1/1     Running   0          8m3s   10.129.2.9    worker03.ocp4.ocp.icu   <none>           <none>
hello-3-5cd95fc76c-6wj7f    1/1     Running   0          31s    10.128.2.21   worker02.ocp4.ocp.icu   <none>           <none>
hello-ocp-cd8888b5c-t44gm   1/1     Running   0          16m    10.128.2.18   worker02.ocp4.ocp.icu   <none>           <none>

Check the integrated registry's contents:

[root@support ~]# oc project openshift-image-registry
Now using project "openshift-image-registry" on server "https://api.ocp4.ocp.icu:6443".
[root@support ~]# oc rsh image-registry-8548787bc4-wsvvp
sh-4.4$ ls /registry/docker/registry/v2/repositories/is-test/hello-ocp/_layers/sha256/
7af3297a3fb4487b740ed6798163f618e6eddea1ee5fa0ba340329fcae31c8f6

Now the integrated registry has cached the external image: the first pull through the registry triggered pull-through, and the blobs were mirrored into its storage.

You can also tell where a pod's image came from by looking at the pod's events (oc describe pod <name>): the Pulling/Pulled events print the exact reference the kubelet used, which is the image set on the pod's container.
With reference policy source, that reference names the source registry directly (docker.io/openshift/hello-openshift@sha256:aaea76ff622d2f8bcb32e538e7b3cd0ef6d291953f3e7c9f556c1ba5baf47e2e here), so the image comes from the source registry.
With local, the reference names the integrated registry's repository for the image stream, so the image comes through the integrated registry.

There is one exception: if a workload pulls using the image stream's integrated-registry address (the IMAGE REPOSITORY shown by oc get is) instead of the source reference, the image is also cached in the integrated registry even though the tag's reference policy is source, because that pull goes through the registry's pull-through path.

Summary:

  • The reference policy of an image stream tag defaults to source.
  • When an application is created from a tag with the source policy, the node pulls directly from the source registry, and nothing is cached in the integrated registry.
  • A tag with the local policy caches nothing at import time; the image is cached when an application created from that tag first pulls it through the integrated registry.
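To make the behaviour above checkable without reading the registry's storage, here is an added example (my code, not the post's and not OpenShift's): it applies the reference-policy rule to an image stream's JSON and reports where each tag's pull goes, runs the same check on a pod's container images (the reference its Pulling/Pulled events print), and emits an oc patch that switches external source tags to local. Assumptions: the in-cluster registry hostname image-registry.openshift-image-registry.svc:5000, the fallback to the originating reference when status.dockerImageRepository is empty, and the constructed sample stream (digest and source repository copied from the output above).

```python
"""Added example, not from the original post or from OpenShift itself.
Reads `oc get is <name> -o json` from stdin (or uses the constructed sample
when run interactively) and reports, per tag, the pull spec a Deployment made
from that tag receives and whether the pull hits the integrated registry.
"""
import json
import sys

# In-cluster address of the integrated registry (assumption: OpenShift 4 default).
INTERNAL_REGISTRY_HOSTS = ("image-registry.openshift-image-registry.svc:5000",)

# Constructed sample modelled on the post's hello-ocp stream: the Source tag
# "latest" plus the "local" tag from `oc import-image ... --reference-policy=local`.
# Digest and source repo are copied from the post; the registry path is assumed.
_DIGEST = "sha256:aaea76ff622d2f8bcb32e538e7b3cd0ef6d291953f3e7c9f556c1ba5baf47e2e"
_SOURCE = "docker.io/openshift/hello-openshift"
_EVENT = {"dockerImageReference": f"{_SOURCE}@{_DIGEST}", "image": _DIGEST}
SAMPLE_IS = {
    "metadata": {"name": "hello-ocp", "namespace": "is-test"},
    "spec": {"tags": [
        {"name": "latest", "from": {"kind": "DockerImage", "name": _SOURCE},
         "referencePolicy": {"type": "Source"}},
        {"name": "local", "from": {"kind": "DockerImage", "name": _SOURCE},
         "referencePolicy": {"type": "Local"}},
    ]},
    "status": {
        "dockerImageRepository": INTERNAL_REGISTRY_HOSTS[0] + "/is-test/hello-ocp",
        "tags": [{"tag": "latest", "items": [_EVENT]}, {"tag": "local", "items": [_EVENT]}],
    },
}

def _policy(spec_tag):
    return spec_tag.get("referencePolicy", {}).get("type", "Source")  # absent == Source

def _latest_event(stream, name):
    # status.tags[].items is newest-first: item 0 is what the tag points at now
    for t in stream.get("status", {}).get("tags", []):
        if t.get("tag") == name and t.get("items"):
            return t["items"][0]
    return None

def resolve_pull_spec(stream, name):
    """Pull spec a consumer of <stream>:<name> receives.
    Source -> the originating reference recorded at import.
    Local  -> <status.dockerImageRepository>@<digest>, i.e. pull-through via the
              integrated registry. Assumption: without a registry path or digest
              it falls back to the originating reference."""
    ev = _latest_event(stream, name)
    if ev is None:
        return None
    spec = next((t for t in stream.get("spec", {}).get("tags", []) if t.get("name") == name), {})
    repo = stream.get("status", {}).get("dockerImageRepository", "")
    if _policy(spec) == "Local" and repo and ev.get("image"):
        return f"{repo}@{ev['image']}"
    return ev.get("dockerImageReference")

def registry_host(pull_spec):
    """Registry part of a pull spec (Docker rule: the first path component is a
    registry only if it contains '.' or ':' or is 'localhost')."""
    first = pull_spec.split("/", 1)[0]
    return first if ("." in first or ":" in first or first == "localhost") else "docker.io"

def audit(stream, internal_hosts=INTERNAL_REGISTRY_HOSTS):
    """One finding per spec tag: policy, resolved pull spec, internal or not."""
    findings = []
    for t in stream.get("spec", {}).get("tags", []):
        pull = resolve_pull_spec(stream, t["name"])
        findings.append({"tag": t["name"], "policy": _policy(t), "pull_spec": pull,
                         "pulls_from_internal": registry_host(pull) in internal_hosts if pull else None})
    return findings

def json_patch_to_local(stream):
    """JSON patch for `oc patch is NAME --type=json -p '<ops>'` that sets
    referencePolicy Local on every tag imported from an external DockerImage."""
    ops = []
    for i, t in enumerate(stream.get("spec", {}).get("tags", [])):
        # ImageStreamTag/ImageStreamImage sources are already in-cluster; skip them
        if t.get("from", {}).get("kind") == "DockerImage" and _policy(t) != "Local":
            ops.append({"op": "add", "path": f"/spec/tags/{i}/referencePolicy",
                        "value": {"type": "Local"}})
    return ops

def pod_image_sources(pod, internal_hosts=INTERNAL_REGISTRY_HOSTS):
    """Same check on `oc get pod <name> -o json`: spec.containers[].image is the
    reference the kubelet pulls and the one its Pulling/Pulled events print."""
    return {c["name"]: registry_host(c["image"]) in internal_hosts
            for c in pod.get("spec", {}).get("containers", [])}

if __name__ == "__main__":
    stream = SAMPLE_IS if sys.stdin.isatty() else json.load(sys.stdin)
    for f in audit(stream):
        print(f"{f['tag']:8} {f['policy']:7} internal={f['pulls_from_internal']!s:5} {f['pull_spec']}")
    print(json.dumps(json_patch_to_local(stream)))
```

Run it against a live stream with `oc get is hello-ocp -n is-test -o json | python3 audit_is.py`, and apply the emitted patch with `oc patch is hello-ocp -n is-test --type=json -p '<ops>'`. The practical reason to prefer local for externally imported tags is that nodes then never contact the source registry themselves; the integrated registry fetches on their behalf, which is exactly the insecure-registry case the documentation quoted below describes. Note the caveat from that same documentation: a pod that names the external location directly, rather than the image stream tag, is not redirected, which is why the example checks the pod's own container image as well.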

The OpenShift documentation's explanation of the Reference Policy:

The Reference Policy allows you to specify from where resources that reference this image stream tag pulls the image. It applies to only images that you import from external registries. There are two options to choose from: Local and Source.
The Source policy instructs clients to pull directly from the source registry of the image. The integrated registry is not involved unless the image is managed by the cluster. (It is not an external image.) This is the default policy.
The Local policy instructs clients to always pull from the integrated registry. This is useful if you want to pull from external insecure registries without modifying Docker daemon settings.
This policy only affects the use of the image stream tag. Components or operations that directly reference or pull the image using its external registry location are not redirected to the internal registry.
The pull-through feature of the registry serves the remote image to the client. This feature, which is on by default, must be enabled for the local reference policy to be used. Additionally, by default, all the blobs are mirrored for faster access later.
You can set the policy in a specification of image stream tag as referencePolicy.type.

https://docs.openshift.com/container-platform/3.11/dev_guide/managing_images.html
