Red Hat OpenShift Image Streams

Image streams are an Redhat Openshift specific resource that can be used to reference a container image by using an intermediate name that points to an image from a container registry. Kubernetes resources reference container images directly, but OpenShift resources, such as deployment configurations and build configurations, can also reference image streams.

An image stream is a collection of related image stream tags. To use an image stream, you reference an image stream tag. This is similar to a container image in an image registry. But, unlike tags in an image registry, image stream tags point to the same image even if the original container image tag gets updated.
Image streams have the following benefits:

• They provide a level of indirection to the container image that OpenShift runs.
• They allow for rolling back to a previous container version without updating the image registry.
• They enable build and deployment automations when an image stream tag gets updated.
• They enable the caching of images from external image registries.
• You can use role-based access control (RBAC) on the image stream object to secure access to container images.

Image Names, Tags, and IDs

Image names are strings that reference a container image in an image registry. That name reference is not tied to the image contents and the same name reference can later point to a new version of a container image.

An image stream represents one or more sets of container images. Each set, or stream, is identified by an image stream tag, which contains a historic list of the container images that the image stream tag referenced along with the container image in use. Unlike container images in a registry, image stream tags can reference container images from different registries and repositories.

An image ID uniquely identifies an immutable container image by using a SHA-256 hash. Remember that you cannot modify a container image. Instead, a new container image is created and given a new ID. When you push a new container image to a registry, the server associates the existing textual name with the new image ID.

When you start a container from an image name, the currently associated image is downloaded. The actual image ID and layers behind that name can change at any moment, so the next container that you create might use a different underlying image. You cannot easily revert to an DO288-OCP4.14-en-3–20240725 128 Chapter 3 | Building and Publishing Container Images earlier image if you only know the image name. Image stream tags keep a history of the image IDs fetched from registries, which eases rolling back to previous versions of an image.

Managing Image Streams and Tags:

• An image stream tag keeps track of its last-fetched image IDs.
• By using image stream tags, OpenShift ensures that all pods use exactly the same image.
• Build configurations in the cluster automatically update the image stream tag defined as their output image.
• If the resources that use that image stream tag have a trigger which reacts the tag being updated, then the cluster automatically updates those resources with the new image.

To create an image stream tag resource for an image from an external registry, use the oc import-image command. Use the — from option to specify the source for the image. If you do not specify a tag name, then the latest tag is used by default. The tag name for the image stream tag can be different from the container image tag on the source registry server. For example, the following command imports a my-app-stream container image from an external container registry and periodically checks for updates.

$ oc import-image myimagestream --confirm --scheduled=true -from example.com/example-repo/my-app-image