I find the OpenShift ImageStream concept extremely difficult to understand. OpenShift introduces one more abstract layer (compared to Kubernetes) to ensure:
However, if the image stream tag used by the Deployment or Build is not updated, then even if the Docker image in the Docker registry is updated, the Build or Deployment will continue using the previous (presumably known good) image.
I don't quite understand how this can be achieved. I read through ImageStream, ImageStreamTag and ImageStreamImage; they are just pointers (or metadata) pointing to an external image. They don't contain the actual image.
I can confirm that, after I created an ImageStream (which gets its image from Docker Hub), the image is not pushed to the OpenShift default registry docker-registry.default.svc:5000; I inspected inside but couldn't find it. The reverse does hold: if I push the image to the default registry, the ImageStream is created automatically.
Let's look at the example below:
myImageStream:latest -> docker.hub/myNameSpace/myimage:latest (SHA-1234)
If I push a new image to the docker.hub latest tag with SHA-5678, and if I didn't set the ImageStream as --scheduled, that means my pod will always use the image SHA-1234.
Let's say a new pod is spun up on another worker node: since the worker node doesn't have the image SHA-1234, it will start a fresh pull from docker.hub, and it will get SHA-5678.
This violates the so-called "known good image", and it is even worse because two different versions of the image are running. I am totally confused about this. Can anyone give further explanation of how OpenShift ImageStream works?