๐ What ImageStream really gives you
๐ Why OpenShift uses it
๐ How itโs better (in some cases) than just pulling a normal image
๐ง First, imagine two situations:
๐ต Situation 1: Without ImageStream (Normal Kubernetes)
- You deploy an app with a direct Docker image URL:
image: nginx:latest
- Kubernetes will never track changes in
nginx:latest
. - If someone updates the
latest
image, your running pods stay the same unless you manually trigger an update (like delete the pod, rollout new version). - Thereโs no history, no auto-notifications, and no internal record of what “latest” pointed to when you deployed it.
- No control, no tracking, no automatic trigger.
โ
Simple but very dumb way.
โ
Works when you fully control your CI/CD pipeline.
๐ Situation 2: With OpenShift ImageStream
- Instead of pulling images directly, OpenShift tracks them through an ImageStream.
- When
nginx:latest
is updated on DockerHub, OpenShift automatically imports the new image metadata into ImageStream. - You can:
- Automatically redeploy apps when the image changes (without touching anything).
- View history of all previous images that ever existed for that tag.
- Tag images manually between environments (example: promote dev image โ staging โ prod by just changing a tag).
- Control access to images inside OpenShift’s internal registry.
- Pin exact images by digest to avoid accidental breakage.
โ Smart, controlled, observable, CI/CD friendly.
โจ So, in simple words:
Normal Images (Kubernetes) | ImageStream (OpenShift) |
---|---|
Pull and forget. No update tracking. | Tracks external and internal images in OpenShift. |
No automatic redeploy when images change. | Can auto-trigger deployment when new image arrives. |
No history of what version you pulled. | Maintains history of images for every tag. |
Cannot promote images safely between environments. | Can tag/promote images easily between dev โ staging โ prod. |
No OpenShift access control for images. | Full OpenShift permission control for pull, tag, promote. |
You manage everything outside cluster. | OpenShift manages image lifecycle inside cluster. |
๐ธ Example to make it even more practical
โ Without ImageStream:
- You push a new app build to DockerHub (
myapp:latest
updated). - Your Kubernetes app still uses old container unless you manually trigger a deployment.
โ With ImageStream:
- You push a new app build to DockerHub (
myapp:latest
updated). - OpenShift automatically imports the new version into ImageStream.
- If a Deployment (with image trigger) is linked to that ImageStream:
- โ OpenShift triggers redeployment automatically!
- โ Zero manual work.
- โ New app version is live safely.
Final Summary (Easy Language)
Normal images are like pulling files from the internet manually every time.
ImageStreams are like having a smart librarian inside your OpenShift cluster who:
- Tracks when your images change.
- Keeps history of all versions.
- Alerts your applications and triggers updates.
- Controls who can pull what.
Practical Advantages of ImageStreams
Benefit | Why it matters |
---|---|
Auto-updates | No need to manually redeploy when a new version is available. |
History tracking | Rollback to any old image version easily. |
Environment promotion | Promote builds from Dev โ QA โ Prod by tagging. |
Pull secrets and control | Manage access securely for private registries. |
Cluster registry integration | OpenShift can manage images internally without external dependency. |
Real Example
If youโre running CI/CD pipelines in OpenShift (Jenkins, Tekton, GitOps ArgoCD):
- Build finishes โ ImageStream updated โ New Deployment triggered โ App upgraded automatically.
โ
No downtime.
โ
No manual intervention.
โ
Full visibility on which image you are using.
Very Short Answer
If you want | Use |
---|---|
Simple “set and forget” deploys | Normal Kubernetes image reference. |
Smart, auto-tracked, secure, history-managed image lifecycle | OpenShift ImageStreams. |
๐ง What Are We Building?
You have three projects (namespaces):
Environment | OpenShift Project |
---|---|
Development (Dev) | app-dev |
Staging | app-staging |
Production | app-prod |
We will:
- Build or Import an Image into
app-dev
- Promote (copy) the image to
app-staging
- Finally promote it to
app-prod
- All using ImageStreams without rebuilding the app again
โ
No re-building needed!
โ
Full traceability!
โ
Full security control!
๐ Prerequisites:
- OpenShift CLI (
oc
) installed - Access to an OpenShift 4.x+ cluster
admin
or sufficient permissions on projects
๐ Step-by-Step Tutorial
1๏ธโฃ Create Three OpenShift Projects
oc new-project app-dev
oc new-project app-staging
oc new-project app-prod
Code language: JavaScript (javascript)
2๏ธโฃ Create ImageStreams in Each Project
Create an ImageStream named myapp
in each project.
# myapp-imagestream.yaml
apiVersion: image.openshift.io/v1
kind: ImageStream
metadata:
name: myapp
Code language: PHP (php)
Apply in all three projects:
oc project app-dev
oc apply -f myapp-imagestream.yaml
oc project app-staging
oc apply -f myapp-imagestream.yaml
oc project app-prod
oc apply -f myapp-imagestream.yaml
Code language: CSS (css)
โ
Now, each project has an empty myapp
ImageStream.
3๏ธโฃ Import or Build Image into Dev (First Deployment)
For simplicity, let’s just import a public image (you could also BuildConfig if needed).
oc project app-dev
oc import-image myapp:latest --from=nginx:latest --confirm
Code language: JavaScript (javascript)
โ
Now, the app-dev
project myapp:latest
points to the latest nginx image!
You can check:
oc describe is myapp
4๏ธโฃ Create Deployment that Uses ImageStream (optional but recommended)
In Dev, create a Deployment that uses the ImageStream:
# myapp-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: myapp-deployment
spec:
replicas: 1
selector:
matchLabels:
app: myapp
template:
metadata:
labels:
app: myapp
spec:
containers:
- name: myapp
image: image-registry.openshift-image-registry.svc:5000/app-dev/myapp:latest
ports:
- containerPort: 80
Code language: PHP (php)
Apply:
oc apply -f myapp-deployment.yaml
Code language: CSS (css)
โ Dev environment is now running your image!
5๏ธโฃ Promote Image from Dev โ Staging
Now the magic: Tagging from one project’s ImageStream to another projectโs ImageStream.
oc tag app-dev/myapp:latest app-staging/myapp:latest
โ
This command copies the image reference into app-staging
‘s ImageStream.
Important:
- No rebuild.
- No re-pulling from DockerHub.
- Full OpenShift internal secured movement.
You can verify:
oc project app-staging
oc describe is myapp
You will see that it points to the image from Dev.
6๏ธโฃ Deploy in Staging
Create a Deployment in app-staging
, pointing to:
image: image-registry.openshift-image-registry.svc:5000/app-staging/myapp:latest
Code language: HTTP (http)
Now staging runs the exact same image!
7๏ธโฃ Promote Image from Staging โ Production
Same simple command:
oc tag app-staging/myapp:latest app-prod/myapp:latest
โ Now your Production ImageStream is updated with the exact tested image.
Create a Deployment in app-prod
using:
image: image-registry.openshift-image-registry.svc:5000/app-prod/myapp:latest
Code language: HTTP (http)
โ Production environment runs only after successful promotion from staging!
๐ฅ Auto-Promotion Pipeline Idea (Optional)
You can fully automate this using Tekton Pipelines, Jenkins, GitHub Actions, or GitOps (ArgoCD):
- After tests pass in Dev โ automatically tag to Staging.
- After staging approval โ automatically tag to Production.
โ
Fully secure.
โ
CI/CD friendly.
โ
Traceable images across all stages.
๐ Final Architecture Diagram
DockerHub or Build --> app-dev/myapp:latest
|
oc tag
โ
app-staging/myapp:latest
|
oc tag
โ
app-prod/myapp:latest
Each environment runs exactly the promoted image, NOT a rebuilt one. ๐
๐ Quick Commands Cheat Sheet
Command | Purpose |
---|---|
oc import-image myapp:latest --from=<external-image> --confirm | Import image from external registry |
oc tag app-dev/myapp:latest app-staging/myapp:latest | Promote image from Dev to Staging |
oc tag app-staging/myapp:latest app-prod/myapp:latest | Promote image from Staging to Prod |
oc describe is myapp | View ImageStream details |
oc get istag | List image tags |
๐ฏ Real-World Benefits of This Method
Benefit | Why It Matters |
---|---|
No Rebuilding | Promotes the same built image โ ensures consistency |
Fast and Secure | No need to pull externally again โ internal registry handles it |
Full Traceability | You can always check where an image came from |
Automation Friendly | Easily integrate with pipelines and GitOps |
Safe Rollbacks | Previous tags/history available if you want to revert |
๐ Conclusion
โ
ImageStreams make Dev โ Staging โ Prod promotions super clean and safe!
โ
Tagging avoids risks of “it works on my machine but fails on prod” issues.
โ
Production-ready method in OpenShift CI/CD workflows!
Lab with Existing
Here’s a short and clear tutorial on how to check and deploy ImageStreams in OpenShift, using the example where you added httpd
via the Developer Catalog UI and then used oc
commands to deploy and expose it.

Deploy ImageStreams in OpenShift (ARO)
โ Step 1: Add ImageStream via Developer Catalog (UI)
- In OpenShift Web Console:
- Go to Developer โ +Add โ Container Image
- Search for
httpd
and add it - This will create an ImageStream but not a running application
โ Step 2: Check What Was Created
Use the CLI:
oc get all -n test2
Code language: JavaScript (javascript)
Youโll see only:
imagestream.image.openshift.io/httpd
โ Step 3: Deploy an App Using the ImageStream
To deploy a pod from the ImageStream you created:
oc new-app httpd -n test2
Code language: JavaScript (javascript)
This automatically creates:
- DeploymentConfig
- Pod
- Service
โ Step 4: Verify Deployment
oc get all -n test2
Code language: JavaScript (javascript)
Youโll now see:
deploymentconfig.apps.openshift.io/httpd
pod/httpd-xxxxx
svc/httpd
โ Step 5: Expose the Service to Create a Public Route
oc expose svc/httpd -n test2
โ Step 6: Get the Route URL
oc get route httpd -n test2
Code language: JavaScript (javascript)
Open the displayed URL in a browser to see the httpd
default page.
๐งช Command History You Used
512 oc get all -n test2
513 oc new-app jenkins # (unrelated, probably test)
514 oc new-app httpd -n test2 # โ
deploy httpd app
515 oc get all -n test2
516 oc expose svc/httpd -n test2 # โ
expose the service
Code language: PHP (php)
โ Summary
Task | Command |
---|---|
Check what exists | oc get all -n test2 |
Deploy app from ImageStream | oc new-app httpd -n test2 |
Expose service | oc expose svc/httpd -n test2 |
Access app | oc get route httpd -n test2 |
Iโm a DevOps/SRE/DevSecOps/Cloud Expert passionate about sharing knowledge and experiences. I have worked at Cotocus. I share tech blog at DevOps School, travel stories at Holiday Landmark, stock market tips at Stocks Mantra, health and fitness guidance at My Medic Plus, product reviews at TrueReviewNow , and SEO strategies at Wizbrand.
Do you want to learn Quantum Computing?
Please find my social handles as below;
Rajesh Kumar Personal Website
Rajesh Kumar at YOUTUBE
Rajesh Kumar at INSTAGRAM
Rajesh Kumar at X
Rajesh Kumar at FACEBOOK
Rajesh Kumar at LINKEDIN
Rajesh Kumar at WIZBRAND