Pull images from a different Okteto namespace


I have two namespaces in my account and pushed images to one of them. I’m trying to pull the image in the other namespace and it is failing to pull the image with the error:

pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed.

Do I have to set up credentials to pull from the registry in the other namespace? I thought that since I own both namespaces, i.e. same user account, that would be set up automatically. My ultimate goal is push shared images to this new namespace and then share the namespace with my teammates so they can use them in the deployments. I am hoping my teammates also do not need to authenticate since I will be sharing the namespace with them.

Please clarify how this can be accomplished with the namespace-sharing capability.


Hi @proof-nicholas !

How are you trying to pull those images in the other namespace? Deploying some pods using the image pushed to the other namespace or using it as base image of other images built?

Both but more the former than the latter.

Hi @proof-nicholas ,

The images can be used as base image in other namespaces or even being pulled in deploy flows executed in other namespaces you have access to (you are owner or member), but those images cannot be used as pod images deployed in other namespaces even if you have access to that namespace.

So, any member in a namespace can use any image created in that namespace as base image and as pod image within that namespace, but they cannot use those images as pod images in other namespaces.

The options to achieve something similar would be:

  1. Your teammates would have to use your image as base image to build their own within their namespaces and use those for deployments.
  2. Use okteto.global to push an image to the okteto namespace so any user would have access to it. The way of doing it would be using okteto.global/<image-name>:<tag> as image. But be aware that this would make this image available to every user in the instance.

The second option is just recommended in scenarios in which the images have to be shared with all the users. If it’s only to shared among a few users, option 1 would be the way.

Would this cover your case?

Thanks for the response. Option 2 looks viable, the images we want to share should be accessible to all users within our organization. Currently, we are using ECR as a workaround but looks like the global namespace may be a viable alternative. Thanks!