func verifyImageStreamAccess(namespace, imageRepo, verb string, client *client.Client) error { sar := authorizationapi.SubjectAccessReview{ Verb: verb, Resource: "imagestreams/layers", ResourceName: imageRepo, } response, err := client.SubjectAccessReviews(namespace).Create(&sar) if err != nil { log.Errorf("OpenShift client error: %s", err) if kerrors.IsUnauthorized(err) || kerrors.IsForbidden(err) { return ErrOpenShiftAccessDenied } return err } if !response.Allowed { log.Errorf("OpenShift access denied: %s", response.Reason) return ErrOpenShiftAccessDenied } return nil }