Push a Docker image to Google Container Registry from a container running in the GKE
I have a GCP project. In there I use the GKE with a Teamcity container running. This Teamcity container is my build server and the location where I run my build steps/scripts.
One of the build steps wants to push a docker image to the Google Container Registry. While doing so it fails because of this error:
denied: Token exchange failed for project 'coopr-mod'. Caller does not have permission 'storage.buckets.create'. To configure permissions, follow instructions at: https://cloud.google.com/container-registry/docs/access-control
I read up on the mentioned instruction links but just can't find out how to solve the problem in my case.
For completeness I hereby write down the build steps that are executed:
Step 1:
# Create environment variable for correct distribution
export CLOUD_SDK_REPO="cloud-sdk-$(lsb_release -c -s)"
# Add the Cloud SDK distribution URI as a package source
echo "deb http://packages.cloud.google.com/apt $CLOUD_SDK_REPO main" | sudo tee -a /etc/apt/sources.list.d/google-cloud-sdk.list
# Import the Google Cloud Platform public key
curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add -
# Update the package list and install the Cloud SDK
sudo apt-get -y update && sudo apt-get -y install google-cloud-sdk
Step 2:
gcloud --quiet auth configure-docker
Step 3: docker build myimage:1
Step 4: docker tag myimage:1 eu.gcr.io/my-project/myimage:1
Step 5: (The failing step) docker push eu.gcr.io/coopr-mod/myimage:1
Results in:
denied: Token exchange failed for project 'coopr-mod'. Caller does not have permission 'storage.buckets.create'. To configure permissions, follow instructions at: https://cloud.google.com/container-registry/docs/access-control
I read about giving the GKE read-write permission for the Google Storage but I can't find the guide where it tells me "how" to do that.
There is decent documentation about how to both push and pull images with GCR and GKE. Also, this answer is a similar answer for regular GCE instances.
Assuming your node pool is configured with instances using the default GCE account, this is a simple matter of configuring the pool with the read-write access scope when you create the pool.
A few ways to do this:
When you create the node pool with gcloud, (additionally) specify --scopes https://www.googleapis.com/auth/devstorage.read_write
(Alternatively, you can enable 'all scopes' using this value: https://www.googleapis.com/auth/cloud-platform, but that is exceptionally permissive)
... omitted many scope choices...
If, for whatever reason, you can't just tear down your node pool, the instructions about how to migrate jobs to a new machine type should work for you (in this case, the "new machine type" just has the new access permissions). The basic steps are:
That said, it might make sense to go a bit beyond this and use a dedicated service account (and key) for pushing images, if you don't want any pod on your cluster to have this sort of access. Likewise, this won't require destroying and recreating the node pool.
This is a decent amount more complicated, but the steps would roughly be:
cat keyfile.json | docker login -u _json_key --password-stdin https://eu.gcr.io
(or whatever the correct GCR repository hostname is for you)
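The dedicated-service-account route from the answer above, as an added example that is not part of the original question or answer: a small shell helper for a TeamCity build step that derives the registry host from the image reference, refuses to send the key anywhere but a GCR hostname, checks that the file is actually a service-account key, and feeds the key to `docker login` over stdin so it never appears on the command line or in the build log. The image reference and key file name (keyfile.json) are assumed; the key itself must be issued by whoever administers the GCP project.

```shell
#!/bin/sh
# Added example (not from the original question or answer): log in to GCR with a
# dedicated service-account key, the "_json_key" approach described in the answer.
# Assumed inputs: an image reference such as eu.gcr.io/coopr-mod/myimage:1 and a
# service-account key file (keyfile.json) provided by the project administrator.

# Print the registry host of an image reference (everything before the first "/").
gcr_host() {
    printf '%s\n' "$1" | cut -d/ -f1
}

# Print the GCP project of an image reference (the second path component).
gcr_project() {
    printf '%s\n' "$1" | cut -d/ -f2
}

# Succeed only for the GCR hostnames this helper accepts, so a typo in the image
# reference cannot send the service-account key to an unrelated registry.
is_gcr_host() {
    case "$1" in
        gcr.io|us.gcr.io|eu.gcr.io|asia.gcr.io) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed if the file looks like a service-account key ("type": "service_account").
# Only the type field is inspected; the private key is never written to the log.
is_service_account_key() {
    [ -r "$1" ] && grep -q '"type": *"service_account"' "$1"
}

# Log in to the registry implied by IMAGE using KEYFILE. The key is passed via
# stdin (--password-stdin) rather than as an argument, so it is not visible to
# `ps` or captured in TeamCity's build output.
gcr_login() {
    image=$1
    keyfile=$2
    host=$(gcr_host "$image")
    is_gcr_host "$host" || { echo "refusing unknown registry host: $host" >&2; return 1; }
    is_service_account_key "$keyfile" || { echo "not a service-account key: $keyfile" >&2; return 1; }
    docker login -u _json_key --password-stdin "https://$host" < "$keyfile"
}

# Usage in a build step (needs docker and a real key; the checks above need neither):
#   gcr_login eu.gcr.io/coopr-mod/myimage:1 keyfile.json \
#     && docker push eu.gcr.io/coopr-mod/myimage:1
```

The key file should reach the build container as a Kubernetes secret mounted read-only (or as a TeamCity password parameter written to a temporary file), not be baked into the image, and the service account behind it needs only the storage role that allows pushing to the registry bucket, which keeps the access narrower than a cluster-wide read-write scope.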