尝试从 Google Container Registry 拉取图像时出现 401 Unauthorized 错误
[英]401 Unauthorized error while trying to pull image from Google Container Registry
问题描述
I am using google container registry (GCR) to push and pull docker images.
我正在使用谷歌容器注册表 (GCR) 来推送和拉取 docker 个图像。 I have created a deployment in kube.netes with 3 replicas.我在 kube.netes 中创建了一个包含 3 个副本的部署。 The deployment will use a docker image pulled from the GCR.部署将使用从 GCR 中提取的 docker 图像。
Out of 3 replicas, 2 are pulling the images and running fine.But the third replica is showing the below error and the pod's status remains "ImagePullBackOff" or "ErrImagePull"在 3 个副本中,2 个正在拉取图像并运行良好。但是第三个副本显示以下错误并且 pod 的状态仍然是“ImagePullBackOff”或“ErrImagePull”
"Failed to pull image "gcr.io/xxx:yyy": rpc error: code = Unknown desc = failed to pull and unpack image "gcr.io/xxx:yyy": failed to resolve reference "gcr.io/xxx:yyy": unexpected status code: 401 Unauthorized"
I am confused like why only one of the replicas is showing the error and the other 2 are running without any issue.我很困惑,为什么只有一个副本显示错误,而其他 2 个副本运行没有任何问题。 Can anyone please clarify this?谁能澄清一下?
Thanks in Advance!提前致谢!
2 个解决方案
解决方案1
1 2022-06-20 13:38:26
ImagePullBackOff and ErrImagePull indicate that the image used by a container cannot be loaded from the image registry. ImagePullBackOff和ErrImagePull表示容器使用的镜像无法从镜像注册中心加载。
401 unauthorized error might occur when you pull an image from a private Container Registry repository.从私有 Container Registry 存储库拉取镜像时,可能会出现401 unauthorized 错误。 For troubleshooting the error:要排除错误:
Identify the node that runs the pod by
kubectl describe pod POD_NAME | grep "Node:"通过kubectl describe pod POD_NAME | grep "Node:"识别运行 pod 的节点kubectl describe pod POD_NAME | grep "Node:"Verify the node has the storage scope by running the command
通过运行命令验证节点具有存储 scopegcloud compute instances describe NODE_NAME --zone=COMPUTE_ZONE --format="flattened(serviceAccounts[].scopes)"The node's access scope should contain at least one of the following:
节点的访问 scope 应该至少包含以下内容之一:serviceAccounts[0].scopes[0]: https://www.googleapis.com/auth/devstorage.read_only serviceAccounts[0].scopes[0]: https://www.googleapis.com/auth/cloud-platform
serviceAccounts[0].scopes[0]: https://www.googleapis.com/auth/devstorage.read_only serviceAccounts[0].scopes[0]: https://www.googleapis.com/auth/cloud-platformRecreate the node pool that node belongs to with sufficient scope and you cannot modify existing nodes, you must recreate the node with the correct scope.
用足够的 scope 重新创建节点所属的节点池,并且不能修改现有节点,必须用正确的 scope 重新创建节点。Create a new node pool with the gke-default scope by the following command
通过以下命令使用 gke-default scope 创建一个新的节点池gcloud container node-pools create NODE_POOL_NAME --cluster=CLUSTER_NAME --zone=COMPUTE_ZONE --scopes="gke-default"Create a new node pool with only storage scope
创建一个只有存储 scope 的新节点池gcloud container node-pools create NODE_POOL_NAME --cluster=CLUSTER_NAME --zone=COMPUTE_ZONE --scopes="https://www.googleapis.com/auth/devstorage.read_only"
Refer to the link for more information on the troubleshooting process.有关故障排除过程的更多信息,请参阅链接。
解决方案2
0 2022-06-17 09:05:54
Hi you will setup role for cluster to access GCR images for pulling and pushing you can see https://github.com/GoogleContainerTools/skaffold/issues/336您好,您将为集群设置角色以访问用于拉取和推送的 GCR 图像,您可以看到https://github.com/GoogleContainerTools/skaffold/issues/336
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.