Cannot pull image from registry issue in kubernetes pod

I am facing an issue while pulling an image from Artifact Registry to a Kubernetes pod.

I have created a repository in Artifact Registry and I have pushed a Docker image with a tag.

While I am trying to deploy images in Kubernetes, I am facing an ErrImagePull issue.

I have tried to execute the command below:

gcloud describe pod {podname}

In the events I am seeing the issue below:

Failed to pull image: rpc error: failed to resolve image: unexpected status: 403 Forbidden

The cluster pod is using the default service account. And I tried to provide the artifact reader permission to the default service account in the GCP console.

But it is not working. Can anyone help me?

Thanks in advance.

The first step is to validate the service account attached to the GKE node pool --> https://cloud.google.com/kubernetes-engine/docs/tutorials/authenticating-to-cloud-platform?_ga=2.108247426.-1476124671.1589389489

That service account needs this role --> Artifact Registry Reader (roles/artifactregistry.reader).

Lastly, validate the URL of the image in the deployment.yaml -->

--image=LOCATION-docker.pkg.dev/PROJECT-ID/REPOSITORY/IMAGE:TAG
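Added example (not part of the original answer): a Python check of the points the answer above lists, run against a project IAM policy exported with `gcloud projects get-iam-policy PROJECT-ID --format=json` for the project that hosts the repository. The sample policy, project and service account names are constructed; the role set generalizes beyond `roles/artifactregistry.reader` to the other Artifact Registry roles that include read access, and only project-level bindings are considered (repository-level bindings are not).

```python
import json
import re

# Artifact Registry roles that include read (pull) access; the answer names the first.
PULL_ROLES = {
    "roles/artifactregistry.reader",
    "roles/artifactregistry.writer",
    "roles/artifactregistry.repoAdmin",
    "roles/artifactregistry.admin",
}
# LOCATION-docker.pkg.dev/PROJECT-ID/REPOSITORY/IMAGE:TAG (a tag or digest is required here).
IMAGE_RE = re.compile(
    r"^(?P<location>[a-z0-9-]+)-docker\.pkg\.dev/"
    r"(?P<project>[a-z0-9-]+)/(?P<repository>[a-z0-9-]+)/"
    r"(?P<image>[a-z0-9._/-]+)(?::(?P<tag>[\w.-]+)|@(?P<digest>sha256:[0-9a-f]{64}))$"
)

def parse_image(ref):
    """Split an Artifact Registry Docker reference into its parts, or return None."""
    m = IMAGE_RE.match(ref)
    return m.groupdict() if m else None

def pull_roles_for(policy, sa_email):
    """Return (unconditional, conditional) pull roles bound to the service account."""
    member = f"serviceAccount:{sa_email}"
    granted, conditional = set(), set()
    for binding in policy.get("bindings", []):
        if binding.get("role") in PULL_ROLES and member in binding.get("members", []):
            (conditional if "condition" in binding else granted).add(binding["role"])
    return granted, conditional

def diagnose(image_ref, policy, sa_email):
    """Name the most likely cause of a 403 on pull, given the three inputs."""
    parts = parse_image(image_ref)
    if parts is None:
        return "image reference is not LOCATION-docker.pkg.dev/PROJECT-ID/REPOSITORY/IMAGE:TAG"
    granted, conditional = pull_roles_for(policy, sa_email)
    if granted:
        return "ok: " + ", ".join(sorted(granted))
    if conditional:
        return "role is bound with an IAM condition; check that it covers this repository"
    return f"{sa_email} has no Artifact Registry read role on project {parts['project']}"

# Constructed sample policy in the shape of the gcloud JSON output.
SAMPLE_POLICY = json.loads("""{"bindings": [
  {"role": "roles/artifactregistry.reader",
   "members": ["serviceAccount:ci@example-proj.iam.gserviceaccount.com"]},
  {"role": "roles/logging.logWriter",
   "members": ["serviceAccount:gke-nodes@example-proj.iam.gserviceaccount.com"]}]}""")
```

With the sample policy, the node service account `gke-nodes@example-proj.iam.gserviceaccount.com` is reported as lacking a read role, which is the condition that produces the 403 in the question.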

First, set up the gcloud CLI on your machine and authenticate to your project in GCP using gcloud.

gcloud auth login 

gcloud auth activate-service-account ACCOUNT --key-file=KEY-FILE 

gcloud auth activate-service-account <svc-accnt-email> --key-file=serviceaccount.json 

gcloud auth configure-docker 

When you are trying to configure a private repository, you need to configure an imagePullSecret in your pod/deployment. GKE does not directly authenticate to GCR using a service account; you need to configure an imagePullSecret.

kubectl create secret docker-registry gcr-auth-secret --docker-server=https://gcr.io --docker-username=oauth2accesstoken --docker-password="$(gcloud auth print-access-token)" --docker-email=<service-account-email> --docker-server=us.gcr.io

This will create a secret in the default namespace. Based on your namespace, you can add -n <namespace> to create the secret in your namespace. You can get the value of the secret using the command below:

kubectl get secret gcr-auth-secret -n <namespace> -o yaml

Now, you need to configure your pod/deployment to use this secret to authenticate to GCE. You can do this by adding the below in your yaml:

  containers:
  - name: <cont_name>
    image: <image>:<tag>
  imagePullSecrets:
  - name: gcr-auth-secret

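Notice: The technical posts on this site follow the CC BY-SA 4.0 license. If you need to repost, please credit this site's URL or the original address. For any questions, contact: yoyou2525@163.com.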
