Cannot pull image from registry issue in kubernetes pod
I am facing an issue while pulling an image from Artifact Registry to a Kubernetes pod.
I have created a repository in Artifact Registry and I have pushed a Docker image with a tag.
While I am trying to deploy images in Kubernetes I am facing an ErrImagePull issue.
I have tried to execute the command below
gcloud describe pod {podname}
In the events I am seeing the issue below
Failed to pull image: rpc error: failed to resolve image: unexpected status: 403 Forbidden
The cluster pod is using the default service account. And I tried to provide the artifact reader permission to the default service account in the GCP console.
But it is not working. Can anyone help me?
Thanks in advance.
The first step is to validate the Service Account attached to the node pool of the GKE --> https://cloud.google.com/kubernetes-engine/docs/tutorials/authenticating-to-cloud-platform?_ga=2.108247426.-1476124671.1589389489
That service account needs this role --> Artifact Registry Reader roles/artifactregistry.reader.
Lastly, validate the url of the image in the deployment.yaml -->
--image=LOCATION-docker.pkg.dev/PROJECT-ID/REPOSITORY/IMAGE:TAG
First set up the gcloud CLI on your machine and authenticate to your project in GCP using gcloud.
gcloud auth login
gcloud auth activate-service-account ACCOUNT --key-file=KEY-FILE
gcloud auth activate-service-account <svc-accnt-email> --key-file=serviceaccount.json
gcloud auth configure-docker
When you are trying to configure a private repository, you need to configure an imagePullSecret in your pod/deployment. GKE does not directly authenticate to GCR using a service account; you need to configure an imagePullSecret.
kubectl create secret docker-registry gcr-auth-secret --docker-server=https://gcr.io --docker-username=oauth2accesstoken --docker-password="$(gcloud auth print-access-token)" --docker-email=<service-account-email> --docker-server=us.gcr.io
This will create a secret in the default namespace. Based on your namespace, you can add
-n <namespace>
to create the secret in your namespace. You can get the value of the secret using the command below
kubectl get secret gcr-auth-secret -n <namespace> -o yaml
Now, you need to configure your pod/deployment to use this secret to authenticate to GCE. You can do this by adding the below in your yaml
containers:
- name: <cont_name>
  image: <image>:<tag>
imagePullSecrets:
- name: gcr-auth-secret
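A triage script for the 403 discussed above, added here as an example and not taken from any of the posts: it checks that the image reference has the LOCATION-docker.pkg.dev/PROJECT-ID/REPOSITORY/IMAGE:TAG shape, then lists the node pool's service account next to the members that hold roles/artifactregistry.reader. The function names are hypothetical, and it assumes an authenticated gcloud and a zonal cluster in the same project as the repository (use --region instead of --zone for a regional cluster).

```sh
#!/bin/sh
# Added example: triage for a 403 on image pull from Artifact Registry.
# Function names are hypothetical; gcloud must already be authenticated.

# Split LOCATION-docker.pkg.dev/PROJECT-ID/REPOSITORY/IMAGE:TAG into its parts.
# Sets location/project/repo/image/tag and prints them; returns 1 otherwise.
parse_ar_image() {
  ref=$1
  host=${ref%%/*}
  case $host in
    ?*-docker.pkg.dev) location=${host%-docker.pkg.dev} ;;
    *) return 1 ;;                          # gcr.io, Docker Hub, no LOCATION
  esac
  rest=${ref#*/};    [ "$rest" != "$ref" ] || return 1     # no path
  project=${rest%%/*}
  rest2=${rest#*/};  [ "$rest2" != "$rest" ] || return 1   # no REPOSITORY
  repo=${rest2%%/*}
  image=${rest2#*/}; [ "$image" != "$rest2" ] || return 1  # no IMAGE
  case $image in
    *:*) tag=${image##*:}; image=${image%:*} ;;
    *)   tag=latest ;;
  esac
  [ -n "$project" ] && [ -n "$repo" ] && [ -n "$image" ] && [ -n "$tag" ] || return 1
  echo "$location $project $repo $image $tag"
}

# Usage: check_pull_access IMAGE CLUSTER NODE_POOL ZONE
# Assumes a zonal cluster in the same project as the repository.
check_pull_access() {
  parse_ar_image "$1" >/dev/null || {
    echo "not LOCATION-docker.pkg.dev/PROJECT-ID/REPOSITORY/IMAGE:TAG: $1" >&2
    return 2
  }
  echo "Node pool service account ('default' = Compute Engine default SA):"
  gcloud container node-pools describe "$3" --cluster "$2" --zone "$4" \
    --project "$project" --format='value(config.serviceAccount)'
  echo "Members with roles/artifactregistry.reader (project, then repository):"
  for policy in "projects get-iam-policy $project" \
      "artifacts repositories get-iam-policy $repo --location $location --project $project"
  do
    # $policy is left unquoted on purpose so it splits into gcloud arguments
    gcloud $policy --flatten='bindings[].members' \
      --filter='bindings.role:roles/artifactregistry.reader' \
      --format='value(bindings.members)'
  done
}

# Constructed sample reference, parsed offline:
parse_ar_image "us-central1-docker.pkg.dev/example-project/example-repo/app:v1"
```

The node pool's service account has to appear in at least one of the two member lists; bindings inherited from a folder or organization are not shown by these commands.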