
401 Unauthorized error while trying to pull image from Google Container Registry

I am using Google Container Registry (GCR) to push and pull Docker images. I have created a deployment in Kubernetes with 3 replicas. The deployment will use a Docker image pulled from the GCR.

Out of 3 replicas, 2 are pulling the images and running fine. But the third replica is showing the below error and the pod's status remains "ImagePullBackOff" or "ErrImagePull".

"Failed to pull image "gcr.io/xxx:yyy": rpc error: code = Unknown desc = failed to pull and unpack image "gcr.io/xxx:yyy": failed to resolve reference "gcr.io/xxx:yyy": unexpected status code: 401 Unauthorized"

I am confused as to why only one of the replicas is showing the error while the other 2 are running without any issue. Can anyone please clarify this?

Thanks in Advance!

ImagePullBackOff and ErrImagePull indicate that the image used by a container cannot be loaded from the image registry.

401 unauthorized error might occur when you pull an image from a private Container Registry repository. For troubleshooting the error:

  1. Identify the node that runs the pod by running the command

     kubectl describe pod POD_NAME | grep "Node:"

  2. Verify the node has the storage scope by running the command

     gcloud compute instances describe NODE_NAME --zone=COMPUTE_ZONE --format="flattened(serviceAccounts[].scopes)"
  3. The node's access scope should contain at least one of the following:

    serviceAccounts[0].scopes[0]: https://www.googleapis.com/auth/devstorage.read_only
    serviceAccounts[0].scopes[0]: https://www.googleapis.com/auth/cloud-platform

  4. Recreate the node pool that the node belongs to with sufficient scope. You cannot modify existing nodes; you must recreate the node with the correct scope.

    • Create a new node pool with the gke-default scope by the following command

      gcloud container node-pools create NODE_POOL_NAME --cluster=CLUSTER_NAME --zone=COMPUTE_ZONE --scopes="gke-default"
    • Create a new node pool with only storage scope

      gcloud container node-pools create NODE_POOL_NAME --cluster=CLUSTER_NAME --zone=COMPUTE_ZONE --scopes="https://www.googleapis.com/auth/devstorage.read_only"

Refer to the link for more information on the troubleshooting process.
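The scope check from steps 2 and 3 can be scripted so that every node is tested, which shows why only some replicas fail. This is an added example, not code from the original answer; the function names `node_scopes`, `has_pull_scope` and `audit_nodes` and the sample scope listings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original answer): flag nodes whose access scopes
# cannot pull from GCR. Function names and sample data are hypothetical.

# Print a node's scopes with the command from step 2 (needs gcloud access).
node_scopes() {
  gcloud compute instances describe "$1" --zone="$2" \
    --format="flattened(serviceAccounts[].scopes)"
}

# Read that output on stdin; succeed if a scope named in step 3 is present.
has_pull_scope() {
  while IFS= read -r line || [ -n "$line" ]; do
    # Keep only the URL after "scopes[N]: " and compare it exactly.
    case "${line##*: }" in
      https://www.googleapis.com/auth/devstorage.read_only) return 0 ;;
      https://www.googleapis.com/auth/cloud-platform) return 0 ;;
    esac
  done
  return 1
}

# audit_nodes ZONE NODE...: one line per node; returns 1 if any node fails.
audit_nodes() {
  zone=$1; shift
  missing=0
  for node in "$@"; do
    if node_scopes "$node" "$zone" | has_pull_scope; then
      echo "$node: ok"
    else
      echo "$node: MISSING storage read scope"
      missing=1
    fi
  done
  return "$missing"
}

# Constructed scope listings for two nodes (not real cluster data).
sample_ok='serviceAccounts[0].scopes[0]: https://www.googleapis.com/auth/devstorage.read_only
serviceAccounts[0].scopes[1]: https://www.googleapis.com/auth/logging.write'
sample_bad='serviceAccounts[0].scopes[0]: https://www.googleapis.com/auth/logging.write
serviceAccounts[0].scopes[1]: https://www.googleapis.com/auth/monitoring'

for sample in "$sample_ok" "$sample_bad"; do
  if printf '%s\n' "$sample" | has_pull_scope; then
    echo "sample node: can pull"
  else
    echo "sample node: cannot pull"
  fi
done
```

Call `audit_nodes COMPUTE_ZONE NODE_NAME...` with the node names found in step 1; pods scheduled onto a node reported as missing the scope are the ones to expect in ErrImagePull.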

Hi, you will set up a role for the cluster to access GCR images for pulling and pushing; you can see https://github.com/GoogleContainerTools/skaffold/issues/336
