
How do I grant permission to my Kubernetes cluster to pull images from gcr.io?

In Kubernetes container repository I have my permission set to Private: (screenshot of the repository visibility setting)

When I create a pod on my cluster I get the pod status ending in ImagePullBackOff, and when I describe the pod I see:

Failed to pull image "gcr.io/REDACTED": rpc error: code = Unknown desc = Error response from daemon: pull access denied for gcr.io/REDACTED, repository does not exist or may require 'docker login': denied: Permission denied for "v11" from request "/v2/REDACTED/manifests/v11".

I am certainly logged in.

docker login
Authenticating with existing credentials...
Login Succeeded

Now if I enable public access (top image) on my Container Repository things work fine and the pod deploys correctly. But I don't want my repository to be public. What is the correct way to keep my container repository private and still be able to deploy? I'm pretty sure this used to work a couple of weeks ago unless I messed up something with my service account, although I don't know how to find out which service account is being used for these permissions.

To use gcr.io or any other private artifact registry, you'll need to create a Secret of type docker-registry in your k8s cluster. The secret will contain the credential details of your registry:

kubectl create secret docker-registry <secret-name> \
  --docker-server=<server-name> \
  --docker-username=<user-name> \
  --docker-password=<user-password> \
  --docker-email=<user-email-id>

After this, you will need to specify the above secret in the imagePullSecrets property of your manifest so that k8s is able to authenticate and pull the image.

apiVersion: v1
kind: Pod
metadata:
  name: pod1
  namespace: default
spec:
  containers:
    - name: pod1
      image: gcr.io/pod1:latest
  imagePullSecrets:
    - name: myregistrykey

Check out this tutorial from container-solutions and the official k8s doc.
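The procedure in this answer, worked through for gcr.io as an added example (not part of the original answer): the script builds the same kubernetes.io/dockerconfigjson Secret that `kubectl create secret docker-registry` would create, but offline, so the object can be inspected before it is applied, and then a Pod manifest that references it through imagePullSecrets. For gcr.io the documented non-interactive login is the username `_json_key` with the JSON key of a service account as the password; the secret name `gcr-pull`, the key file path `key.json`, the pod name `app` and the image `gcr.io/my-project/app:v11` are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example, not from the original answer: build the docker-registry Secret
# for a private gcr.io repository offline and verify what it stores before
# piping it to `kubectl apply -f -`. Names (gcr-pull, key.json, my-project,
# app) are placeholders; "_json_key" is the username gcr.io expects when the
# password is a service-account JSON key.
set -u

# Single-line base64 (GNU base64 wraps at 76 columns, BSD does not).
b64() { base64 | tr -d '\n'; }

# The docker config body that kubelet reads from .dockerconfigjson.
# Only the "auth" field, base64("user:password"), is required.
docker_config_json() {
  local server user password auth
  server=$1; user=$2; password=$3
  auth=$(printf '%s:%s' "$user" "$password" | b64)
  printf '{"auths":{"%s":{"auth":"%s"}}}' "$server" "$auth"
}

# Same object `kubectl create secret docker-registry` produces, as a manifest.
pull_secret_manifest() {
  local name namespace server user password cfg
  name=$1; namespace=$2; server=$3; user=$4; password=$5
  cfg=$(docker_config_json "$server" "$user" "$password")
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $namespace
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $(printf '%s' "$cfg" | b64)
EOF
}

# Pod that references the secret through imagePullSecrets. The secret must be
# in the pod's namespace; kubelet does not look in other namespaces.
pod_manifest() {
  local name namespace image secret
  name=$1; namespace=$2; image=$3; secret=$4
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: $name
  namespace: $namespace
spec:
  containers:
    - name: $name
      image: $image
  imagePullSecrets:
    - name: $secret
EOF
}

# Decode a manifest (stdin) back to "user:password" for one registry host, to
# check what was actually stored before the secret is applied.
secret_credentials() {
  local server
  server=$1
  sed -n 's/^ *\.dockerconfigjson: //p' \
    | base64 -d \
    | sed -n "s/.*\"$server\":{\"auth\":\"\([^\"]*\)\".*/\1/p" \
    | base64 -d
}

# Stand-alone use with a real key file (placeholder path), e.g.:
#   pull_secret_manifest gcr-pull default gcr.io _json_key "$(cat key.json)" | kubectl apply -f -
#   pod_manifest app default gcr.io/my-project/app:v11 gcr-pull | kubectl apply -f -
```

The key file is the password, so the secret is only as safe as the key: create a dedicated service account that holds nothing but a registry read role for this purpose, rather than reusing a key with broader rights.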

If your GKE version is > 1.15, the Container Registry is in the same project, and GKE uses the default Compute Engine service account (SA), it should work out of the box.

If you are running the registry in another project, or using a different service account, you should give the SA the right permissions (e.g., roles/artifactregistry.reader).

A step-by-step tutorial with all the different cases is present in the official documentation: https://cloud.google.com/artifact-registry/docs/access-control#gcp

GKE uses the service account attached to the node pools to grant access to the registry; however, you must be sure that the OAuth scope for your cluster is set to https://www.googleapis.com/auth/devstorage.read_only as well.
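The three conditions named in the two answers above (same project, node-pool service account, node-pool OAuth scope), turned into an offline check as an added example that is not part of either answer. The inputs are the strings `gcloud container node-pools describe` prints for `config.serviceAccount` and `config.oauthScopes` (the `value()` format joins list items with `;`); the sample values at the bottom are constructed and no gcloud call is made. Which roles a custom service account actually holds cannot be checked offline, so the script only flags that case. Accepting any `devstorage.*` scope or `cloud-platform` as sufficient, and naming `artifacts.PROJECT.appspot.com` as the bucket behind gcr.io, are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original answers: check a GKE node pool against
# the conditions for pulling from gcr.io / Artifact Registry without an
# imagePullSecret. Inputs are plain strings as printed by
#   gcloud container node-pools describe POOL --cluster C --zone Z \
#     --format='value(config.serviceAccount,config.oauthScopes)'
# The sample values at the bottom are constructed.

# Project that owns an image on gcr.io or *.pkg.dev, e.g.
# gcr.io/PROJECT/img:tag, eu.gcr.io/PROJECT/img, REGION-docker.pkg.dev/PROJECT/repo/img
image_project() {
  local image host rest
  image=$1
  host=${image%%/*}
  case $host in
    gcr.io|*.gcr.io|*.pkg.dev) ;;
    *) return 1 ;;            # not a Google registry, nothing to say
  esac
  rest=${image#*/}
  printf '%s\n' "${rest%%/*}"
}

# The default Compute Engine SA is PROJECT_NUMBER-compute@developer.gserviceaccount.com
is_default_compute_sa() {
  case $1 in
    [0-9]*-compute@developer.gserviceaccount.com) return 0 ;;
  esac
  return 1
}

# Assumption: any devstorage.* scope or cloud-platform lets the node read the
# registry; the answer above names devstorage.read_only as the minimum.
scope_allows_registry_pull() {
  local s
  for s in $(printf '%s' "$1" | tr ';,' '  '); do
    case $s in
      */auth/devstorage.read_only|*/auth/devstorage.read_write|*/auth/devstorage.full_control|*/auth/cloud-platform) return 0 ;;
    esac
  done
  return 1
}

# diagnose_registry_access IMAGE CLUSTER_PROJECT NODE_SA "SCOPES"
# Returns 0 when the node pool should be able to pull IMAGE, 1 otherwise.
diagnose_registry_access() {
  local image cluster_project node_sa scopes img_project ok
  image=$1; cluster_project=$2; node_sa=$3; scopes=$4; ok=0
  if ! img_project=$(image_project "$image"); then
    echo "$image is not on gcr.io or *.pkg.dev; this check does not apply"
    return 1
  fi
  if [ "$img_project" != "$cluster_project" ]; then
    echo "registry project $img_project differs from cluster project $cluster_project:"
    echo "  grant $node_sa roles/artifactregistry.reader there (Artifact Registry)"
    echo "  or roles/storage.objectViewer on artifacts.$img_project.appspot.com (Container Registry)"
    ok=1
  fi
  if ! is_default_compute_sa "$node_sa"; then
    echo "custom node SA $node_sa: verify it holds a registry reader role (not checkable offline)"
  fi
  if ! scope_allows_registry_pull "$scopes"; then
    echo "no storage or cloud-platform scope on the node pool; scopes are fixed at creation,"
    echo "  so create a new node pool with --scopes including devstorage.read_only"
    ok=1
  fi
  [ "$ok" -eq 0 ] && echo "node pool can reach $image (IAM on the image itself not checked)"
  return "$ok"
}

# Run on real values when given 4 arguments, otherwise on constructed ones.
if [ $# -eq 4 ]; then
  diagnose_registry_access "$@"
else
  diagnose_registry_access "gcr.io/my-project/app:v11" my-project \
    "123456789-compute@developer.gserviceaccount.com" \
    "https://www.googleapis.com/auth/devstorage.read_only;https://www.googleapis.com/auth/logging.write"
fi
```

The scope check matters because it is the one condition a role grant cannot repair: node-pool scopes are set when the pool is created, so a pool built without a storage scope needs to be replaced, not re-authorized.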
