Kubectl Failed to pull docker image from private gcr.io repo

9/7/2018

I am facing the same issue when pulling a Docker image from a private GCR; it throws this error:

Failed to pull image "gcr.io/{PROJECT_ID}/{IMAGE:TAG}:latest": rpc error: code = Unknown desc = Error response from daemon: repository gcr.io/{PROJECT_ID}/{IMAGE:TAG} not found: does not exist or no pull access

Solutions which I tried but which still didn't fix the issue:
1. Deleted the cluster and recreated it.
2. Provided Editor Storage Admin to the service account which is used to pull the image.

Also, when I try docker image pull using the service account auth, I am able to download the image to my local machine:

docker image pull gcr.io/{PROJECT_ID}/{IMAGE:TAG}

Any suggestions / help on what I am missing?

Thanks

-- Bikash Kumar Sharma
docker
google-cloud-platform
google-container-registry
google-kubernetes-engine

3 Answers

9/7/2018

Are you running the kubectl commands from your local machine?
If so, you should first configure kubectl context to GKE using,
gcloud container clusters get-credentials my-cluster --zone=europe-west2-a

Read more information here
https://cloud.google.com/sdk/gcloud/reference/container/clusters/get-credentials

You may have to install and configure Google Cloud SDK before executing the above command. https://cloud.google.com/sdk/install
https://cloud.google.com/sdk/docs/initializing

-- Shiva
Source: StackOverflow

9/7/2018

This issue arises mostly when we create the cluster with the default service account (which doesn't have the permission to pull the image from GCR), so to resolve the issue, we can try the following:

We need to specify the scope as cloud-platform while creating the cluster so that the nodes in the cluster can acquire the permission to pull the image from GCR:

gcloud container clusters create "test-cluster" --zone "us-central1-a" --machine-type "n1-standard-1" --scopes https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/devstorage.read_write --num-nodes "3"

Or

We can assign a service account while creating the cluster which has permission to pull the image from Google Container Registry:

gcloud container clusters create "test-cluster" --zone "us-central1-a" --machine-type "n1-standard-1" --num-nodes "3" --service-account "XXXXXX@XXXXX.iam.gserviceaccount.com"

Regards

-- Chandana
Source: StackOverflow
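
Added example (not part of the original answers): a Python check that reads the JSON printed by gcloud container clusters describe with --format=json and reports, for each node pool, whether its OAuth scopes permit a pull from GCR and which of them exceed what a pull needs. The sample cluster JSON, the pool names and the function name audit_node_pools are constructed for illustration.

```python
import json

PREFIX = "https://www.googleapis.com/auth/"
# Scopes that permit reading Cloud Storage objects (GCR keeps image layers in
# a Cloud Storage bucket). devstorage.read_only is the narrowest of them.
PULL_SCOPES = {"devstorage.read_only", "devstorage.read_write",
               "devstorage.full_control", "cloud-platform"}


def audit_node_pools(cluster):
    """Report, per node pool, whether its OAuth scopes allow a GCR pull."""
    report = []
    for pool in cluster.get("nodePools", []):
        cfg = pool.get("config", {})
        scopes = {s[len(PREFIX):] if s.startswith(PREFIX) else s
                  for s in cfg.get("oauthScopes", [])}
        granting = sorted(scopes & PULL_SCOPES)
        report.append({
            "pool": pool.get("name", "?"),
            "service_account": cfg.get("serviceAccount", "default"),
            # Scopes only cap what the node may do; the service account still
            # needs IAM read access to the registry's bucket.
            "can_pull": bool(granting),
            # Anything beyond read_only is more than a pull needs.
            "excess": [s for s in granting if s != "devstorage.read_only"],
        })
    return report


# Constructed sample in the shape of:
#   gcloud container clusters describe my-cluster --zone=europe-west2-a --format=json
SAMPLE = json.loads("""
{"name": "my-cluster", "nodePools": [
  {"name": "pool-no-storage", "config": {"serviceAccount": "default",
    "oauthScopes": ["https://www.googleapis.com/auth/logging.write",
                    "https://www.googleapis.com/auth/monitoring"]}},
  {"name": "pool-broad", "config": {
    "serviceAccount": "XXXXXX@XXXXX.iam.gserviceaccount.com",
    "oauthScopes": ["https://www.googleapis.com/auth/cloud-platform",
                    "https://www.googleapis.com/auth/devstorage.read_write"]}}
]}
""")

if __name__ == "__main__":
    for row in audit_node_pools(SAMPLE):
        print(row)
```

A pool reported with can_pull False fails image pulls regardless of the IAM roles granted to its service account, which matches the case where the same account can pull from a local machine.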

9/7/2018

I suggest making sure that you have the proper scopes set up within your cluster for the service account to pull the image. Here is an article that provides step-by-step instructions on how to grant users permission to pull an image from a registry.

-- Jason
Source: StackOverflow