Pulling Images from GCR into GKE

10/20/2018

Today is my first day playing with GCR and GKE. So apologies if my question sounds childish.

So I have created a new registry in GCR. It is private. Using this documentation, I got hold of my Access Token using the command

gcloud auth print-access-token
#<MY-ACCESS_TOKEN>

I know that my username is oauth2accesstoken

On my local laptop when I try

docker login https://eu.gcr.io/v2
Username: oauth2accesstoken
Password: <MY-ACCESS_TOKEN>

I get:

Login Successful

So now it's time to create a docker-registry secret in Kubernetes.

I ran the below command:

kubectl create secret docker-registry eu-gcr-io-registry --docker-server='https://eu.gcr.io/v2' --docker-username='oauth2accesstoken' --docker-password='<MY-ACCESS_TOKEN>' --docker-email='<MY_EMAIL>'

And then my Pod definition looks like:

apiVersion: v1
kind: Pod
metadata:
  name: my-app
spec:
  containers:
  - name: my-app
    image: eu.gcr.io/<my-gcp-project>/<repo>/<my-app>:latest
    ports:
    - containerPort: 8090
  imagePullSecrets:
  - name: eu-gcr-io-registry

But when I spin up the pod, I get the ERROR:

Warning  Failed                 4m (x4 over 6m)   kubelet, node-3  Failed to pull image "eu.gcr.io/<my-gcp-project>/<repo>/<my-app>:latest": rpc error: code = Unknown desc = Error response from daemon: unauthorized: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication

I verified my secrets checking the YAML file and doing a base64 --decode on the .dockerconfigjson and it is correct.

So what have I missed here?

--
google-cloud-platform
google-kubernetes-engine
kubernetes

1 Answer

10/21/2018

If your GKE cluster & GCR registry are in the same project: You don't need to configure authentication. GKE clusters are authorized to pull from private GCR registries in the same project with no config. (Very likely you're this!)
If your GKE cluster & GCR registry are in different GCP projects: Follow these instructions to give "service account" of your GKE cluster access to read private images in your GCR cluster: https://cloud.google.com/container-registry/docs/access-control#granting_users_and_other_projects_access_to_a_registry

In a nutshell, this can be done by:

gsutil iam ch serviceAccount:[PROJECT_NUMBER]-compute@developer.gserviceaccount.com:objectViewer gs://[BUCKET_NAME]

where [BUCKET_NAME] is the GCS bucket storing your GCR images (like artifacts.[PROJECT-ID].appspot.com) and [PROJECT_NUMBER] is the numeric GCP project ID hosting your GKE cluster.

-- AhmetB - Google
Source: StackOverflow
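As an added check (not part of the original answer), the Python below derives the node service account and the registry bucket named in the answer and reads a `gsutil iam get` policy to report whether the cross-project objectViewer binding is already present, emitting the exact `gsutil iam ch` command otherwise. Assumptions: the node pool runs as the default Compute Engine service account, regional hosts map to eu./us./asia.artifacts.PROJECT-ID.appspot.com, and both sample policies are constructed for the example.

```python
import json

# Predefined storage roles that include storage.objects.get (assumption: custom
# roles are not considered; extend READ_ROLES if your registry bucket uses them).
READ_ROLES = {
    "roles/storage.objectViewer", "roles/storage.objectAdmin", "roles/storage.admin",
    "roles/storage.legacyObjectReader", "roles/storage.legacyObjectOwner",
}

# Constructed sample policies in the shape printed by `gsutil iam get gs://BUCKET`.
POLICY_DEFAULT = json.dumps({"bindings": [
    {"role": "roles/storage.legacyBucketOwner",
     "members": ["projectEditor:registry-proj", "projectOwner:registry-proj"]}]})
POLICY_GRANTED = json.dumps({"bindings": [
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com"]}]})

def gcr_bucket(registry_host, project_id):
    """GCS bucket backing a GCR host: artifacts.PROJECT.appspot.com for gcr.io and
    REGION.artifacts.PROJECT.appspot.com for eu./us./asia.gcr.io (assumed naming)."""
    if registry_host == "gcr.io":
        return f"artifacts.{project_id}.appspot.com"
    region, sep, rest = registry_host.partition(".gcr.io")
    if not sep or rest or region not in ("eu", "us", "asia"):
        raise ValueError(f"not a GCR host: {registry_host}")
    return f"{region}.artifacts.{project_id}.appspot.com"

def node_member(cluster_project_number):
    """IAM member string for the default Compute Engine SA that GKE nodes run as
    (assumption: the node pool was not created with a custom service account)."""
    return f"serviceAccount:{cluster_project_number}-compute@developer.gserviceaccount.com"

def members_with_read(policy):
    """Every member holding an object-read role in a parsed bucket IAM policy."""
    return {m for b in policy.get("bindings", []) if b.get("role") in READ_ROLES
            for m in b.get("members", [])}

def check_pull_access(policy_json, registry_host, registry_project_id,
                      cluster_project_id, cluster_project_number):
    """Return 'ok' if the cluster's nodes can read the registry bucket, otherwise the
    `gsutil iam ch` command from the answer that grants objectViewer to them."""
    if cluster_project_id == registry_project_id:
        return "ok"  # same project: no binding needed (first case in the answer)
    member = node_member(cluster_project_number)
    if member in members_with_read(json.loads(policy_json)):
        return "ok"
    bucket = gcr_bucket(registry_host, registry_project_id)
    return f"gsutil iam ch {member}:objectViewer gs://{bucket}"
```

Feed it the real policy with `gsutil iam get gs://BUCKET` and the cluster's project number from `gcloud projects describe`; a returned command is the one missing binding, nothing broader.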