gcloud cluster cannot pull eu.gcr.io authentication required

10/28/2018

I have set up a Kubernetes cluster on gcloud via gitlab.

I have some trouble pulling my images when I deploy my application.

I use a gcloud cluster with a registry on the same gcloud project. Normally, I'm able to pull my image directly without any modification (supposed to use the Compute Engine default service account?).

But I get an unauthorized error on my pod when it tries to pull the image:

  Warning  Failed                 3m (x2 over 3m)  kubelet, gke-production-default-pool-********-****  Failed to pull image "eu.gcr.io/[My-Project]/services-identity:715bfffa": rpc error: code = Unknown desc = unauthorized: authentication required
  Warning  Failed                 3m (x2 over 3m)  kubelet, gke-production-default-pool-********-****  Error: ErrImagePull
  Normal   BackOff                2m (x6 over 3m)  kubelet, gke-production-default-pool-********-****  Back-off pulling image "eu.gcr.io/[My-Project]/services-identity:715bfffa"
  Warning  Failed                 2m (x6 over 3m)  kubelet, gke-production-default-pool-********-****  Error: ImagePullBackOff
  Normal   Pulling                2m (x3 over 3m)  kubelet, gke-production-default-pool-********-****  pulling image "eu.gcr.io/[My-Project]/services-identity:715bfffa"

I deploy via gitlab-ci with the following command line:

helm upgrade --install services-identity -f ./deploy/env/production-values.yml ./deploy/ --set image.tag=${CI_COMMIT_SHA:0:8} --namespace=production --wait

For information: I can pull from the registry when it is public, and I can also pull the image locally via docker login (using my gcloud account).

Thanks in advance for your advice.

-- Alexandre Cys
authentication
docker
gcloud
kubernetes
kubernetes-helm

2 Answers

10/29/2018

Thanks for your helpful response. In the similar issues you have shared, I have found a solution: "Use Least Privilege Service Accounts for your Nodes".

The problem is at the Cloud API access scopes level; I have recreated an InstanceGroup with the right scopes:

The default scopes for the nodes in GKE are devstorage.read_only, logging.write, monitoring, service.management.readonly, servicecontrol, and trace.append. When setting scopes, these are specified as gke-default. If you are accessing private images in Google Container Registry, the minimally required scopes are only logging.write, monitoring, and devstorage.read_only.

-- Alexandre Cys
Source: StackOverflow
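To turn the scope requirement quoted above into something checkable, here is an added shell example (not part of the original answer) that verifies whether a node pool's OAuth scope list contains the three scopes GKE needs to pull private Container Registry images, and lists the gcloud commands for inspecting and replacing a mis-scoped pool. The scope lists below are constructed samples; POOL, CLUSTER and ZONE are placeholders, and the assumption that `--format='value(config.oauthScopes)'` separates list entries with ';' is handled by accepting both ';' and newlines.

```shell
#!/bin/sh
# Added example, not from the original post: check a GKE node pool's OAuth
# scopes against the minimum needed to pull private images from GCR.

# Minimal scopes for pulling private GCR images, as quoted in the answer.
REQUIRED_SCOPES="https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring
https://www.googleapis.com/auth/devstorage.read_only"

# has_required_scopes SCOPES: SCOPES is the pool's scope list, separated by
# ';' (assumed separator of gcloud's value() list formatting) or newlines.
# Returns 0 when every required scope is present, otherwise prints the
# missing ones to stderr and returns 1.
has_required_scopes() {
    scopes=$(printf '%s' "$1" | tr ';' '\n')
    missing=""
    for s in $REQUIRED_SCOPES; do
        if ! printf '%s\n' "$scopes" | grep -qxF "$s"; then
            missing="$missing $s"
        fi
    done
    if [ -n "$missing" ]; then
        echo "missing scopes:$missing" >&2
        return 1
    fi
    return 0
}

# Constructed sample: a pool created with only logging and monitoring scopes,
# which is the failure mode behind "unauthorized: authentication required".
POOL_SCOPES_BAD="https://www.googleapis.com/auth/logging.write;https://www.googleapis.com/auth/monitoring"

# Constructed sample: the gke-default scope set listed in the answer.
POOL_SCOPES_DEFAULT="https://www.googleapis.com/auth/devstorage.read_only;https://www.googleapis.com/auth/logging.write;https://www.googleapis.com/auth/monitoring;https://www.googleapis.com/auth/service.management.readonly;https://www.googleapis.com/auth/servicecontrol;https://www.googleapis.com/auth/trace.append"

# To read the scopes of a live pool (placeholders in caps; not run here):
#   gcloud container node-pools describe POOL --cluster CLUSTER --zone ZONE \
#       --format='value(config.oauthScopes)'
# Scopes are fixed when a pool is created, so a mis-scoped pool has to be
# replaced, as the answer did: create a correctly scoped pool, drain the old
# one, then delete it.
#   gcloud container node-pools create POOL-2 --cluster CLUSTER --zone ZONE \
#       --scopes=https://www.googleapis.com/auth/logging.write,https://www.googleapis.com/auth/monitoring,https://www.googleapis.com/auth/devstorage.read_only

for sample in "$POOL_SCOPES_DEFAULT" "$POOL_SCOPES_BAD"; do
    if has_required_scopes "$sample"; then
        echo "ok: pool can pull private GCR images"
    else
        echo "pool must be recreated with devstorage.read_only"
    fi
done
```

Pipe the describe output into `has_required_scopes` to check a real pool; devstorage.read_only is the scope that actually authorizes the pull, since GCR images are stored in a Cloud Storage bucket of the project.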

10/29/2018

This is very similar to this: What's the minimal permissions I need to configure for a GKE node pool to pull from a private GCR repo in the same project?, except that you are not mentioning that it's on GKE, so I assume it is on GCE.

You can use a json_key_file.

On all your nodes (assuming you are using Docker):

$ cat [KEY_FILE].json | docker login -u _json_key --password-stdin https://gcr.io

Or the same json_key_file using ImagePullSecrets in the pod spec as described here.

Or you can use on all your Kubernetes nodes:

$ gcloud auth configure-docker
-- Rico
Source: StackOverflow
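The imagePullSecrets route mentioned above, as an added shell example that is not part of the original answer: it builds the `.dockerconfigjson` document that `kubectl create secret docker-registry` generates for the `_json_key` user, wraps it in a Secret manifest, and emits a pod spec that references the secret. The key file is a constructed stand-in (a real one comes from `gcloud iam service-accounts keys create`), and `my-project`, `gcr-json-key` and the pod name are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: image pull secret for GCR.

# make_dockerconfigjson REGISTRY KEYFILE: the .dockerconfigjson document for
# user _json_key. Docker-style config stores base64("user:password") in "auth".
make_dockerconfigjson() {
    registry="$1"
    keyfile="$2"
    auth=$(printf '_json_key:%s' "$(cat "$keyfile")" | base64 | tr -d '\n')
    printf '{"auths":{"%s":{"auth":"%s"}}}' "$registry" "$auth"
}

# make_pull_secret NAME NAMESPACE REGISTRY KEYFILE: Secret manifest of type
# kubernetes.io/dockerconfigjson, ready for `kubectl apply -f -`.
make_pull_secret() {
    data=$(make_dockerconfigjson "$3" "$4" | base64 | tr -d '\n')
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
  namespace: $2
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $data
EOF
}

# pod_spec_with_pull_secret NAME IMAGE SECRET: minimal pod spec that pulls
# IMAGE using SECRET from the same namespace.
pod_spec_with_pull_secret() {
    cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: $1
spec:
  imagePullSecrets:
  - name: $3
  containers:
  - name: app
    image: $2
EOF
}

# Constructed sample key (not a real credential), written to a temp file so
# the functions read it the same way they would read a downloaded key.
KEYFILE=$(mktemp)
trap 'rm -f "$KEYFILE"' EXIT
cat > "$KEYFILE" <<'EOF'
{"type": "service_account", "project_id": "my-project",
 "client_email": "gcr-puller@my-project.iam.gserviceaccount.com",
 "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n"}
EOF

make_pull_secret gcr-json-key production https://eu.gcr.io "$KEYFILE"
pod_spec_with_pull_secret services-identity \
    eu.gcr.io/my-project/services-identity:715bfffa gcr-json-key
```

The secret holds a long-lived service-account key, so grant that account only Storage Object Viewer on the registry bucket and rotate it like any other credential; the node-scope fix from the first answer avoids distributing a key at all. A `docker login` run by hand on a node, as in the other suggestion, does not survive node recreation, whereas the Secret does.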