Kubernetes pods can't pull images from container registry (gcp)

3/2/2019

I want to update my deployment on kubernetes with a new image which exists on 'eu.gcr.io' (same project), I have done this before. But now the pods fail to pull the image because they are not authorized to do so. This is the error that we get in the pod logs.

Failed to pull image "eu.gcr.io/my-gcp-project/my-image:v1.009": 
rpc error: code = Unknown desc = Error response from daemon: 
unauthorized: You don't have the needed permissions to perform this operation,
and you may have invalid credentials.

The service account on the cluster has kubernetes admin and storage admin roles which should be sufficient. But even when I make the service account project editor (for debugging sake) it still doesn't work (same error).

I have also tried creating a fresh new cluster (default settings) and apply my deployment there, but then I got the exact same issue.

I'm not sure what I can try anymore.

Any help or suggestions are greatly appreciated.

EDIT:

I just found out that I can still pull and deploy older images. But every new image I build cannot be pulled by the kubernetes pods.

-- Georges Lorré
google-cloud-platform
google-container-registry
google-iam
google-kubernetes-engine
kubernetes

2 Answers

3/5/2019

According to your description

I just found out that I can still pull and deploy older images. But every new image I build cannot be pulled by the kubernetes pods.

I assume you can pull the docker image by command, but not with kubectl.

docker pull eu.gcr.io/my-gcp-project/my-image:v1.009 

So, referring to this article, Using Google Container Registry with Kubernetes, the authentication is different between pulling a docker image with docker pull and with kubectl.

Did you give the access token to GKE?

kubectl create secret docker-registry gcr-access-token \
--docker-server=eu.gcr.io \
--docker-username=oauth2accesstoken \
--docker-password="$(gcloud auth print-access-token)" \
--docker-email=any@valid.email

-- howie
Source: StackOverflow

3/2/2019

You will need to create a docker-registry secret and use imagePullSecrets in your pod definition:

kubectl create secret docker-registry regcred --docker-server=<your-registry-server> --docker-username=<your-name> --docker-password=<your-pword> --docker-email=<your-email>

apiVersion: v1
kind: Pod
metadata:
  name: private-reg
spec:
  containers:
  - name: private-reg-container
    image: <your-private-image>
  imagePullSecrets:
  - name: regcred

See this guide for more information.

-- Amityo
Source: StackOverflow
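
An added example, not part of either answer: a secret created with `kubectl create secret docker-registry` is stored as type `kubernetes.io/dockerconfigjson`, and it only helps if the pod names it under imagePullSecrets and its `auths` entry matches the image's registry host. The check below runs over manifests already loaded as dicts; the function names, the sample pod and the placeholder token are constructed for illustration.

```python
import base64
import json

def registry_of(image):
    """Registry host of an image reference; docker.io when no host is given."""
    first, _, rest = image.partition("/")
    if rest and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"

def secret_registries(secret):
    """Registry hosts a kubernetes.io/dockerconfigjson Secret holds credentials for."""
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        return set()
    cfg = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
    # Keys may be bare hosts or URLs such as https://eu.gcr.io
    return {key.split("://", 1)[-1].split("/", 1)[0] for key in cfg.get("auths", {})}

def uncovered_images(pod, secrets_by_name):
    """(container, image, registry) tuples that no referenced pull secret covers."""
    covered = set()
    for ref in pod["spec"].get("imagePullSecrets", []):
        secret = secrets_by_name.get(ref["name"])
        if secret is not None:  # a reference to a missing Secret adds no credentials
            covered |= secret_registries(secret)
    return [(c["name"], c["image"], registry_of(c["image"]))
            for c in pod["spec"]["containers"]
            if registry_of(c["image"]) not in covered]

def make_secret(name, server, user, password):
    """Constructed stand-in for what `kubectl create secret docker-registry` stores."""
    auth = base64.b64encode(f"{user}:{password}".encode()).decode()
    cfg = {"auths": {server: {"username": user, "password": password, "auth": auth}}}
    return {"kind": "Secret", "type": "kubernetes.io/dockerconfigjson",
            "metadata": {"name": name},
            "data": {".dockerconfigjson": base64.b64encode(json.dumps(cfg).encode()).decode()}}

# Constructed sample data: placeholder token, names taken from the answers above.
SECRETS = {"gcr-access-token": make_secret("gcr-access-token", "eu.gcr.io",
                                           "oauth2accesstoken", "PLACEHOLDER_TOKEN")}
POD = {"spec": {"containers": [{"name": "app",
                                "image": "eu.gcr.io/my-gcp-project/my-image:v1.009"}],
                "imagePullSecrets": [{"name": "regcred"}]}}  # name not present in SECRETS

if __name__ == "__main__":
    print(uncovered_images(POD, SECRETS))
```

A non-empty result means the kubelet has no matching credential for that image from the pod's pull secrets. Note that a token from `gcloud auth print-access-token` is short-lived, so a secret built from it stops working once the token expires.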