I want to deploy an the nginx-ingress-controller image (https://github.com/kubernetes/ingress-nginx) in my private GKE cluster but I can't pull the image since it's on quay.io's registry. How can I pull a public image that's not on GCR or the GCR Dockerhub mirror?
I thought about pulling it and uploading to my own GCR registry, but then I have to maintain updating it. Is there a way to keep a private mirror of just that image?
The answer provided by Andrew Ridout looks like the most appropriate one. Another way to go could be creating a private local registry and some automation script to keep your images up to date from quay.io.
See also this for configuring your GKE cluster to use your private local registry.
Nodes in a private GKE cluster do not have external IPs and are unable to egress to the internet by default which is why the cluster can't pull images from non-GCR registries.
To allow internet egress you need to enable Cloud NAT in the same project as your GKE cluster.
gcloud compute routers create nat-router \
--network custom-network1 \
--region us-central1
gcloud compute routers nats create nat-config \
--router-region us-central1 \
--router nat-router \
--nat-all-subnet-ip-ranges \
--auto-allocate-nat-external-ips
See https://cloud.google.com/nat/docs/gke-example#step_6_create_a_nat_configuration_using for more details.