Access non-gcr public container registry from private GKE cluster

8/26/2019

I want to deploy the nginx-ingress-controller image (https://github.com/kubernetes/ingress-nginx) in my private GKE cluster but I can't pull the image since it's on quay.io's registry. How can I pull a public image that's not on GCR or the GCR Dockerhub mirror?

I thought about pulling it and uploading to my own GCR registry, but then I have to maintain updating it. Is there a way to keep a private mirror of just that image?

-- swigganicks
docker
google-cloud-platform
google-kubernetes-engine

2 Answers

8/27/2019

The answer provided by Andrew Ridout looks like the most appropriate one. Another way to go could be creating a private local registry and some automation script to keep your images up to date from quay.io.

See also this for configuring your GKE cluster to use your private local registry.

-- Alex6Zam
Source: StackOverflow

8/26/2019

Nodes in a private GKE cluster do not have external IPs and are unable to egress to the internet by default which is why the cluster can't pull images from non-GCR registries.

To allow internet egress you need to enable Cloud NAT in the same project as your GKE cluster.

gcloud compute routers create nat-router \
    --network custom-network1 \
    --region us-central1

gcloud compute routers nats create nat-config \
    --router-region us-central1 \
    --router nat-router \
    --nat-all-subnet-ip-ranges \
    --auto-allocate-nat-external-ips

See https://cloud.google.com/nat/docs/gke-example#step_6_create_a_nat_configuration_using for more details.

-- Andrew Ridout
Source: StackOverflow
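As an added example (not code from either answer or from Google's documentation), the script below turns the Cloud NAT steps above into something re-runnable: it derives the region and the VPC network/subnet from the cluster itself, creates the router and NAT only when they are missing, and scopes NAT to the cluster's node subnet with --nat-custom-subnet-ip-ranges instead of --nat-all-subnet-ip-ranges, so only the nodes gain egress. It assumes an authenticated gcloud; the cluster name, location, router name and NAT name are placeholders.

```shell
#!/bin/sh
# Added example (not code from the original answers or from Google): set up Cloud NAT
# for a private GKE cluster idempotently, restricting NAT to the cluster's node subnet
# instead of every subnet in the network. Assumes gcloud is installed and authenticated;
# cluster name, location, router and NAT names are placeholders.
set -eu

GCLOUD="${GCLOUD:-gcloud}"       # command used for every API call (overridable with a stub)
ROUTER="${ROUTER:-nat-router}"   # placeholder names, matching the answer above
NAT="${NAT:-nat-config}"

# Zonal clusters report a zone such as us-central1-a; Cloud Routers are regional,
# so strip a trailing zone suffix. A regional location (us-central1) is returned unchanged.
region_of_location() {
  case "$1" in
    *-*-*) echo "${1%-*}" ;;
    *)     echo "$1" ;;
  esac
}

# Read the VPC network and node subnet the cluster was created in.
# Prints "NETWORK<TAB>SUBNET" (private clusters always live in a VPC-native subnet).
cluster_net_info() {
  $GCLOUD container clusters describe "$1" --location "$2" \
    --format 'value(network,subnetwork)'
}

# Create the Cloud Router and NAT gateway only if they are missing, so the script
# can be re-run safely. NAT is limited to the node subnet to keep egress minimal.
ensure_nat() {
  network="$1"; region="$2"; subnet="$3"
  if ! $GCLOUD compute routers describe "$ROUTER" --region "$region" >/dev/null 2>&1; then
    $GCLOUD compute routers create "$ROUTER" --network "$network" --region "$region"
  fi
  if ! $GCLOUD compute routers nats describe "$NAT" --router "$ROUTER" \
        --router-region "$region" >/dev/null 2>&1; then
    $GCLOUD compute routers nats create "$NAT" \
      --router "$ROUTER" --router-region "$region" \
      --nat-custom-subnet-ip-ranges "$subnet" \
      --auto-allocate-nat-external-ips
  fi
}

# Usage: sh cloud-nat.sh CLUSTER_NAME LOCATION   (placeholders; both are yours to supply)
main() {
  cluster="$1"; location="$2"
  region=$(region_of_location "$location")
  set -- $(cluster_net_info "$cluster" "$location")   # now $1=NETWORK $2=SUBNET
  ensure_nat "$1" "$region" "$2"
  echo "Cloud NAT $NAT serves subnet $2 in $region; nodes of $cluster can reach quay.io"
}

if [ $# -ge 2 ]; then
  main "$@"
fi
```

Re-running the script is safe because both create calls are guarded by a describe check; if you later move the cluster to another subnet, add that subnet to --nat-custom-subnet-ip-ranges rather than widening NAT to the whole network.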