Pulling images from private google container registry with kubeflow on minikube

12/17/2019

We are having trouble giving a container within a pipeline uploaded to Kubeflow access to a private custom docker image stored in a google container registry. We are running kubeflow on top of a kubernetes cluster run on minikube. Can someone help us understand how to add the access token/service account to the Kubeflow deployment? We have read a couple of docs that achieve this on a custom Kubernetes deployment but not on a Kubeflow deployment.

The error we get when running the pipeline on Kubeflow is: This step is in Pending state with this message: ImagePullBackOff: Back-off pulling image

This is the pipeline code that calls the image. enter image description here

Thank you!!

-- Federico K
google-cloud-repository
kubeflow
kubeflow-pipelines
kubernetes
minikube

1 Answer

12/27/2019

This is issues can occur in some scenarios like:

  • Your kubeflow setup (Kubernetes cluster) and GCR are in different project

  • No GCR secret for the ml-pipeline service account which is responsible to run the pipeline. (you can see this kubectl --namespace=kubeflow get serviceaccount)

In your case, I think it is the second scenario. Though the following path will work on both scenarios.

  1. Create service_account.json with sufficient permission (GCR needs storage permission so give 'Storage admin') using the GCP console
Select “API & Services” > “Credentials”SelectCreate credentials” > “Services Account Key” > “Create New Services Account
  1. Add a Kubernetes Secret in Kubernetes Cluster to access GCR
kubectl create secret docker-registry $SECRETNAME \       
--docker-server=https://gcr.io \                          
--docker-username=_json_key \                             
--docker-email=user@example.com \                          
--docker-password="$(cat ./service_account.json.json)"
#username should be _json_key
  • Above method is for default service account. But patch this in Kufelow namespace
kubectl --namespace=kubeflow create secret docker-registry $SECRETNAME \  
--docker-server=https://gcr.io \                          
--docker-username=_json_key \                             
--docker-email=user@example.com \                          
--docker-password="$(cat ./service_account.json.json)"
#username should be _json_key
  1. Patching GCR secret with respective service account
# For Kubeflow specific problem path pipeline-runner serviceaccount
kubectl --namespace=kubeflow patch serviceaccount pipeline-runner -p '{"imagePullSecrets": [{"name": "$SECRETNAME"}]}'
-- Akash Desarda
Source: StackOverflow