GKE pulling images from a private repository inside GCP

2/15/2021

I've set up a private container registry that is integrated with Bitbucket successfully. However, I am not able to pull the images from my GKE cluster.

I created a service account with the role "Project Viewer", and a JSON key for this account. Then I created the secret in the cluster/namespace by running

kubectl create secret docker-registry gcr-json-key \
 --docker-server=gcr.io \
 --docker-username=_json_key \
 --docker-password="$(cat ~/code/bitbucket/miappsrl/miappnodeapi/secrets/registry/miapp-staging-e94050365be1.json)" \
 --docker-email=agusmiappgcp@gmail.com

And in the deployment file I added

...
      imagePullSecrets:
      - name: gcr-json-key
...

But when I apply the deployment I get

 ImagePullBackOff

And when I do a kubectl describe pod <pod_name> I see

Failed to pull image "gcr.io/miapp-staging/miappnodeapi": rpc error: code = Unknown desc = Error response from daemon: Get https://gcr.io/v2/: dial tcp: lookup gcr.io on 169.254.169.254:53: no such host

I can't figure out what I am missing. I understand it can resolve the DNS inside the cluster, but I'm not sure what I should add.

-- agusgambina
google-container-registry
google-kubernetes-engine
kubernetes

1 Answer

2/19/2021

If a GKE cluster is set up as private, you need to set up the DNS to reach Container Registry. From the documentation:

To support GKE private clusters that use Container Registry or Artifact Registry inside a service perimeter, you first need to configure your DNS server so requests to registry addresses resolve to restricted.googleapis.com, the restricted VIP. You can do so using Cloud DNS private DNS zones.

Verify whether you set up your cluster as private.

-- David C
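
A check for the condition the answer describes, added here as an example that is not part of the original question or answer: it classifies what the resolver returns for gcr.io and prints the Cloud DNS commands for a private zone that answers with the restricted VIP. The 199.36.153.4/30 range is the one Google documents for restricted.googleapis.com; the zone name and the network argument are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post or answer.
# Assumption: restricted.googleapis.com is 199.36.153.4/30, the range Google
# documents for the restricted VIP.

# Succeeds when $1 is one of the four restricted VIP addresses.
is_restricted_vip() {
    case "$1" in
        199.36.153.[4-7]) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify the IPv4 addresses a resolver returned for a registry host.
# $1 is a whitespace-separated list, empty when the lookup failed.
classify_registry_dns() {
    verdict="no-answer"
    for addr in $1; do
        is_restricted_vip "$addr" || { echo "not-restricted"; return 0; }
        verdict="restricted-vip"
    done
    echo "$verdict"
}

# Resolve $1 with the system resolver and classify the answer.
# Run it on a node or in a debug pod, e.g. check_registry_host gcr.io
check_registry_host() {
    addrs=$(getent ahostsv4 "$1" 2>/dev/null | awk '{print $1}' | sort -u)
    classify_registry_dns "$addrs"
}

# Print (do not run) the Cloud DNS commands for a private gcr.io zone that
# answers with the restricted VIP. $1 = VPC network of the cluster
# (placeholder supplied by the caller), $2 = zone name (placeholder default).
private_zone_commands() {
    network="$1"; zone="${2:-gcr-io-restricted}"
    cat <<EOF
gcloud dns managed-zones create $zone --dns-name=gcr.io. --description="gcr.io via restricted VIP" --visibility=private --networks=$network
gcloud dns record-sets create gcr.io. --zone=$zone --type=A --ttl=300 --rrdatas=199.36.153.4,199.36.153.5,199.36.153.6,199.36.153.7
gcloud dns record-sets create '*.gcr.io.' --zone=$zone --type=CNAME --ttl=300 --rrdatas=gcr.io.
EOF
}
```

A "no-answer" verdict corresponds to the "no such host" error in the question; "not-restricted" means the name resolves, but not to the restricted VIP.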
Source: StackOverflow