agusgambina

Reputation: 6669

DO Kubernetes Cluster + GCP Container Registry

I have a Kubernetes cluster in DigitalOcean, and I want to pull images from a private repository in GCP.

I tried to create a secret that makes me able to pull the images, following this article: https://blog.container-solutions.com/using-google-container-registry-with-kubernetes

Basically, these are the steps

  1. In the GCP account, create a service account key with a JSON credential.
  2. Execute:
    kubectl create secret docker-registry gcr-json-key \
      --docker-server=gcr.io \
      --docker-username=_json_key \
      --docker-password="$(cat ~/json-key-file.json)" \
      [email protected]
  3. In the deployment YAML, reference the secret:
    imagePullSecrets:
      - name: gcr-json-key

I don't understand why I am getting a 403, whether there are some restrictions on using the registry outside Google Cloud, or whether I missed some configuration.

Failed to pull image "gcr.io/myapp/backendnodeapi:latest": rpc error: code = Unknown desc = failed to pull and unpack image "gcr.io/myapp/backendnodeapi:latest": failed to resolve reference "gcr.io/myapp/backendnodeapi:latest": unexpected status code [manifests latest]: 403 Forbidden

Upvotes: 1

Views: 576

Answers (2)

Goli Nikitha

Reputation: 928

Verify that you have enabled the Container Registry API, installed the Cloud SDK, and that the service account you are using for authentication has permissions to access Container Registry.

Docker requires privileged access to interact with registries. On Linux or Windows, add the user that you use to run Docker commands to the Docker security group. This documentation has details on the prerequisites for Container Registry.

Note: Ensure that the version of kubectl is the latest version.

I tried replicating by following the document you provided and it worked at my end, so ensure that all the prerequisites are met.

Upvotes: 2

Martin Zeitler

Reputation: 76569

That JSON string is not a password.

The documentation suggests either activating the service account:

gcloud auth activate-service-account [USERNAME]@[PROJECT-ID].iam.gserviceaccount.com --key-file=~/service-account.json

or adding the configuration to $HOME/.docker/config.json,

and then running docker-credential-gcr configure-docker.


Kubernetes seems to demand a service-account token secret, and this requires the annotation kubernetes.io/service-account.name.

Also see Configure Service Accounts for Pods.

Upvotes: 1
