Reputation: 968
The cluster is not allowed to pull images from container registry, 401 is received and pods fail to run with ImagePullBackOff. Both the cluster and the registry belong to the same project.
From the documentation:
By default GKE nodes have permissions to pull images from Container Registry when the registry is in the same Google Cloud project as your nodes.
so I'm really lost here. It seems I messed up some permissions. How can I fix this?
$ kubectl describe pod <application>
[...]
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Pulling 17m (x43 over 3h33m) kubelet Pulling image "eu.gcr.io/<project>/<application>:d3...bc"
Normal BackOff 7m56s (x906 over 3h32m) kubelet Back-off pulling image "eu.gcr.io/<project>/<application>:d3...bc"
Warning Failed 2m57s (x928 over 3h32m) kubelet Error: ImagePullBackOff
Warning Failed 4m23s (x210 over 17h) kubelet Failed to pull image "eu.gcr.io/<project>/<application>:d3...bc": rpc error: code = Unknown desc = failed to pull and unpack image "eu.gcr.io/<project>/<application>:d3...bc": failed to resolve reference "eu.gcr.io/<project>/<application>:d3...bc": unexpected status code [manifests d3...bc]: 401 Unauthorized
Upvotes: 0
Views: 1494
Reputation: 2654
Most likely your SA has been deleted.
The following links will help you recover:
https://cloud.google.com/iam/docs/creating-managing-service-accounts#undeleting
https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts/undelete
However, keep in mind you cannot recover a SA that has been deleted for more than 30 days.
Upvotes: 0
Reputation: 1102
An access attribute is missing, but the required access can be manually added, as the documentation "Access control with IAM" indicates.
That way, it allows the sample code to deploy. It looks like the automatic access from GKE to GCR didn't work.
Upvotes: 0
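A way to check for the two causes suggested in the answers above (a deleted node service account, a missing registry read grant), as an added example that is not part of the original thread. It inspects the JSON printed by `gcloud projects get-iam-policy <project> --format=json`. The policies, project number and service-account name below are constructed, and only project-level bindings for the three Cloud Storage roles listed are checked.

```python
import json

# Cloud Storage roles that include storage.objects.get/list, which a pull needs.
# Assumption: only these project-level roles are checked; bucket-level grants
# and basic roles are not evaluated.
PULL_ROLES = {"roles/storage.objectViewer", "roles/storage.objectAdmin",
              "roles/storage.admin"}

def audit_pull_access(policy, node_sa):
    """Classify node_sa as ('granted'|'deleted'|'missing', [roles])."""
    live = f"serviceAccount:{node_sa}"
    # IAM rewrites members of a deleted account to this form in bindings.
    tombstone = f"deleted:serviceAccount:{node_sa}?uid="
    roles, deleted = set(), False
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member.startswith(tombstone):
                deleted = True
            elif member == live and binding.get("role") in PULL_ROLES:
                roles.add(binding["role"])
    if roles:
        return "granted", sorted(roles)
    return ("deleted" if deleted else "missing"), []

# Constructed sample data (placeholder project number and account name).
NODE_SA = "123456789012-compute@developer.gserviceaccount.com"
POLICY_DELETED = json.loads("""{"bindings": [
  {"role": "roles/editor", "members": [
    "deleted:serviceAccount:123456789012-compute@developer.gserviceaccount.com?uid=100000000000000000001"]},
  {"role": "roles/owner", "members": ["user:admin@example.com"]}]}""")
POLICY_MISSING = {"bindings": [
    {"role": "roles/logging.logWriter", "members": [f"serviceAccount:{NODE_SA}"]}]}
POLICY_GRANTED = {"bindings": [
    {"role": "roles/storage.objectViewer", "members": [f"serviceAccount:{NODE_SA}"]}]}

if __name__ == "__main__":
    for name, pol in [("deleted", POLICY_DELETED), ("missing", POLICY_MISSING),
                      ("granted", POLICY_GRANTED)]:
        print(name, audit_pull_access(pol, NODE_SA))
```

A "deleted" result corresponds to the undelete procedure linked in the first answer; "missing" corresponds to adding the grant by hand as described in "Access control with IAM".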