Reputation: 21
I am facing an issue while pulling an image from Artifact Registry to a Kubernetes pod.
I have created a repository in Artifact Registry and I have pushed a Docker image with a tag.
While trying to deploy the image in Kubernetes, I am facing an ErrImagePull issue.
I have tried to execute the command below:
gcloud describe pod {podname}
In the events I am seeing the issue below:
Failed to pull image: rpc error: failed to resolve image: unexpected status: 403 Forbidden
The cluster pod is using the default service account, and I tried to grant the Artifact Registry reader permission to the default service account in the GCP console.
But it is not working. Can anyone help me?
Thanks in advance.
Upvotes: 0
Views: 1323
Reputation: 1649
First set up the gcloud CLI on your machine and authenticate to your project in GCP using gcloud.
gcloud auth login
gcloud auth activate-service-account ACCOUNT --key-file=KEY-FILE
gcloud auth activate-service-account <svc-accnt-email> --key-file=serviceaccount.json
gcloud auth configure-docker
When you are trying to configure a private repository, you need to configure an imagePullSecret in your pod/deployment. GKE does not directly authenticate to GCR using a service account; you need to configure an imagePullSecret:
kubectl create secret docker-registry gcr-auth-secret --docker-server=us.gcr.io --docker-username=oauth2accesstoken --docker-password="$(gcloud auth print-access-token)" --docker-email=<service-account-email>
This will create a secret in the default namespace. Based on your namespace, you can add -n <namespace> to create the secret in your namespace. You can get the value of the secret using the command below:
kubectl get secret gcr-auth-secret -n <namespace> -o yaml
Now you need to configure your pod/deployment to use this secret to authenticate to GCE. You can do this by adding the below to your YAML:
containers:
- name: <cont_name>
  image: <image>:<tag>
imagePullSecrets:
- name: gcr-auth-secret
Upvotes: 0
Reputation: 460
The first step is to validate the service account attached to the node pool of the GKE cluster --> https://cloud.google.com/kubernetes-engine/docs/tutorials/authenticating-to-cloud-platform?_ga=2.108247426.-1476124671.1589389489
That service account needs this role --> Artifact Registry Reader (roles/artifactregistry.reader).
Lastly, validate the URL of the image in the deployment.yaml -->
--image=LOCATION-docker.pkg.dev/PROJECT-ID/REPOSITORY/IMAGE:TAG
Upvotes: 0
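An added example, not part of any answer above: an offline check of the two things the last answer says to validate, the node pool service account's role and the image URL. It assumes the IAM policy was exported as JSON (for example with `gcloud projects get-iam-policy PROJECT-ID --format=json`); the function names, sample policy and account emails are constructed for illustration, and conditional bindings and digest references are not handled.

```python
import re

# Artifact Registry roles that include permission to download (pull) images.
PULL_ROLES = {
    "roles/artifactregistry.reader",
    "roles/artifactregistry.writer",
    "roles/artifactregistry.repoAdmin",
    "roles/artifactregistry.admin",
}

# LOCATION-docker.pkg.dev/PROJECT-ID/REPOSITORY/IMAGE[:TAG]
IMAGE_RE = re.compile(
    r"^(?P<location>[a-z0-9-]+)-docker\.pkg\.dev/"
    r"(?P<project>[a-z0-9.:-]+)/(?P<repository>[a-z0-9-]+)/"
    r"(?P<image>[a-z0-9._/-]+?)(?::(?P<tag>[\w.-]+))?$"
)

def parse_image(ref):
    """Split an Artifact Registry image reference; None if malformed."""
    m = IMAGE_RE.match(ref)
    return m.groupdict() if m else None

def can_pull(policy, sa_email):
    """True if the policy binds sa_email to a role that allows pulls."""
    member = "serviceAccount:" + sa_email
    return any(
        b.get("role") in PULL_ROLES and member in b.get("members", [])
        for b in policy.get("bindings", [])
    )

def diagnose(image_ref, policy, node_sa):
    """Return findings that would explain a 403 Forbidden on image pull."""
    findings = []
    if parse_image(image_ref) is None:
        findings.append("image is not LOCATION-docker.pkg.dev/PROJECT-ID/REPOSITORY/IMAGE:TAG")
    if not can_pull(policy, node_sa):
        findings.append(node_sa + " has no Artifact Registry read role")
    return findings

# Constructed sample data: the reader role went to a different account than
# the one the nodes run as, so the kubelet's pull is still rejected.
NODE_SA = "123456789012-compute@developer.gserviceaccount.com"
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/artifactregistry.reader",
     "members": ["serviceAccount:ci-pusher@my-proj.iam.gserviceaccount.com"]},
    {"role": "roles/logging.logWriter", "members": ["serviceAccount:" + NODE_SA]},
]}

if __name__ == "__main__":
    for ref in ("us-central1-docker.pkg.dev/my-proj/my-repo/app:v1", "gcr.io/my-proj/app:v1"):
        print(ref, "->", diagnose(ref, SAMPLE_POLICY, NODE_SA) or "ok")
```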