1
votes

On the Google Cloud Platform I have two projects, project-a and project-b.

In project-a I have a Google Container Registry (GCR) and in project-b I have a private Google Kubernetes Engine (GKE) cluster (with Cloud NAT and Private Google Access). In project-b I have a custom service account which is used by the GKE cluster (configured on creation of the cluster, instead of the default compute service account; therefore I also did not need to configure access scopes).

To be able to pull images from GCR in project-a, I granted the custom service account "Storage Object Viewer" permissions on the corresponding GCS bucket in project-a, according to the documentation.

However, I keep getting the error that GKE is unable to pull the image. The permissions on the bucket seem fine though: if I generate a key file for the custom service account, create a kubernetes.io/dockerconfigjson secret from it and use that secret as imagePullSecrets, then the node is able to pull the image.

My assumption was that creating this secret is not needed since the GKE-node uses the custom service account already. What is going wrong here?

Could you share the exact error you are receiving? – PjoterS

@PjoterS The error message is: Failed to pull image "eu.gcr.io/***/***:latest": rpc error: code = Unknown desc = Error response from daemon: unauthorized: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: cloud.google.com/container-registry/docs/… – Peter

I think this issue is related to IAM permissions. Have you followed the link from the error message? – Serhii Rohoza

2 Answers

1
votes

I found the solution: it appeared I still had to configure access scopes (storage-read), even when using a custom service account. My assumption was that when one uses a custom service account for the node pool, access scopes do not have to be configured, and that just granting the custom SA Storage Object Viewer permissions on the GCR bucket would be sufficient.
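As an added check, not part of the question or either answer: the two conditions the accepted answer ends up with (a storage OAuth scope on the node pool and an object-read role on the GCR bucket) can be verified from the JSON that `gcloud container node-pools describe --format=json` and `gsutil iam get` return. The inputs below are constructed, and the service account and bucket names are placeholders rather than values from the thread.

```python
# Scope granted by the "storage-read" (gcloud: storage-ro) access-scope setting.
STORAGE_RO_SCOPE = "https://www.googleapis.com/auth/devstorage.read_only"
# Any of these scopes lets the node's OAuth token read GCS objects.
STORAGE_SCOPES = {
    STORAGE_RO_SCOPE,
    "https://www.googleapis.com/auth/devstorage.read_write",
    "https://www.googleapis.com/auth/devstorage.full_control",
    "https://www.googleapis.com/auth/cloud-platform",
}
# IAM roles on the GCR bucket that allow reading image layers.
READ_ROLES = {"roles/storage.objectViewer", "roles/storage.objectAdmin", "roles/storage.admin"}


def can_pull(node_pool, bucket_policy):
    """Return (ok, reasons) for a node-pool description and a bucket IAM policy.

    Both conditions must hold: the node pool's service account token carries a
    storage scope, and that service account holds an object-read role on the bucket.
    """
    cfg = node_pool.get("config", {})
    sa = cfg.get("serviceAccount", "default")
    scopes = set(cfg.get("oauthScopes", []))
    reasons = []
    if not scopes & STORAGE_SCOPES:
        reasons.append(f"node pool has no storage scope (scopes: {sorted(scopes)})")
    member = f"serviceAccount:{sa}"
    roles = {b["role"] for b in bucket_policy.get("bindings", [])
             if member in b.get("members", [])}
    if not roles & READ_ROLES:
        reasons.append(f"{member} has no object-read role on the bucket (roles: {sorted(roles)})")
    return not reasons, reasons


# Constructed sample: a project-b node pool using a custom SA with no storage scope,
# the situation in the question (placeholder names, not values from the thread).
SA = "gke-nodes@project-b.iam.gserviceaccount.com"
NODE_POOL_BEFORE = {"name": "default-pool",
                    "config": {"serviceAccount": SA,
                               "oauthScopes": ["https://www.googleapis.com/auth/logging.write"]}}
# Same pool after adding the storage-read scope, as in the accepted answer.
NODE_POOL_AFTER = {"name": "default-pool",
                   "config": {"serviceAccount": SA,
                              "oauthScopes": NODE_POOL_BEFORE["config"]["oauthScopes"]
                              + [STORAGE_RO_SCOPE]}}
# Constructed IAM policy of the project-a bucket backing eu.gcr.io, with the
# Storage Object Viewer grant the question describes already in place.
BUCKET_POLICY = {"bindings": [{"role": "roles/storage.objectViewer",
                               "members": [f"serviceAccount:{SA}"]}]}

if __name__ == "__main__":
    for label, pool in (("before", NODE_POOL_BEFORE), ("after", NODE_POOL_AFTER)):
        ok, why = can_pull(pool, BUCKET_POLICY)
        print(label, "OK" if ok else "; ".join(why))
```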

0
votes

In the official documentation there is nothing like that (service account access for the node).

Document: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/

Just consider the example where each deployment might have a different private repository; in that case, if you go with the official document, the suggested method is to create a secret and use it.