minikube addons configure registry-creds not working for GCR

I configured this following the docs, and it said it was successful:

Created a new cluster

minikube start -p aged --kubernetes-version=v1.18.10

Then set up the GCR credentials

minikube addons configure registry-creds -p aged

Do you want to enable AWS Elastic Container Registry? [y/n]: n

Do you want to enable Google Container Registry? [y/n]: y
-- Enter path to credentials (e.g. /home/user/.config/gcloud/application_default_credentials.json):/Users/meeee/.config/gcloud/application_default_credentials.json
-- Do you want to change the GCR URL (Default https://gcr.io)? [y/n]: n

Do you want to enable Docker Registry? [y/n]: n

Do you want to enable Azure Container Registry? [y/n]: n
✅  registry-creds was successfully configured

# enable
minikube addons enable registry-creds -p aged
    ▪ Using image upmcenterprises/registry-creds:1.10

But when I deploy, I get this error:

Failed to pull image "gcr.io/myproject/myimages/myimage:test": rpc error: code = Unknown desc = Error response from daemon: unauthorized: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication

Although it doesn't mention authenticating to GCR, I also configured minikube addons enable gcp-auth

Does the ADC file exist?

/home/user/.config/gcloud/application_default_credentials.json):/Users/meeee/.config/gcloud/application_default_credentials.json

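If not, you need to run gcloud auth application-default login beforehand.

And, assuming the mechanism creates a Secret in your namespace, you still need to use imagePullSecrets.

This approach is old-fashioned; you would be better off creating a service account dedicated to GCR access.

Using your user account as a service account in this way shares all of your user account's permissions, when only role/storage.admin is needed to pull from GCR. In addition, the user account may be bound to multiple projects, whereas the account only needs access to a specific project (ideally a bucket).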
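
The answer's two points (a dedicated service account key instead of the user's ADC file, and an explicit imagePullSecrets reference) can be sketched as follows. This is an added example, not code from the original post or from minikube. It assumes the usual shapes of gcloud credential files ("type": "authorized_user" for application-default login, "type": "service_account" for a key file). The secret name gcr-pull, the account gcr-puller and all credential values are constructed.

```python
import base64
import json

# Constructed sample credentials (not real): the two file shapes gcloud produces.
USER_ADC = {"type": "authorized_user", "client_id": "constructed",
            "client_secret": "constructed", "refresh_token": "constructed"}
SA_KEY = {"type": "service_account", "project_id": "myproject",
          "client_email": "gcr-puller@myproject.iam.gserviceaccount.com",
          "private_key_id": "constructed", "private_key": "constructed"}


def credential_kind(cred: dict) -> str:
    """Return the 'type' field of a gcloud credential file."""
    return cred.get("type", "unknown")


def gcr_pull_secret(cred: dict, name: str = "gcr-pull",
                    namespace: str = "default", registry: str = "gcr.io") -> dict:
    """Build a kubernetes.io/dockerconfigjson Secret from a service account key.

    User credentials are refused so a personal account, with every permission
    it holds, is never embedded in the cluster.
    """
    kind = credential_kind(cred)
    if kind != "service_account":
        raise ValueError(f"refusing credential of type {kind!r}; "
                         "use a dedicated service account key")
    # GCR accepts the JSON key as the password for the fixed user _json_key.
    password = json.dumps(cred)
    auth = base64.b64encode(f"_json_key:{password}".encode()).decode()
    docker_config = {"auths": {registry: {
        "username": "_json_key", "password": password, "auth": auth}}}
    encoded = base64.b64encode(json.dumps(docker_config).encode()).decode()
    return {"apiVersion": "v1", "kind": "Secret",
            "type": "kubernetes.io/dockerconfigjson",
            "metadata": {"name": name, "namespace": namespace},
            "data": {".dockerconfigjson": encoded}}


def pod_spec_fragment(secret_name: str, image: str) -> dict:
    """Pod spec that references the secret through imagePullSecrets."""
    return {"imagePullSecrets": [{"name": secret_name}],
            "containers": [{"name": "app", "image": image}]}


if __name__ == "__main__":
    # kubectl accepts JSON manifests, so this output can be piped to `kubectl apply -f -`.
    print(json.dumps(gcr_pull_secret(SA_KEY), indent=2))
```
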