集群不允许从容器注册表中拉取图像

Question

不允许集群从容器注册表中拉取映像，收到 401 并且 pods 无法运行 ImagePullBackOff。集群和注册表都属于同一个项目。

By default GKE nodes have permissions to pull images from Container Registry when the registry is in the same Google Cloud project as your nodes.

所以我真的迷路了。看来我搞砸了一些权限。我该如何解决这个问题？

$ kubectl describe pod <application>

[...]
Events:
  Type     Reason   Age                      From     Message
  ----     ------   ----                     ----     -------
  Normal   Pulling  17m (x43 over 3h33m)     kubelet  Pulling image "eu.gcr.io/<project>/<application>:d3...bc"
  Normal   BackOff  7m56s (x906 over 3h32m)  kubelet  Back-off pulling image "eu.gcr.io/<project>/<application>:d3...bc"
  Warning  Failed   2m57s (x928 over 3h32m)  kubelet  Error: ImagePullBackOff
  Warning  Failed   4m23s (x210 over 17h)   kubelet  Failed to pull image "eu.gcr.io/<project>/<application>:d3...bc": rpc error: code = Unknown desc = failed to pull and unpack image "eu.gcr.io/<project>/<application>:d3...bc": failed to resolve reference "eu.gcr.io/<project>/<application>:d3...bc": unexpected status code [manifests d3...bc]: 401 Unauthorized

Answer 1

缺少访问属性，但可以按照文档 Access control with IAM 的指示手动添加所需的访问权限。

这样，它就可以部署示例代码。从 GKE 到 GCR 的自动访问似乎不起作用。

Answer 2

很可能您的 SA 已被删除。

以下链接将帮助您恢复

https://cloud.google.com/iam/docs/creating-managing-service-accounts#undeleting https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts/undelete

但是请记住，您无法恢复已删除超过 30 天的 SA。

集群不允许从容器注册表中拉取图像

Cluster not allowed to pull images from container registry

kubernetes

google-cloud-platform

google-kubernetes-engine

google-container-registry