I am trying to configure my GKE cluster to pull from a private GCR repo in the same project. I am not using OAuth scopes but have associated a least-privilege service account with the default node pool and provided it with the roles/storage.objectViewer permission.
However, I am still receiving the following when trying to access this image:
Failed to pull image "eu.gcr.io/<project>/<image>": rpc error: code = Unknown desc = Error response from daemon: unauthorized: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication
Do I also need to configure imagePullSecrets, or should the roles/storage.objectViewer permission be sufficient?
Google Cloud services that typically access Container Registry are configured with default permissions to registries in the same Google Cloud project. If the default permissions don't meet your needs, you must configure the appropriate permissions.
You cannot grant permissions on repositories within a registry. If you need more granular access control, Artifact Registry provides repository-level access control and might better suit your needs.
The root cause of this issue was not setting access (OAuth) scopes on the cluster instances, preventing the service account from working as intended.
From the GCP docs about Compute service accounts:
You must set access scopes on the instance to authorize access.
You cannot set only IAM roles on the service account and omit access scopes when creating the virtual machine instance. The level of access a service account has is determined by a combination of access scopes and IAM roles so you must configure both access scopes and IAM roles for the service account to work properly.
The minimal scopes required when accessing private images in GCR can be found here with the meaning of these scopes found here. A least privilege service account for the cluster nodes can then be created following the instructions here.
As described here, an alternative would be to only grant the https://www.googleapis.com/auth/cloud-platform scope to the cluster nodes, which authorises access to all Cloud Platform services, and then limit access through IAM roles on node service accounts.
By configuring the cluster nodes as above, imagePullSecrets are not required for pulling private images from GCR in the same project.
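The procedure the answer describes, as an added example that is not part of the question or the answer: create a least-privilege node service account, bind the IAM roles it needs (the logging/monitoring roles are assumed from GKE's least-privilege guidance; roles/storage.objectViewer is the one from the thread), and create a node pool that carries both that service account and the matching OAuth scopes, since the answer's point is that the role alone is not enough. It also includes a check for an existing pool's scopes, which is what to inspect when the "unauthorized" pull error in the question appears. Project, cluster, location, pool and service-account names are placeholders; the `run` helper and `DRY_RUN` switch are this example's own, so the commands can be previewed without touching a project.

```shell
#!/bin/sh
# Added example (not from the question or answer). All names are placeholders.
PROJECT_ID="${PROJECT_ID:-my-project}"
CLUSTER="${CLUSTER:-my-cluster}"
LOCATION="${LOCATION:-europe-west1-b}"
POOL="${POOL:-least-priv-pool}"
SA_NAME="${SA_NAME:-gke-node-sa}"
SA_EMAIL="${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"

# OAuth scopes for the nodes. devstorage.read_only is what lets the kubelet
# read image layers out of the GCR storage bucket; logging.write and
# monitoring are the usual node scopes. Without the storage scope the
# objectViewer role on its own does not authorise the pull.
NODE_SCOPES="https://www.googleapis.com/auth/devstorage.read_only,https://www.googleapis.com/auth/logging.write,https://www.googleapis.com/auth/monitoring"

# Helper: print the command instead of running it when DRY_RUN is set.
run() {
  if [ -n "${DRY_RUN:-}" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Step 1: dedicated node service account with only the roles nodes need.
# The logging/monitoring roles are an assumption taken from GKE's
# least-privilege node guidance; objectViewer is the GCR read role.
create_node_service_account() {
  run gcloud iam service-accounts create "$SA_NAME" \
    --project="$PROJECT_ID" --display-name="GKE node service account"
  for role in roles/logging.logWriter roles/monitoring.metricWriter \
              roles/monitoring.viewer roles/storage.objectViewer; do
    run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
      --member="serviceAccount:${SA_EMAIL}" --role="$role"
  done
}

# Step 2: node pool that uses that service account AND the matching scopes.
create_node_pool() {
  run gcloud container node-pools create "$POOL" \
    --project="$PROJECT_ID" --cluster="$CLUSTER" --location="$LOCATION" \
    --service-account="$SA_EMAIL" --scopes="$NODE_SCOPES"
}

# Pure check: does a scope list (comma- or semicolon-separated) allow reading
# GCR image layers? Any Cloud Storage read scope or cloud-platform qualifies.
scopes_allow_gcr_pull() {
  case "$1" in
    *auth/devstorage.read_only*|*auth/devstorage.read_write*|\
    *auth/devstorage.full_control*|*auth/cloud-platform*) return 0 ;;
    *) return 1 ;;
  esac
}

# Step 3: inspect an existing pool; exit status 0 means the pull scope is there.
pool_has_gcr_pull_scope() {
  scopes=$(gcloud container node-pools describe "$POOL" \
    --project="$PROJECT_ID" --cluster="$CLUSTER" --location="$LOCATION" \
    --format='value(config.oauthScopes)')
  scopes_allow_gcr_pull "$scopes"
}

# Usage: DRY_RUN=1 sh this-script.sh   (preview)  or  sh this-script.sh (apply)
if [ "${0##*/}" != "sh" ] && [ -z "${GKE_EXAMPLE_NO_MAIN:-}" ] && [ "$#" -eq 0 ] && [ -n "${RUN_GKE_EXAMPLE:-}" ]; then
  create_node_service_account
  create_node_pool
  pool_has_gcr_pull_scope && echo "pool $POOL can pull from GCR"
fi
```

Run with `DRY_RUN=1 RUN_GKE_EXAMPLE=1 sh script.sh` to print the gcloud commands first; the `scopes_allow_gcr_pull` check is deliberately a pure function so the same test can be applied to the output of `gcloud container node-pools describe` for a pool that already exists and still shows the error from the question.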