ImagePullBackOff err while pulling docker image in different project in Google Cloud
-
I am trying to pull a private image from an Artifact Registry repo in Google Cloud from a Kubernetes cluster running in a different Google Cloud project using kubectl.
Kubernetes version: 1.20.15-gke.1000
The service account for the Kubernetes cluster has already been given artifactregistry.reader and storageobject.viewer permissions, as the image is in a different project from the Kubernetes service account.
I apply the below yaml to the kubectl command.
kubectl apply -f proxy_with_workload_identity.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-app
spec:
  selector:
    matchLabels:
      app: app-project
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: app-project
    spec:
      containers:
        - env:
            - name: DB_USER
              valueFrom:
                secretKeyRef:
                  key: username
                  name: db-credentials
            - name: DB_PASS
              valueFrom:
                secretKeyRef:
                  key: password
                  name: db-credentials
            - name: DB_NAME
              value: postgres
          image: "us-central1-docker.pkg.dev/myproject/docker-repo/test-app:v1"
          name: app-project
          ports:
            - containerPort: 9376
              protocol: TCP
        - command:
            - /cloud_sql_proxy
            - "-instances=demo-dev:us-central1:1-sql-1=tcp:5432"
          image: "gcr.io/cloudsql-docker/gce-proxy:latest"
          name: cloud-sql-proxy
          resources:
            requests:
              cpu: 200m
              memory: 32Mi
          securityContext:
            runAsNonRoot: true
      serviceAccountName: testapp
The cloud-sql-proxy image is getting pulled and the container is running, but the image in the private repository, "us-central1-docker.pkg.dev/myproject/docker-repo/test-app:v1", is not getting pulled.
When I check the pods I am shown this error:
-
It seems that you need to add a pull-secret in the same namespace (seems that you work with default)
Command:
kubectl create secret docker-registry --docker-server= --docker-username= --docker-password= --docker-email=
Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
Then your manifest should look like
.....
spec:
  imagePullSecrets:
    - name:
  containers:
    - env:
......
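
As an added example (not part of the answer above, and not Kubernetes or Google Cloud code): the sketch below builds the Secret object that `kubectl create secret docker-registry` produces and checks which images in the question's pod spec have a registry host covered by the Secrets listed under `imagePullSecrets`. The Secret name `regcred`, the `default` namespace, the `_json_key` username and the password value are assumptions and placeholders, and host matching is simplified to exact equality.

```python
import base64
import json

def registry_host(image):
    """Registry host of an image reference; Docker Hub when none is given."""
    first, sep, _ = image.partition("/")
    # The first component is a host only if it contains '.' or ':' or is 'localhost'.
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"

def docker_registry_secret(name, namespace, server, username, password):
    """Build the Secret object that `kubectl create secret docker-registry` creates."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    config = {"auths": {server: {"username": username, "password": password, "auth": auth}}}
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": base64.b64encode(json.dumps(config).encode()).decode()},
    }

def images_without_pull_secret(pod_spec, secrets):
    """Images whose registry has no entry in any Secret listed under imagePullSecrets."""
    by_name = {s["metadata"]["name"]: s for s in secrets}
    hosts = set()
    for ref in pod_spec.get("imagePullSecrets", []):
        secret = by_name.get(ref["name"])
        if secret is None:  # referenced Secret does not exist in the namespace
            continue
        config = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
        # Simplification: compare hosts exactly, ignoring scheme and path.
        hosts.update(h.split("://")[-1].split("/")[0] for h in config["auths"])
    return [c["image"] for c in pod_spec["containers"] if registry_host(c["image"]) not in hosts]

# Pod spec from the question, reduced to the fields the check reads, plus a pull secret.
POD_SPEC = {
    "imagePullSecrets": [{"name": "regcred"}],  # hypothetical Secret name
    "containers": [
        {"name": "app-project", "image": "us-central1-docker.pkg.dev/myproject/docker-repo/test-app:v1"},
        {"name": "cloud-sql-proxy", "image": "gcr.io/cloudsql-docker/gce-proxy:latest"},
    ],
}
# Constructed credentials: placeholder values, not real ones.
SECRET = docker_registry_secret("regcred", "default", "us-central1-docker.pkg.dev",
                                "_json_key", "PLACEHOLDER-KEY-JSON")

if __name__ == "__main__":
    print(json.dumps(SECRET, indent=2))  # JSON manifest that kubectl apply -f accepts
    print(images_without_pull_secret(POD_SPEC, [SECRET]))
```

A Secret created with a `--docker-server` that differs from the host in the image reference leaves the private image in the returned list, and the Secret must live in the same namespace as the pod that references it.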