ImagePullBackOff err while pulling docker image in different project in Google Cloud



  • I am trying to pull a private image from Artifact Registry repo in Google Cloud from a kubernetes cluster running in a different Google Cloud project using kubectl.

    kubernetes version 1.20.15-gke.1000 
    

    The service account for the kubernetes has already been given artifactregistry.reader and storageobject.viewer permissions as the image is in a different project from the kubernetes service account

    I apply the below yaml to the kubectl command.

    kubectl apply -f proxy_with_workload_identity.yaml

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: test-app
    spec:
      selector:
        matchLabels:
          app: app-project
      strategy:
        rollingUpdate:
          maxSurge: 1
          maxUnavailable: 1
        type: RollingUpdate
      template:
        metadata:
          labels:
            app: app-project
        spec:
          containers:
            - env:
                - name: DB_USER
                  valueFrom:
                    secretKeyRef:
                      key: username
                      name: db-credentials
                - name: DB_PASS
                  valueFrom:
                    secretKeyRef:
                      key: password
                      name: db-credentials
                - name: DB_NAME
                  value: postgres
              image: "us-central1-docker.pkg.dev/myproject/docker-repo/test-app:v1" 
              name: app-project
              ports:
                - containerPort: 9376
                  protocol: TCP
            - command:
                - /cloud_sql_proxy 
                - "-instances=demo-dev:us-central1:1-sql-1=tcp:5432"
              image: "gcr.io/cloudsql-docker/gce-proxy:latest"
              name: cloud-sql-proxy
              resources:
                requests:
                  cpu: 200m
                  memory: 32Mi
              securityContext:
                runAsNonRoot: true
          serviceAccountName: testapp
    

    The cloud-sql-proxy image is getting pulled and the container is running , but the image in the private-repository is not getting pulled "us-central1-docker.pkg.dev/myproject/docker-repo/test-app:v1"

    when i check the pods i am shown this error:



  • It seems that you need to add a pull-secret in the same namespace (seems that you work with default)

    Command:

    kubectl create secret docker-registry  --docker-server= --docker-username= --docker-password= --docker-email=
    

    Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/

    Then your manifest should look like

    .....
        spec:
          imagePullSecrets:
            - name: 
          containers:
            - env:
    ......
    



Suggested Topics

  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2