1

I am trying to use an image from a private repository of project A from a k8s cluster in project B. I have provided the 'Compute Image user' role to both the 'Google APIs Service Agent' account and the 'Compute Engine default service' account of project B from project A's IAM. Still, when I try to create a deployment using an image in this private repository, I get image pull errors. What could be the issue here?

peter

1 Answer

1

The "Compute Image user" role is for GCE (Google Compute Engine) and does not extend to GCR (Google Container Repository).

For GCR read access, you need to add Storage Read access, as GCR is effectively a proxy for images stored in GCS (Google Cloud Storage).

Craig Watson
  • Yes, that did the trick. I wasted half a day because Google's official documentation does not seem to mention this requirement. Thank you. – peter Apr 07 '21 at 12:24
  • @peter The issue is your misunderstanding of different versions of the term "image" - in Google terms, "image" strictly refers to GCE images and not GCR images. Easily done, but Google's documentation does mention the GCS requirement for Container Registry: "Container Registry uses Cloud Storage buckets as the underlying storage for container images. You control access to your images by granting permissions to the bucket for a registry." - source: https://cloud.google.com/container-registry/docs/access-control – Craig Watson Apr 07 '21 at 12:37
  • I was following this guide which specifically gives instructions on how to use an image from a different GCP project and I could not find the storage permission there. https://cloud.google.com/deployment-manager/docs/configuration/using-images-from-other-projects-for-vm-instances – peter Apr 08 '21 at 04:49
  • @peter The difference is the misunderstanding of the word "image" - the key is in the first sentence of the documentation you linked to (emphasis added by me): "This page describes how to configure your project so that Deployment Manager can create **Compute Engine** virtual machine instances using operating system images that belong to another project." Compute Engine uses different images to Container Repository, so the two terms are not interchangeable. A GCE image is a totally different resource to a Docker (K8S) image which is held in GCR. – Craig Watson Apr 08 '21 at 13:28
  • I see it now! Thank you. – peter Apr 09 '21 at 04:15
  • Hello @peter, if you think that Craig's answer helped you, please consider accepting it (✔️). I'd really appreciate it and please follow [what should I do when someone answers your question](https://stackoverflow.com/help/someone-answers). Have a great day, thanks! – Jyothi Kiranmayi Nov 24 '21 at 08:13
  • This is the Storage Object Viewer role, right? Granted to the service account the VM will run as? – hallvors Feb 01 '22 at 15:07
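
The grant described in the answer, as an added example that is not part of the original thread: it derives the Cloud Storage bucket behind a Container Registry hostname and builds the `gsutil` command that gives project B's node service account `roles/storage.objectViewer` on that bucket. The project ID `project-a`, the project number `123456789012` and the function names are constructed placeholders, and it assumes the cluster nodes run as the default Compute Engine service account.

```bash
#!/usr/bin/env bash
# Added example: give a GKE node service account in project B read access to
# the Cloud Storage bucket that backs project A's Container Registry.
# Project IDs, project numbers and function names are constructed placeholders.

# Map a Container Registry hostname to the bucket that stores its image layers.
gcr_bucket() {
  local host="$1" project="$2"
  case "$host" in
    gcr.io)
      echo "gs://artifacts.${project}.appspot.com" ;;
    us.gcr.io|eu.gcr.io|asia.gcr.io)
      # Regional registries prefix the bucket name with the region.
      echo "gs://${host%%.*}.artifacts.${project}.appspot.com" ;;
    *)
      echo "unsupported registry host: $host" >&2
      return 1 ;;
  esac
}

# IAM member string for a project's default Compute Engine service account
# (assumption: the node pool was not given a custom service account).
default_node_sa() {
  echo "serviceAccount:${1}-compute@developer.gserviceaccount.com"
}

# Build the command that adds roles/storage.objectViewer on the registry bucket.
grant_cmd() {
  local host="$1" image_project="$2" member="$3" bucket
  bucket="$(gcr_bucket "$host" "$image_project")" || return 1
  echo "gsutil iam ch ${member}:objectViewer ${bucket}"
}

# Print the command by default; set APPLY=1 to run it with real credentials.
grant_pull_access() {
  local cmd
  cmd="$(grant_cmd "$@")" || return 1
  if [ "${APPLY:-0}" = "1" ]; then
    $cmd
  else
    echo "$cmd"
  fi
}

# Constructed values: images live in project-a (eu.gcr.io/project-a/...),
# the cluster runs in project B, whose project number is 123456789012.
grant_pull_access eu.gcr.io project-a "$(default_node_sa 123456789012)"
```

The binding is made on the bucket in project A, so it has to be run by someone with permission to change that bucket's IAM policy; granting at bucket level keeps the access scoped to registry images rather than all storage in the project.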