Authentication methods using a JSON key file: unauthorized: GCR login failed

Views: 105

Question

Mostly addressed to: google-cloud-platform

Overall problem I am trying to solve is: to pull images from Google Container Registry from private Kubernetes.

Update: Just added heptio-contour if someone over there has come across this - as the good people at Heptio have created the script mentioned in the question further down - thanks.

First step is to just use the Service Account with a JSON key - as described here.
But when I run:

cat gcr-sa-key.json | docker login -u _json_key --password-stdin https://gcr.io

I should be able to log in to docker, but it fails with:

cat gcr-sa-key.json | docker login -u _json_key --password-stdin https://gcr.io
Error response from daemon: Get https://gcr.io/v2/: unauthorized: GCR login failed. You may have invalid credentials. To login successfully, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication

Note: I got the gcr-sa-key.json file from running this - keep in mind that I am overall trying to use this from Kubernetes.

I expect this to be a Google issue, but/and if I do run as described in the doc from Heptio I get:

Events:
  Type     Reason          Age                From                                        Message
  ----     ------          ----               ----                                        -------
  Normal   Scheduled       50s                default-scheduler                           Successfully assigned default/<image-name>-deployment-v1-844568c768-5b2rt to my-cluster-digitalocean-1-7781
  Normal   Pulling         37s (x2 over 48s)  kubelet, my-cluster-digitalocean-1-7781  pulling image "gcr.io/<project-name><image-name>:v1"
  Warning  Failed          37s (x2 over 48s)  kubelet, my-cluster-digitalocean-1-7781  Failed to pull image "gcr.io/<project-name>/<image-name>:v1": rpc error: code = Unknown desc = Error response from daemon: pull access denied for gcr.io/<project-name>/<image-name>, repository does not exist or may require 'docker login'
  Warning  Failed          37s (x2 over 48s)  kubelet, my-cluster-digitalocean-1-7781  Error: ErrImagePull
  Normal   SandboxChanged  31s (x7 over 47s)  kubelet, my-cluster-digitalocean-1-7781  Pod sandbox changed, it will be killed and re-created.
  Normal   BackOff         29s (x6 over 45s)  kubelet, my-cluster-digitalocean-1-7781  Back-off pulling image "gcr.io/<project-name>/<image-name>:v1"
  Warning  Failed          29s (x6 over 45s)  kubelet, my-cluster-digitalocean-1-7781  Error: ImagePullBackOff

Just info that might be related: I saw this issue on GitHub.

Answer

You are missing the most important bit: you need to somehow grant Kubernetes' default service account (the simplest approach) the permission to access your private container registry while pulling images. You do this in three steps:

  1. Create and grant your GCP service account the appropriate role in IAM (at least Storage Object Viewer) as explained here in the official doc
  2. Create a Kubernetes secret (of 'docker-registry' type) using the downloaded JSON key for your GCP service account

kubectl create secret docker-registry my-private-gcr-readonly \
--docker-server=gcr.io \
--docker-username=_json_key \
--docker-password="$(cat /usr/local/home/demo/414141.json)" \
--docker-email=some@project-id.iam.gserviceaccount.com

  3. Grant your default Kubernetes service account (under whose security context your Pods run by default) the permission to pull images from the private GCR repository. This can be done indirectly, by assigning it the secret for the imagePull operation:

kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "my-private-gcr-readonly"}]}'

That's it!

PS.

You can also check this tutorial, which explains both ways of accessing Google Container Registry from within a Kubernetes cluster (using a JSON key or an access token).
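As an added example (not part of the answer above, and not code from Google or the Kubernetes project), the script below builds the same kind of `kubernetes.io/dockerconfigjson` Secret that `kubectl create secret docker-registry` produces in step 2, plus the `imagePullSecrets` patch from step 3, and includes a decode helper so you can inspect an existing pull secret and confirm the `_json_key` username and the whole key document are in place. The service-account key is a constructed placeholder, and the function names (`build_pull_secret`, `build_sa_patch`, `decode_pull_secret`, `validate_key`) are my own.

```python
import base64
import json

# Constructed sample service-account key: field names match what Google
# issues, but every value here is a placeholder, not a real credential.
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "PLACEHOLDER_KEY_ID",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "gcr-puller@example-project.iam.gserviceaccount.com",
}


def validate_key(key: dict) -> None:
    """Reject files that are not a service-account private key.

    A user-credential or OAuth-client JSON, or a truncated download, has
    the wrong shape and will be refused by the registry just like a bad
    password, so fail early with a clear message instead.
    """
    if key.get("type") != "service_account":
        raise ValueError("key file 'type' must be 'service_account'")
    for field in ("private_key", "client_email", "project_id"):
        if not key.get(field):
            raise ValueError(f"key file is missing '{field}'")


def build_pull_secret(key: dict, name: str, registry: str = "gcr.io",
                      namespace: str = "default") -> dict:
    """Return a Secret manifest equivalent to
    `kubectl create secret docker-registry` with --docker-username=_json_key.

    The password is the entire JSON key document, not just the private key.
    """
    validate_key(key)
    password = json.dumps(key)
    # Docker's config format also carries "auth" = base64("user:password").
    auth = base64.b64encode(f"_json_key:{password}".encode()).decode()
    docker_config = {
        "auths": {
            registry: {
                "username": "_json_key",
                "password": password,
                "email": key["client_email"],
                "auth": auth,
            }
        }
    }
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {
            ".dockerconfigjson": base64.b64encode(
                json.dumps(docker_config).encode()).decode()
        },
    }


def build_sa_patch(secret_name: str) -> dict:
    """Body for `kubectl patch serviceaccount default -p '<json>'`."""
    return {"imagePullSecrets": [{"name": secret_name}]}


def decode_pull_secret(secret: dict, registry: str = "gcr.io") -> dict:
    """Inspect a dockerconfigjson Secret (e.g. from `kubectl get secret -o json`).

    Returns the username, email, the parsed key document and whether the
    "auth" field agrees with username:password, so a secret created by
    hand with the wrong user or only part of the key file stands out.
    """
    cfg = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
    entry = cfg["auths"][registry]
    expected_auth = base64.b64encode(
        f"{entry['username']}:{entry['password']}".encode()).decode()
    return {
        "username": entry["username"],
        "email": entry["email"],
        "key": json.loads(entry["password"]),
        "auth_ok": entry.get("auth") == expected_auth,
    }


if __name__ == "__main__":
    secret = build_pull_secret(SAMPLE_KEY, "my-private-gcr-readonly")
    print(json.dumps(secret, indent=2))           # feed to `kubectl apply -f -`
    print(json.dumps(build_sa_patch("my-private-gcr-readonly")))
    print(decode_pull_secret(secret)["username"])  # _json_key
```

Pipe the printed manifest into `kubectl apply -f -` and the patch body into `kubectl patch serviceaccount default -p`, which gives the same end state as the two commands in the answer; the decode helper is the quickest way to confirm an existing secret was created with `_json_key` and the full key file rather than a single field of it.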
