GKE群集无法从同一项目(GitLab Kubernetes集成)中的GCR注册表中提取(ErrImagePull):为什么? [英] GKE Cluster can't pull (ErrImagePull) from GCR Registry in same project (GitLab Kubernetes Integration): Why?
问题描述
因此,在谷歌搜索了一下之后(有人对Pull Secrets有麻烦,这被污染了),我将其发布到这里-并发送到GCP支持(据我所知将更新).
So after googling a little bit (which is polluted by people having trouble with Pull Secrets) I am posting this here — and to GCP Support (will update as I hear).
我通过GitLab Kubernetes集成创建了一个集群(文档: https://about.gitlab.com/solutions /kubernetes )与我的GCR注册表/图像位于同一项目中.
I created a Cluster from GitLab Kubernetes integration (docs: https://about.gitlab.com/solutions/kubernetes) within the same project as my GCR registry / images.
当我使用Kubectl(依赖于该项目中GCR注册表中的私有映像)向该集群添加新服务/部署时,GitLab创建的集群中的pod不能通过ErrImagePull从GCR中提取.
When I add a new service / deployment to this Cluster using Kubectl (which relies on a private image within the GCR Registry in this project) the pods in the GitLab created cluster fail to pull from GCR with: ErrImagePull.
要明确-我不是从GitLab私有注册表中提取,而是尝试从与从GitLab创建的GKE群集相同的项目中的GCR注册表中提取(该消息不需要"Pull Secret").
To be clear — I am NOT pulling from a GitLab private registry, I am attempting to pull from a GCR Registry within the same project as the GKE cluster created from GitLab (which should not require a Pull Secret).
该项目中的其他群集(通过GCP控制台创建)可以正确访问同一图像,因此我的想法是,通过API(在本例中为GitLab)创建的群集与通过GCP控制台创建的群集之间存在一些差异.
Other Clusters (created from GCP console) within this project can properly access the same image so my thinking is that there is some difference between Clusters created via an API (in this case from GitLab) vs Clusters created from the GCP console.
我希望过去有人遇到过这种情况-或可以解释可能导致问题的服务帐户等方面的差异.
I am hoping someone has run into this in the past — or can explain the differences in the Service Accounts etc that could be causing the problem.
我将尝试创建一个服务帐户,并手动为其授予Project Viewer角色,以查看是否可以解决问题.
I am going to attempt to create a service account and manually grant it Project Viewer role to see if that solves the problem.
更新:手动配置的服务帐户无法解决问题.
Update: manually configured Service Account did not solve issue.
注意:我试图将映像拉入群集,而不是拉入在群集上运行的GitLab Runner中. IE.我希望在我的GitLab基础架构旁边运行单独的服务/部署.
推荐答案
TL; DR-由GitLab-Ci Kubernetes Integration创建的群集无法在与容器映像相同的项目中从GCR注册表中提取映像,而无需修改节点权限(范围).
TL;DR — Clusters created by GitLab-Ci Kubernetes Integration will not be able to pull an image from a GCR Registry in the same project as the container images — without modifying the Node(s) permissions (scopes).
默认情况下,由GitLab-Ci的Kubernetes集成创建的群集创建的群集节点的创建对Google Cloud服务具有最小的权限(范围).
By default the Cluster Nodes created by a Cluster which was itself created by GitLab-Ci's Kubernetes Integration are created with minimal permissions (scopes) to Google Cloud services.
您可以从GCP控制台仪表板的群集中直观地看到此内容,向下滚动到权限部分,然后查找存储":
You can see this visually from the GCP console dashboard for your cluster, scroll down to the permissions section and look for "Storage":
从本质上讲,这意味着您在GitLab-Ci Kubernetes集成集群中运行的节点将不具有从GCR注册表中提取映像所需的默认GCR注册表(只读)权限.
This essentially means that the Node(s) running within your GitLab-Ci Kubernetes integration cluster WILL NOT have the default GCR Registry (read-only) permissions necessary to pull an image from a GCR Registry.
这也意味着(据我所知),即使您授予了服务帐户对GCR注册表的适当访问权限,也仍然无法正常工作-不能完全确定我正确设置了服务帐户,但我相信我做到了.
It also means (as far as I can tell) that even if you grant a Service Account proper access to the GCR Registry it still will not work — not totally sure I set my Service Account up properly but I believe I did.
太好了.
基本上,您有两个选择.第一个是创建一个集群(即在GitLab Kubernetes集成之外),然后按照手册连接到现有集群"中的说明进行操作,将您的GitLab项目重新连接到THAT集群: https://gitlab.com/help/user/project/clusters /index#adding-an-existing-kubernetes-cluster
Basically you have two options. The first one is to create a Cluster (ie. outside of GitLab Kubernetes Integration) and then re-connect your GitLab project to THAT Cluster by following the manual 'connect to an existing Cluster' directions that can be found here: https://gitlab.com/help/user/project/clusters/index#adding-an-existing-kubernetes-cluster
第二个选项是修改您的权限,但这更加复杂.
The second option is to modify your permissions but that is more complicated.
这篇关于GKE群集无法从同一项目(GitLab Kubernetes集成)中的GCR注册表中提取(ErrImagePull):为什么?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
