GKE-ErrImagePull从Google Container Registry中提取 [英] GKE - ErrImagePull pulling from Google Container Registry

问题描述

我有一个Google Kubernetes Engine集群，该集群直到最近一直很高兴地从Google Container Registry存储桶中提取私有容器映像.我没有做任何更改，但是现在当我更新Kubernetes部署时，它无法启动新的Pod，并且发生以下事件:

I have a Google Kubernetes Engine cluster which until recently was happily pulling private container images from a Google Container Registry bucket. I haven't changed anything, but now when I update my Kubernetes Deployments, it's unable to launch new pods, and I get the following events:

Normal   Pulling  14s                kubelet, <node-id>  pulling image "gcr.io/cloudsql-docker/gce-proxy:latest"
Normal   Pulling  14s                kubelet, <node-id>  pulling image "gcr.io/<project-id>/backend:62d634e"
Warning  Failed   14s                kubelet, <node-id>  Failed to pull image "gcr.io/<project-id>/backend:62d634e": rpc error: code = Unknown desc = unauthorized: authentication required
Warning  Failed   14s                kubelet, <node-id>  Error: ErrImagePull
Normal   Pulled   13s                kubelet, <node-id>  Successfully pulled image "gcr.io/cloudsql-docker/gce-proxy:latest"
Normal   Created  13s                kubelet, <node-id>  Created container
Normal   Started  13s                kubelet, <node-id>  Started container
Normal   BackOff  11s (x2 over 12s)  kubelet, <node-id>  Back-off pulling image "gcr.io/<project-id>/backend:62d634e"
Warning  Failed   11s (x2 over 12s)  kubelet, <node-id>  Error: ImagePullBackOff

我已经检查了以下内容，这些内容似乎都应该是应该的:

I've checked the following things, which all seem to be as they should:

• 这些容器及其标签确实存在，并且是正确的.
• GKE群集的节点池/VM实例具有storage-ro权限
• Google Container Registry存储桶和GKE群集位于同一项目中

• The containers and their tags actually exist, and are correct.
• The node pool / VM Instances for the GKE cluster have the storage-ro permission
• The Google Container Registry bucket and GKE cluster are in the same project

我还尝试了禁用和重新启用container.googleapis.com和containerregistry.googleapis.com服务，但这无济于事.

I've also tried disabling and re-enabling the container.googleapis.com and containerregistry.googleapis.com services, but that doesn't help.

关于容器注册表的Google文档规定:

The Google documentation for the Container Registry states:

Kubernetes Engine群集自动配置为可以访问 从同一项目中的Container Registry中提取私有映像. 您无需执行其他步骤即可配置身份验证 如果注册表和群集位于同一Cloud项目中.

Kubernetes Engine clusters are automatically configured with access to pull private images from the Container Registry in the same project. You do not need to follow additional steps to configure authentication if the registry and the cluster are in the same Cloud project.

但是事实并非如此.

任何人都可以进一步了解发生了什么吗?或尝试其他步骤?

Can anyone shed additional light on what might be going on? Or additional steps to try?

推荐答案

在我的情况下，问题出在最小规范文件生成的节点池缺少用于访问注册表的oauth2范围.添加

In my case, the issue turned out to be that the node pools generated by a minimal spec file are missing the oauth2 scopes that give access to the registry. Adding

nodePools:
  config:
    oauthScopes:
    - https://www.googleapis.com/auth/devstorage.read_only
    - https://www.googleapis.com/auth/servicecontrol
    - https://www.googleapis.com/auth/service.management.readonly
    - https://www.googleapis.com/auth/trace.append

根据我的规范修复了问题.我认为重要的是devstorage范围，但是我不确定，因为我只是从Web控制台生成的规范中复制并粘贴了整个范围列表.

to my spec fixed things. I think it's the devstorage scope that's the important one, but I'm not sure since I just copy-pasted the whole list of scopes from the spec the web console generates.

这篇关于GKE-ErrImagePull从Google Container Registry中提取的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！