在另一个项目中使用GKE的Google Container Registry [英] Using Google Container Registry from GKE in another project

问题描述

GKE集群如何从另一个项目中托管的Container Registry中提取容器映像?

How can a GKE cluster pull container images from a Container Registry hosted in another project?

我在项目<reader-project>中有一个GKE集群，试图访问项目<registry-project>中的GCR图像.

I have a GKE cluster in project <reader-project> trying to access a GCR image in project <registry-project>.

我尝试将<reader-project>的GCE服务帐户电子邮件添加为具有<registry-project>的存储分区中具有读取器访问权限的用户，但是仍然出现错误:

I've tried adding the GCE service account email for <reader-project> as a User with Reader access on the storage bucket in <registry-project>, but I'm still getting the error:

<Error><Code>AccessDenied</Code>
<Message>Access denied.</Message>
<Details>Caller does not have storage.objects.get access to object us.artifacts.<registry-project>.appspot.com/containers/images/sha256:<tag>.
</Details></Error>

推荐答案

尝试以具有存储对象查看器角色的用户身份添加GCE服务帐户电子邮件.它使服务帐户对项目中的GCS对象(容器映像)具有只读访问权限.

Try to add GCE service account email as a User with Storage Object Viewer role. It gives the service account Read-Only access to GCS objects(container images) in your project.

这篇关于在另一个项目中使用GKE的Google Container Registry的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！