在另一个项目中使用GKE的Google Container Registry [英] Using Google Container Registry from GKE in another project
问题描述
GKE集群如何从另一个项目中托管的Container Registry中提取容器映像?
How can a GKE cluster pull container images from a Container Registry hosted in another project?
我在项目<reader-project>
中有一个GKE集群,试图访问项目<registry-project>
中的GCR图像.
I have a GKE cluster in project <reader-project>
trying to access a GCR image in project <registry-project>
.
我尝试将<reader-project>
的GCE服务帐户电子邮件添加为具有<registry-project>
的存储分区中具有读取器访问权限的用户,但是仍然出现错误:
I've tried adding the GCE service account email for <reader-project>
as a User with Reader access on the storage bucket in <registry-project>
, but I'm still getting the error:
<Error><Code>AccessDenied</Code>
<Message>Access denied.</Message>
<Details>Caller does not have storage.objects.get access to object us.artifacts.<registry-project>.appspot.com/containers/images/sha256:<tag>.
</Details></Error>
推荐答案
尝试以具有存储对象查看器角色的用户身份添加GCE服务帐户电子邮件.它使服务帐户对项目中的GCS对象(容器映像)具有只读访问权限.
Try to add GCE service account email as a User with Storage Object Viewer role. It gives the service account Read-Only access to GCS objects(container images) in your project.
这篇关于在另一个项目中使用GKE的Google Container Registry的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!