Kubernetes Pod无法从容器注册表(gcp)中提取图像 [英] Kubernetes pods can't pull images from container registry (gcp)

问题描述

我想用一个存在于"eu.gcr.io"(相同项目)上的新映像来更新我在kubernetes上的部署，我之前已经做过.但是现在，吊舱无法拉动图像，因为它们无权这样做.这是我们在pod日志中得到的错误.

I want to update my deployment on kubernetes with a new image which exists on 'eu.gcr.io' (same project), I have done this before. But now the pods fail to pull the image because they are not authorized to do so. This is the error that we get in the pod logs.

Failed to pull image "eu.gcr.io/my-gcp-project/my-image:v1.009": 
rpc error: code = Unknown desc = Error response from daemon: 
unauthorized: You don't have the needed permissions to perform this operation,
and you may have invalid credentials.

集群上的服务帐户具有 kubernetes管理员和存储管理员角色，这些角色应为

The service account on the cluster has kubernetes admin and storage admin roles which should be sufficient. But even when I make the service account project editor (for debugging sake) it still doesn't work (same error).

我也尝试过创建一个新的新集群(默认设置)并在其中应用我的部署，但是然后我遇到了完全相同的问题.

I have also tried creating a fresh new cluster (default settings) and apply my deployment there, but then I got the exact same issue.

我不确定我可以尝试什么了.

I'm not sure what I can try anymore.

任何帮助或建议，我们将不胜感激.

Any help or suggestions are greatly appreciated.

我刚刚发现我仍然可以拉出并部署较旧的映像.但是，我构建的每个新映像都不能被kubernetes吊舱拉动.

I just found out that I can still pull and deploy older images. But every new image I build cannot be pulled by the kubernetes pods.

推荐答案

根据您的意愿

我刚刚发现我仍然可以拉出并部署较旧的映像.但是，我构建的每个新映像都不能被kubernetes吊舱拉动.

I just found out that I can still pull and deploy older images. But every new image I build cannot be pulled by the kubernetes pods.

我假设您可以通过命令拉docker映像，但不能通过kubectl拉动

I assume you can pull docker image by command, but not kubectl.

docker pull eu.gcr.io/my-gcp-project/my-image:v1.009 

因此，本文引用将Google Container Registry与Kubernetes结合使用，通过 docker pull 和 kubectl 提取docker映像之间的身份验证是不同的.

So reference by this article Using Google Container Registry with Kubernetes, the authenication is differnet between pull docker image by docker pull and kubectl .

您是否向GKE提供了访问令牌?

Did you give access token to GKE?

kubectl create secret docker-registry gcr-access-token \
--docker-server=eu.gcr.io \
--docker-username=oauth2accesstoken \
--docker-password="$(gcloud auth print-access-token)" \
--docker-email=any@valid.email

这篇关于Kubernetes Pod无法从容器注册表(gcp)中提取图像的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！