Authentication methods using a JSON key file: unauthorized: GCR login failed
Question
Mostly addressed to: google-cloud-platform
Overall problem I am trying to solve is; to pull images from Google Container Registry from private Kubernetes.
Update Just added heptio-contour if someone over there has come across this - as the good people at Heptio have created the script mentioned in the question further down - thanks.
First step is to just use the Service Account with a JSON key - as described here.
But when I run:
cat gcr-sa-key.json | docker login -u _json_key --password-stdin https://gcr.io
I should be able to login docker, but it fails with:
cat gcr-sa-key.json | docker login -u _json_key --password-stdin https://gcr.io
Error response from daemon: Get https://gcr.io/v2/: unauthorized: GCR login failed. You may have invalid credentials. To login successfully, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication
Note: I got the gcr-sa-key.json file from running this - keep in mind that I am overall trying to use this from Kubernetes.
I expect this to be a Google issue, but/and if I do run as described in the doc from Heptio I get:
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 50s default-scheduler Successfully assigned default/<image-name>-deployment-v1-844568c768-5b2rt to my-cluster-digitalocean-1-7781
Normal Pulling 37s (x2 over 48s) kubelet, my-cluster-digitalocean-1-7781 pulling image "gcr.io/<project-name><image-name>:v1"
Warning Failed 37s (x2 over 48s) kubelet, my-cluster-digitalocean-1-7781 Failed to pull image "gcr.io/<project-name>/<image-name>:v1": rpc error: code = Unknown desc = Error response from daemon: pull access denied for gcr.io/<project-name>/<image-name>, repository does not exist or may require 'docker login'
Warning Failed 37s (x2 over 48s) kubelet, my-cluster-digitalocean-1-7781 Error: ErrImagePull
Normal SandboxChanged 31s (x7 over 47s) kubelet, my-cluster-digitalocean-1-7781 Pod sandbox changed, it will be killed and re-created.
Normal BackOff 29s (x6 over 45s) kubelet, my-cluster-digitalocean-1-7781 Back-off pulling image "gcr.io/<project-name>/<image-name>:v1"
Warning Failed 29s (x6 over 45s) kubelet, my-cluster-digitalocean-1-7781 Error: ImagePullBackOff
Just info that might be related: I saw this issue on GitHub.
Recommended answer
You are missing the most important bit, you need to somehow grant the Kubernetes default service account (the simplest approach) the permission to access your private container registry while pulling images. You do this in three steps:
- Create your GCP service account and grant it an appropriate role in IAM (at least Storage Object Viewer), as described here in the official docs
- Create a Kubernetes secret (of type "docker-registry") for your GCP service account using the downloaded JSON key
kubectl create secret docker-registry my-private-gcr-readonly \
--docker-server=gcr.io \
--docker-username=_json_key \
--docker-password="$(cat /usr/local/home/demo/414141.json)" \
--docker-email=some@project-id.iam.gserviceaccount.com
- Grant your default Kubernetes service account (the one your pods run under by default) the right to pull images from the private GCR repository. This is done indirectly by assigning the secret for imagePull operations:
kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "my-private-gcr-readonly"}]}'
That's it!
P.S.
You can also check this tutorial, which explains both ways of accessing Google Container Registry from within a Kubernetes cluster (using a JSON key or an access token).
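As an added example (not code from the original answer), the following builds the same two objects that the `kubectl create secret docker-registry` and `kubectl patch serviceaccount` steps above produce, so they can be reviewed or committed as manifests before touching the cluster; it also checks that the file handed over as the `_json_key` password really is a service-account key. The sample key, project name and secret name are constructed placeholders.

```python
import base64
import json

REGISTRY = "gcr.io"
REQUIRED_FIELDS = ("type", "project_id", "private_key", "client_email")

def load_service_account_key(key_text: str) -> dict:
    """Parse and sanity-check the key before it becomes the docker password.
    Handing docker login a file that is not a service-account key (or is
    truncated) is one way to get 'unauthorized: GCR login failed'."""
    key = json.loads(key_text)
    missing = [f for f in REQUIRED_FIELDS if f not in key]
    if missing or key["type"] != "service_account":
        raise ValueError(f"not a GCP service-account key; missing {missing}")
    return key

def docker_registry_secret(name: str, key_text: str) -> dict:
    """Same object `kubectl create secret docker-registry` builds for -u _json_key."""
    key = load_service_account_key(key_text)
    # GCR's _json_key scheme: literal username _json_key, the whole key file as
    # password. `auth` is base64("username:password"), the field kubelet decodes.
    auth = base64.b64encode(f"_json_key:{key_text}".encode()).decode()
    cfg = {"auths": {REGISTRY: {"username": "_json_key", "password": key_text,
                                "email": key["client_email"], "auth": auth}}}
    return {"apiVersion": "v1", "kind": "Secret", "metadata": {"name": name},
            "type": "kubernetes.io/dockerconfigjson",
            "data": {".dockerconfigjson":
                     base64.b64encode(json.dumps(cfg).encode()).decode()}}

def decoded_auth(secret: dict) -> tuple:
    """Decode the secret the way kubelet does; returns (username, password)."""
    cfg = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
    raw = base64.b64decode(cfg["auths"][REGISTRY]["auth"]).decode()
    user, _, password = raw.partition(":")
    return user, password

def service_account_patch(secret_name: str) -> str:
    """Body for `kubectl patch serviceaccount default -p ...` (step 3)."""
    return json.dumps({"imagePullSecrets": [{"name": secret_name}]})

# Constructed sample key with a placeholder private key; not a real credential.
SAMPLE_KEY = json.dumps({
    "type": "service_account", "project_id": "demo-project",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "gcr-reader@demo-project.iam.gserviceaccount.com"})

if __name__ == "__main__":
    print(json.dumps(docker_registry_secret("my-private-gcr-readonly", SAMPLE_KEY), indent=2))
    print(service_account_patch("my-private-gcr-readonly"))
```

Pipe the printed Secret into `kubectl apply -f -` and use the patch body with `kubectl patch serviceaccount default -p`; the decode helper shows exactly what the kubelet will present to gcr.io.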