Problem description
I was able to create a Kubernetes cluster, and I followed the steps in these to pull a private image from the GCR repository: https://cloud.google.com/container-registry/docs/advanced-authentication https://cloud.google.com/container-registry/docs/access-control
I am unable to pull images from GCR. I have used the following command: gcloud auth login. I have authenticated the service account. Connection between the local machine and GCR.
Below is the error
$ kubectl describe pod test-service-55cc8f947d-5frkl
Name: test-service-55cc8f947d-5frkl
Namespace: default
Priority: 0
Node: gke-test-gke-clus-test-node-poo-c97a8611-91g2/10.128.0.7
Start Time: Mon, 12 Oct 2020 10:01:55 +0530
Labels: app=test-service
pod-template-hash=55cc8f947d
tier=test-service
Annotations: kubernetes.io/limit-ranger: LimitRanger plugin set: cpu request for container test-service
Status: Pending
IP: 10.48.0.33
IPs:
IP: 10.48.0.33
Controlled By: replicaset/test-service-55cc8f947d
Containers:
test-service:
Container ID:
Image: gcr.io/test-256004/test-service:v2
Image ID:
Port: 8080/TCP
Host Port: 0/TCP
State: Waiting
Reason: ErrImagePull
Ready: False
Restart Count: 0
Requests:
cpu: 100m
Environment:
test_SERVICE_BUCKET: test-pt-prod
copY_FILES_DOCKER_IMAGE: gcr.io/test-256004/test-gcs-copy:latest
test_GCP_PROJECT: test-256004
PIXALATE_GCS_DATASET: test_pixalate
PIXALATE_BQ_TABLE: pixalate
APP_ADS_TXT_GCS_DATASET: test_appadstxt
APP_ADS_TXT_BQ_TABLE: appadstxt
Mounts:
/test/output from test-volume (rw)
/var/run/secrets/kubernetes.io/serviceaccount from default-token-6g7nl (ro)
Conditions:
Type Status
Initialized True
Ready False
ContainersReady False
PodScheduled True
Volumes:
test-volume:
Type: PersistentVolumeClaim (a reference to a PersistentVolumeClaim in the same namespace)
ClaimName: test-pvc
ReadOnly: false
default-token-6g7nl:
Type: Secret (a volume populated by a Secret)
SecretName: default-token-6g7nl
Optional: false
QoS Class: Burstable
Node-Selectors: <none>
Tolerations: node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 42s default-scheduler Successfully assigned default/test-service-55cc8f947d-5frkl to gke-test-gke-clus-test-node-poo-c97a8611-91g2
Normal SuccessfulAttachVolume 38s attachdetach-controller AttachVolume.Attach succeeded for volume "pvc-25025b4c-2e89-4400-8e0e-335298632e74"
Normal SandboxChanged 31s kubelet, gke-test-gke-clus-test-node-poo-c97a8611-91g2 Pod sandbox changed, it will be killed and re-created.
Normal Pulling 15s (x2 over 32s) kubelet, gke-test-gke-clus-test-node-poo-c97a8611-91g2 Pulling image "gcr.io/test-256004/test-service:v2"
Warning Failed 15s (x2 over 32s) kubelet, gke-test-gke-clus-test-node-poo-c97a8611-91g2 Failed to pull image "gcr.io/test-256004/test-service:v2": rpc error: code = Unknown desc = Error response from daemon: pull access denied for gcr.io/test-256004/test-service, repository does not exist or may require 'docker login': denied: Permission denied for "v2" from request "/v2/test-256004/test-service/manifests/v2".
Warning Failed 15s (x2 over 32s) kubelet, gke-test-gke-clus-test-node-poo-c97a8611-91g2 Error: ErrImagePull
Normal BackOff 3s (x4 over 29s) kubelet, gke-test-gke-clus-test-node-poo-c97a8611-91g2 Back-off pulling image "gcr.io/test-256004/test-service:v2"
Warning Failed 3s (x4 over 29s) kubelet, gke-test-gke-clus-test-node-poo-c97a8611-91g2 Error: ImagePullBackOff
Solution
If you are not using Workload Identity, the pod's default service account is the node's one, and by default nodes use the Compute Engine service account.
Make sure it is granted the correct permissions to access GCR.
If you use another service account, grant it the "Storage Object Viewer" role (when pulling an image, you are reading blobs stored in Cloud Storage, so it needs at least the same permissions).
Note: even though it is the default service account, I do not recommend using the Compute Engine service account or changing its roles. Indeed, it is project Editor, which is a lot of responsibility.
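The following script is an added example and not part of the answer above: it resolves which service account the GKE node pool runs as, derives the Cloud Storage bucket that backs a gcr.io image, and grants Storage Object Viewer on that bucket only, so the node can read images without the project-wide Editor role the answer warns about. The cluster, zone and node-pool names in the usage line are placeholders; the image and project ID are the ones from the question.

```shell
#!/bin/sh
# Added example, not code from the question or the answer.
# Assumes gcloud and gsutil are installed and authenticated.
set -eu

# Map a gcr.io image reference to the bucket GCR stores its layers in:
#   gcr.io/PROJECT/...        -> artifacts.PROJECT.appspot.com
#   REGION.gcr.io/PROJECT/... -> REGION.artifacts.PROJECT.appspot.com
gcr_bucket() {
  host=${1%%/*}                      # gcr.io, us.gcr.io, eu.gcr.io, ...
  rest=${1#*/}
  project=${rest%%/*}
  case "$host" in
    gcr.io)   echo "artifacts.${project}.appspot.com" ;;
    *.gcr.io) echo "${host%%.gcr.io}.artifacts.${project}.appspot.com" ;;
    *)        echo "not a gcr.io image: $1" >&2; return 1 ;;
  esac
}

# The node pool reports "default" when it runs as the Compute Engine
# default service account, whose email is derived from the project number.
node_sa_email() {
  sa=$1; project_number=$2
  if [ "$sa" = "default" ]; then
    echo "${project_number}-compute@developer.gserviceaccount.com"
  else
    echo "$sa"
  fi
}

# Grant pull access as objectViewer on the registry bucket only, rather
# than widening the node service account's project-level roles.
grant_pull() {
  image=$1; cluster=$2; zone=$3; pool=$4; project=$5
  sa=$(gcloud container node-pools describe "$pool" --cluster "$cluster" \
         --zone "$zone" --format='value(config.serviceAccount)')
  number=$(gcloud projects describe "$project" --format='value(projectNumber)')
  member="serviceAccount:$(node_sa_email "$sa" "$number")"
  bucket=$(gcr_bucket "$image")
  gsutil iam ch "${member}:objectViewer" "gs://${bucket}"
}

# Usage (cluster/zone/pool are placeholders; image and project are from the question):
# grant_pull gcr.io/test-256004/test-service:v2 test-gke-cluster us-central1-a default-pool test-256004
```

After the grant, delete the stuck pod (or wait for the back-off) so the kubelet retries the pull with the new permission.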