Authentication methods using a JSON key file: unauthorized: GCR login failed

夕颜 2020-12-21 16:22

Mostly addressed to: google-cloud-platform

The overall problem I am trying to solve is to pull images from Google Container Registry from private Kubernetes.

1 answer
  •  隐瞒了意图╮
    2020-12-21 16:29

    You are missing the most important bit: you need to somehow grant Kubernetes' default service account (the simplest approach) permission to access your private container registry while pulling images. You do this in three steps:

    1. Create your GCP service account and grant it an appropriate role in IAM (at least Storage Object Viewer), as explained here in the official doc
    2. Create a Kubernetes secret (of 'docker-registry' type) using the downloaded JSON key for your GCP service account

    kubectl create secret docker-registry my-private-gcr-readonly \
    --docker-server=gcr.io \
    --docker-username=_json_key \
    --docker-password="$(cat /usr/local/home/demo/414141.json)" \
    --docker-email=some@project-id.iam.gserviceaccount.com

    3. Grant your default Kubernetes service account (your Pods run under its security context by default) the right to pull images from the private GCR repo. This is done indirectly, by assigning it the secret for the imagePull operation:

    kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "my-private-gcr-readonly"}]}'

    That's it!

    PS.

    You can also check this tutorial, which explains both ways of accessing Google Container Registry from within a Kubernetes cluster (using a JSON key or an access token)
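
Steps 2 and 3 above only work if the JSON key reaches the Secret intact. The following added example, which is not part of the original answer, builds the equivalent `kubernetes.io/dockerconfigjson` Secret in Python and rejects a truncated or wrong-type key file before it is stored; the function names and the sample key are constructed for illustration.

```python
import base64
import json

REQUIRED_FIELDS = ("type", "project_id", "private_key", "client_email")

def build_pull_secret(key_json: str, name: str = "my-private-gcr-readonly",
                      server: str = "gcr.io", namespace: str = "default") -> dict:
    """Return a kubernetes.io/dockerconfigjson Secret manifest for a GCP JSON key."""
    key = json.loads(key_json)  # raises ValueError on a truncated or mangled key file
    if not isinstance(key, dict):
        raise ValueError("key file must contain a JSON object")
    missing = [f for f in REQUIRED_FIELDS if not key.get(f)]
    if missing:
        raise ValueError(f"key file is missing fields: {missing}")
    if key["type"] != "service_account":
        raise ValueError(f"expected a service_account key, got {key['type']!r}")
    # The registry username is the literal string _json_key; the password is
    # the entire key file, unmodified.
    auth = base64.b64encode(f"_json_key:{key_json}".encode()).decode()
    config = {"auths": {server: {"username": "_json_key", "password": key_json,
                                 "email": key["client_email"], "auth": auth}}}
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "kubernetes.io/dockerconfigjson",
        "metadata": {"name": name, "namespace": namespace},
        "data": {".dockerconfigjson":
                 base64.b64encode(json.dumps(config).encode()).decode()},
    }

def decode_pull_secret(secret: dict) -> dict:
    """Decode a Secret (e.g. from `kubectl get secret NAME -o json`) for inspection."""
    return json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))

# Constructed sample key: same shape as a downloaded key file, no real credentials.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "project-id",
    "private_key_id": "0000",
    "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n",
    "client_email": "some@project-id.iam.gserviceaccount.com",
})

if __name__ == "__main__":
    manifest = build_pull_secret(SAMPLE_KEY)
    entry = decode_pull_secret(manifest)["auths"]["gcr.io"]
    print(manifest["metadata"]["name"], entry["username"], entry["email"])
```

The returned manifest can be serialized with `json.dumps` and applied with `kubectl apply -f`, which accepts JSON as well as YAML.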
