ImagePullSecrets GCR

时间:2017-11-17 04:05:36

标签: kubernetes service-accounts minikube google-container-registry

我在deployment.yaml文件中使用ImagePullSecrets配置GCR时遇到问题。由于许可,它无法下载容器

Failed to pull image "us.gcr.io/optimal-jigsaw-185903/syncope-deb": rpc error: code = Unknown desc = Error response from daemon: denied: Permission denied for "latest" from request "/v2/optimal-jigsaw-185903/syncope-deb/manifests/latest".

我确信我做错了但我遵循了这个教程(和其他人一样),但仍然没有运气。

https://ryaneschinger.com/blog/using-google-container-registry-gcr-with-minikube/

pod日志同样没用:

"syncope-deb" in pod "syncope-deployment-64479cdcf5-cng57" is waiting to start: trying and failing to pull image

我的部署如下:

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  # Unique key of the Deployment instance
  name: syncope-deployment
  namespace: default
spec:
  # 3 Pods should exist at all times.
  replicas: 1
  # Keep record of 2 revisions for rollback
  revisionHistoryLimit: 2
  template:
    metadata:
      labels:
        # Apply this label to pods and default
        # the Deployment label selector to this value
        app: syncope-deb
    spec:
      imagePullSecrets:
      - name: mykey
      containers:
      - name: syncope-deb
        # Run this image
        image: us.gcr.io/optimal-jigsaw-185903/syncope-deb
        ports:
        - containerPort: 9080

任何我在默认名称空间中都有一个名为“mykey”的密钥,它看起来像(编辑出安全数据):

{"https://gcr.io":{"username":"_json_key","password":"{\n  \"type\": \"service_account\",\n  \"project_id\": \"optimal-jigsaw-185903\",\n  \"private_key_id\": \"EDITED_TO_PROTECT_THE_INNOCENT\",\n  \"private_key\": \"-----BEGIN PRIVATE KEY-----\\EDITED_TO_PROTECT_THE_INNOCENT\\n-----END PRIVATE KEY-----\\n\",\n  \"client_email\": \"bobs-service@optimal-jigsaw-185903.iam.gserviceaccount.com\",\n  \"client_id\": \"109145305665697734423\",\n  \"auth_uri\": \"https://accounts.google.com/o/oauth2/auth\",\n  \"token_uri\": \"https://accounts.google.com/o/oauth2/token\",\n  \"auth_provider_x509_cert_url\": \"https://www.googleapis.com/oauth2/v1/certs\",\n  \"client_x509_cert_url\": \"https://www.googleapis.com/robot/v1/metadata/x509/bobs-service%40optimal-jigsaw-185903.iam.gserviceaccount.com\"\n}","email":"redfalconinc@gmail.com","auth":"EDITED_TO_PROTECT_THE_INNOCENT"}}

我甚至用以下权限加载了该用户:

  • 编辑Cloud Container
  • Builder Cloud Container
  • 构建器编辑器服务
  • 帐户演员服务
  • 帐户管理存储
  • 管理存储对象
  • 管理存储对象创建程序
  • 存储对象查看器

任何帮助都会受到赞赏,因为我花了很多时间看似非常简单的问题。

1 个答案:

答案 0 :(得分:1)

此问题很可能是由您使用类型为constructor(public globalvar: GlobalvarService) { this.findMe = this.findMe.bind(this); } 的密钥并包含有效的dockerconfigjson引起的。 dockercfg命令在导致这一点的某个位置发生了更改。

可以检查标记为kubectldockercfg的内容,然后检查其是否有效dockerconfigjson

您提供的json是dockerconfigjson(不是新格式)

有关格式的信息,请参见https://github.com/kubernetes/kubernetes/issues/12626#issue-100691532

相关问题
最新问题