Making sure GKE cluster has access to images

I’m doing Sprint 5 of the GCP DevOps course. I’ve corrected gke.yaml so that it references my project, but when cloudbuild tries to deploy the image to my cluster, I get an interesting error:

  Warning  Failed     28s (x3 over 67s)  kubelet            Failed to pull image "gcr.io/kodecloud-gcp-24472/gcpdevops@sha256:486b7617080e8ce12d0540231b5852fe328131d52c6beaf67e5e7d810790ccd2": rpc error: code = Unknown desc = failed to pull and unpack image "gcr.io/kodecloud-gcp-24472/gcpdevops@sha256:486b7617080e8ce12d0540231b5852fe328131d52c6beaf67e5e7d810790ccd2": failed to resolve reference "gcr.io/kodecloud-gcp-24472/gcpdevops@sha256:486b7617080e8ce12d0540231b5852fe328131d52c6beaf67e5e7d810790ccd2": pulling from host gcr.io failed with status code [manifests sha256:486b7617080e8ce12d0540231b5852fe328131d52c6beaf67e5e7d810790ccd2]: 401 Unauthorized
  Warning  Failed     28s (x3 over 67s)  kubelet            Error: ErrImagePull
  Normal   BackOff    5s (x4 over 66s)   kubelet            Back-off pulling image "gcr.io/kodecloud-gcp-24472/gcpdevops@sha256:486b7617080e8ce12d0540231b5852fe328131d52c6beaf67e5e7d810790ccd2"
  Warning  Failed     5s (x4 over 66s)   kubelet            Error: ImagePullBackOff

Note that the error seen at the K8s level is “401 Unauthorized”. Essentially, the cluster is not allowed to see my repository assets.

This appears to be a GCP permissions issue. How do I give my GKE cluster access to my other assets?

May have figured this out. I used Terraform to create my cluster, and it turns out that the example code on the HashiCorp site does not include the correct OAuth permissions for the node cluster. I’ve corrected the clause for creating GKE nodes as follows:

    oauth_scopes = [
      "https://www.googleapis.com/auth/logging.write",
      "https://www.googleapis.com/auth/monitoring",
      # https://stackoverflow.com/a/54622379/8600734
      "https://www.googleapis.com/auth/devstorage.read_only",
    ]

It’s the devstorage item that allows GKE to see the container registry in the same project.
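
A check for the condition described in this thread, added here as an example and not part of the original posts: it reads node pool JSON in the shape returned by `gcloud container node-pools list --format=json` and lists the pools whose OAuth scopes cannot read the registry. The sample input and the pool names are constructed, and the set of scopes treated as sufficient is an assumption of this example.

```python
import json

# Scopes that allow reading the Cloud Storage bucket backing gcr.io
# (assumption of this example: any one of them is sufficient for a pull).
PULL_SCOPES = {
    "https://www.googleapis.com/auth/devstorage.read_only",
    "https://www.googleapis.com/auth/devstorage.read_write",
    "https://www.googleapis.com/auth/devstorage.full_control",
    "https://www.googleapis.com/auth/cloud-platform",
}

# Constructed sample; pool names are hypothetical.
SAMPLE = """
[
  {"name": "default-pool", "config": {"oauthScopes": [
      "https://www.googleapis.com/auth/logging.write",
      "https://www.googleapis.com/auth/monitoring"]}},
  {"name": "fixed-pool", "config": {"oauthScopes": [
      "https://www.googleapis.com/auth/logging.write",
      "https://www.googleapis.com/auth/monitoring",
      "https://www.googleapis.com/auth/devstorage.read_only"]}},
  {"name": "broad-pool", "config": {"oauthScopes": [
      "https://www.googleapis.com/auth/cloud-platform"]}}
]
"""


def pools_without_registry_read(node_pools_json):
    """Return the names of node pools whose scopes cannot pull from gcr.io."""
    blocked = []
    for pool in json.loads(node_pools_json):
        scopes = set(pool.get("config", {}).get("oauthScopes", []))
        # No overlap with PULL_SCOPES means the kubelet's token is rejected (401).
        if not scopes & PULL_SCOPES:
            blocked.append(pool["name"])
    return blocked


if __name__ == "__main__":
    for name in pools_without_registry_read(SAMPLE):
        print(f"{name}: no storage read scope, image pulls from gcr.io will fail")
```

A pool that passes this check can still get 401 if its node service account lacks read access to the registry's storage, because scopes only limit what that account's IAM roles already allow.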