ImagePullSecrets GCR

Question

我在deployment.yaml文件中使用ImagePullSecrets配置GCR时遇到问题.由于许可,它无法下载容器

Failed to pull image "us.gcr.io/optimal-jigsaw-185903/syncope-deb": rpc error: code = Unknown desc = Error response from daemon: denied: Permission denied for "latest" from request "/v2/optimal-jigsaw-185903/syncope-deb/manifests/latest".

我确信我做错了但我遵循了这个教程(和其他人一样),但仍然没有运气.

https://ryaneschinger.com/blog/using-google-container-registry-gcr-with-minikube/

pod日志同样没用:

"syncope-deb" in pod "syncope-deployment-64479cdcf5-cng57" is waiting to start: trying and failing to pull image

我的部署如下:

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  # Unique key of the Deployment instance
  name: syncope-deployment
  namespace: default
spec:
  # 3 Pods should exist at all times.
  replicas: 1
  # Keep record of 2 revisions for rollback
  revisionHistoryLimit: 2
  template:
    metadata:
      labels:
        # Apply this label to pods and default
        # the Deployment label selector to this value
        app: syncope-deb
    spec:
      imagePullSecrets:
      - name: mykey
      containers:
      - name: syncope-deb
        # Run this image
        image: us.gcr.io/optimal-jigsaw-185903/syncope-deb
        ports:
        - containerPort: 9080

任何我在我的默认命名空间中都有一个名为"mykey"的密钥(编辑出安全数据):

{"https://gcr.io":{"username":"_json_key","password":"{\n  \"type\": \"service_account\",\n  \"project_id\": \"optimal-jigsaw-185903\",\n  \"private_key_id\": \"EDITED_TO_PROTECT_THE_INNOCENT\",\n  \"private_key\": \"-----BEGIN PRIVATE KEY-----\\EDITED_TO_PROTECT_THE_INNOCENT\\n-----END PRIVATE KEY-----\\n\",\n  \"client_email\": \"bobs-service@optimal-jigsaw-185903.iam.gserviceaccount.com\",\n  \"client_id\": \"109145305665697734423\",\n  \"auth_uri\": \"https://accounts.google.com/o/oauth2/auth\",\n  \"token_uri\": \"https://accounts.google.com/o/oauth2/token\",\n  \"auth_provider_x509_cert_url\": \"https://www.googleapis.com/oauth2/v1/certs\",\n  \"client_x509_cert_url\": \"https://www.googleapis.com/robot/v1/metadata/x509/bobs-service%40optimal-jigsaw-185903.iam.gserviceaccount.com\"\n}","email":"redfalconinc@gmail.com","auth":"EDITED_TO_PROTECT_THE_INNOCENT"}}

我甚至用以下权限加载了该用户:

• 编辑云容器
• 生成器云容器
• Builder Editor服务
• 帐户演员服务
• 帐户管理存储
• 管理存储对象
• 管理存储对象创建器
• 存储对象查看器

任何帮助都会受到赞赏,因为我花了很多时间看似非常简单的问题.

Answer 1

该问题很可能是由于您使用类型的机密并且其中dockerconfigjson有效而引起的。dockercfg命令kubectl在某个时刻发生了变化，导致了这种情况。

您可以检查它被标记为dockercfg或 的内容dockerconfigjson，然后检查它是否有效dockerconfigjson。

您提供的 json 是dockercfg（不是新格式）

有关格式的信息，请参阅https://github.com/kubernetes/kubernetes/issues/12626#issue-100691532