I am trying to pull a private image from Artifact Registry repo in Google Cloud from a kubernetes cluster running in a different Google Cloud project using kubectl.
kubernetes version 1.20.15-gke.1000
The service account for the kubernetes has already been given artifactregistry.reader and storageobject.viewer permissions as the image is in a different project from the kubernetes service account
I apply the below yaml to the kubectl command.
kubectl apply -f proxy_with_workload_identity.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: test-app
spec:
selector:
matchLabels:
app: app-project
strategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 1
type: RollingUpdate
template:
metadata:
labels:
app: app-project
spec:
containers:
- env:
- name: DB_USER
valueFrom:
secretKeyRef:
key: username
name: db-credentials
- name: DB_PASS
valueFrom:
secretKeyRef:
key: password
name: db-credentials
- name: DB_NAME
value: postgres
image: "us-central1-docker.pkg.dev/myproject/docker-repo/test-app:v1"
name: app-project
ports:
- containerPort: 9376
protocol: TCP
- command:
- /cloud_sql_proxy
- "-instances=demo-dev:us-central1:1-sql-1=tcp:5432"
image: "gcr.io/cloudsql-docker/gce-proxy:latest"
name: cloud-sql-proxy
resources:
requests:
cpu: 200m
memory: 32Mi
securityContext:
runAsNonRoot: true
serviceAccountName: testapp
The cloud-sql-proxy image is getting pulled and the container is running , but the image in the private-repository is not getting pulled "us-central1-docker.pkg.dev/myproject/docker-repo/test-app:v1"
when i check the pods i am shown this error:
