Yes, it's possible. Fundamentally GCR is built on top of Cloud Storage, with roughly the same basic access control:
- public, i.e. completely accessible
- private, with quite flexible access control from pretty much anywhere, even from outside the GCP domain - being in a certain GCP project is rather irrelevant.
From Granting users and other projects access to a registry:
> To give specific users or container clusters running on other projects permissions to pull images from a registry, you need to grant read permission on the underlying Cloud Storage bucket.
>
> ...
>
> - Select the Permissions tab.
> - Click Add members.
>
> From the menu that appears, fill the Members field with the email addresses of users needing read permission, separated by commas.
>
> This email address can be one of the following:
>
> - a Google account (for example, someone@example.com)
> - a Cloud IAM service account
> - the Compute Engine default service account of another project. This account is used by the Google Kubernetes Engine to pull container images clusters by default. It is in the form [PROJECT_NUMBER]-compute@developer.gserviceaccount.com, where [PROJECT-NUMBER] is the GCP project number of the project that is running the Google Kubernetes Engine cluster.

There are some differences from Cloud Storage, most notable ones being:
- access control applies to the bucket level only, object level access is ignored
- GCR can only have a single bucket per GCP project
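
The same bucket-level read grant can be scripted instead of clicked through the console. The sketch below is an added example, not part of the original answer or of Google's documentation: it derives the registry's backing bucket and the other project's Compute Engine default service account, then prints the `gsutil` commands to grant read access and to review the bucket policy afterwards. The function names, the project ID `registry-proj` and the project number `123456789012` are constructed placeholders, and the bucket naming (`artifacts.PROJECT-ID.appspot.com`, with a region prefix for `us`/`eu`/`asia` hosts) is assumed from GCR's standard convention.

```shell
#!/bin/sh
# Added example: prints commands only, nothing is executed against GCP.

# Map a registry host to the Cloud Storage bucket that backs it.
gcr_bucket() {  # $1 = registry host, $2 = project ID owning the registry
    case "$1" in
        gcr.io)
            printf 'artifacts.%s.appspot.com\n' "$2" ;;
        us.gcr.io|eu.gcr.io|asia.gcr.io)
            printf '%s.artifacts.%s.appspot.com\n' "${1%%.gcr.io}" "$2" ;;
        *)
            echo "unknown registry host: $1" >&2; return 1 ;;
    esac
}

# Compute Engine default service account of the project that pulls images.
gke_default_sa() {  # $1 = project NUMBER (numeric), not the project ID
    case "$1" in
        ''|*[!0-9]*)
            echo "project number must be numeric: $1" >&2; return 1 ;;
    esac
    printf '%s-compute@developer.gserviceaccount.com\n' "$1"
}

# Bucket-level read grant; object-level ACLs are ignored by the registry.
grant_pull_cmd() {  # $1 = host, $2 = registry project ID, $3 = puller's number
    bucket=$(gcr_bucket "$1" "$2") || return 1
    sa=$(gke_default_sa "$3") || return 1
    printf 'gsutil iam ch serviceAccount:%s:objectViewer gs://%s\n' \
        "$sa" "$bucket"
}

# Policy dump to review: allUsers / allAuthenticatedUsers means public.
audit_cmd() {  # $1 = host, $2 = registry project ID
    bucket=$(gcr_bucket "$1" "$2") || return 1
    printf 'gsutil iam get gs://%s\n' "$bucket"
}

# Constructed sample values.
grant_pull_cmd eu.gcr.io registry-proj 123456789012
audit_cmd eu.gcr.io registry-proj
```

Because the grant applies to the whole bucket, the service account can pull every image stored under that registry host in the project, so review the `gsutil iam get` output for members that should not have that reach.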