I am creating a deployment in GKE using the following (standard) Deployment

apiVersion: apps/v1
kind: Deployment
metadata:
  name: api-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      component: api
  template:
    metadata:
      labels:
        component: api
    spec:
      containers:
      - name: api
        image: eu.gcr.io/xxxx-xxx/api:latest
        imagePullPolicy: Always
        resources:
          requests:
            memory: "320Mi"
            cpu: "100m"
          limits:
            memory: "450Mi"
            cpu: "150m"
        ports:
        - containerPort: 5010

However, for some reason GKE complains about a permission problem. The container is in the Container Registry of the same project, which is PRIVATE, but as far as I know GKE should be able to access it if it is in the same GCP project. The GKE cluster is vpc-native (in case that might make a difference), since that is the only difference I can think of compared with the clusters I ran in the past using the same containers and setup.

Events:
  Type     Reason     Age                    From                                                     Message
  ----     ------     ----                   ----                                                     -------
  Normal   Scheduled  34m                    default-scheduler                                        Successfully assigned default/api-deployment-f68977b84-fmhdx to gke-gke-dev-cluster-default-pool-6c6bb127-nw61
  Normal   Pulling    32m (x4 over 33m)      kubelet, gke-gke-dev-cluster-default-pool-6c6bb127-nw61  pulling image "eu.gcr.io/xxxx-xxx/api:latest"
  Warning  Failed     32m (x4 over 33m)      kubelet, gke-gke-dev-cluster-default-pool-6c6bb127-nw61  Failed to pull image "eu.gcr.io/xxxx-xxx/api:latest": rpc error: code = Unknown desc = Error response from daemon: pull access denied for eu.gcr.io/xxxx-xxx/api, repository does not exist or may require 'docker login'
  Warning  Failed     32m (x4 over 33m)      kubelet, gke-gke-dev-cluster-default-pool-6c6bb127-nw61  Error: ErrImagePull
  Normal   BackOff    32m (x6 over 33m)      kubelet, gke-gke-dev-cluster-default-pool-6c6bb127-nw61  Back-off pulling image "eu.gcr.io/xxxx-xxx/api:latest"
  Warning  Failed     3m59s (x131 over 33m)  kubelet, gke-gke-dev-cluster-default-pool-6c6bb127-nw61  Error: ImagePullBackOff

Do I also need to add ImagePullSecrets for a GKE cluster with a Google Container Registry, or could there be some other problem?

The GKE cluster was created with Terraform using the following gke.tf for GKE

resource "google_container_cluster" "primary" {
  name = "gke-${terraform.workspace}-cluster"
  zone = "${var.region}-b"

  additional_zones = [
    "${var.region}-c",
    "${var.region}-d",
  ]

  # minimum kubernetes version for master
  min_master_version = "${var.min_master_version}"
  # version for the nodes. Should equal min_master_version on create
  node_version       = "${var.node_version}"
  initial_node_count = "${var.gke_num_nodes[terraform.workspace]}"
  network            = "${var.vpc_name}"
  subnetwork         = "${var.subnet_name}"

  addons_config {

    http_load_balancing {
      disabled = false  # this is the default
    }

    horizontal_pod_autoscaling {
      disabled = false
    }

    kubernetes_dashboard {
      disabled = false
    }
  }

  # vpc-native network
  ip_allocation_policy {
#    use_ip_aliases = true
  }

  master_auth {
    username = "${var.gke_master_user}"
    password = "${var.gke_master_pass}"
  }

  node_config {
    oauth_scopes = [
      "https://www.googleapis.com/auth/compute",
      "https://www.googleapis.com/auth/devstorage.read_only",
      "https://www.googleapis.com/auth/logging.write",
      "https://www.googleapis.com/auth/monitoring",
    ]

    labels = {
      env = "${var.gke_label[terraform.workspace]}"
    }

    disk_size_gb = 10
    machine_type = "${var.gke_node_machine_type}"
    tags         = ["gke-node"]
  }
}

Running gcloud container clusters describe [CLUSTER] gives

nodePools:
- config:
    diskSizeGb: 10
    diskType: pd-standard
    imageType: COS
    labels:
      env: dev
    machineType: n1-standard-1
    metadata:
      disable-legacy-endpoints: 'true'
    oauthScopes:
    - https://www.googleapis.com/auth/monitoring
    - https://www.googleapis.com/auth/devstorage.read_only
    - https://www.googleapis.com/auth/logging.write
    - https://www.googleapis.com/auth/compute
    serviceAccount: default

So devstorage.read_only seems to be there

3 Answers

Is your GKE cluster node pool configured with the https://www.googleapis.com/auth/devstorage.read_only OAuth scope?

To check, you can run gcloud container clusters describe [CLUSTER NAME]: the scopes are listed under the oauthScopes attribute. Or look at your node pool details in the GCP dashboard:

[image: GKE node pool OAuth scopes]

Storage should be enabled.

answered 2019-08-12T13:37:57.160
In order to use GCR, the nodes need to run with a service account and OAuth scopes that allow reading from Cloud Storage. There is some guidance on this topic here, for example: https://cloud.google.com/kubernetes-engine/docs/how-to/access-scopes#service_account

answered 2019-08-11T09:02:03.547
In addition to Aleksi's comment, and based on this documentation [1], you can also retrieve the IAM policy of a single service account with:

gcloud iam service-accounts get-iam-policy [SERVICE_ACCOUNT]
answered 2019-08-14T14:54:41.243
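The three answers together describe two separate conditions for a node to pull from a private GCR repository in the same project: the node pool's OAuth scopes must allow Cloud Storage reads (answers 1 and 2), and the node service account must actually hold an IAM role that grants those reads (answer 3). An OAuth scope only caps what the VM's credentials may do; it grants nothing on its own. The script below is an added example, not code from the question or any of the answers. It checks both conditions offline from saved gcloud JSON: the output of `gcloud container clusters describe ... --format=json` and of `gcloud projects get-iam-policy PROJECT --format=json` (the project policy is where the service account's own role bindings live). The SAMPLE_* documents, the project number 123456789012 and the node pool name are constructed to mirror the describe output shown in the question; the role and scope lists are the standard Google-defined ones that include storage.objects.get.

```python
"""Added diagnostic: can a GKE node pool pull from a private GCR repo in the
same project?  Two inputs, both saved as JSON:

  gcloud container clusters describe CLUSTER --zone ZONE --format=json > cluster.json
  gcloud projects get-iam-policy PROJECT --format=json                > policy.json

The SAMPLE_* documents below are constructed (not real output) and mirror
the shape of the describe output in the question.
"""
import json
import sys

# OAuth scopes that permit reading the Cloud Storage bucket backing GCR.
GCS_READ_SCOPES = {
    "https://www.googleapis.com/auth/devstorage.read_only",
    "https://www.googleapis.com/auth/devstorage.read_write",
    "https://www.googleapis.com/auth/devstorage.full_control",
    "https://www.googleapis.com/auth/cloud-platform",
}

# Predefined project-level roles that include storage.objects.get.
GCS_READ_ROLES = {
    "roles/storage.objectViewer", "roles/storage.objectAdmin", "roles/storage.admin",
    "roles/viewer", "roles/editor", "roles/owner",
}


def node_pool_findings(cluster, project_number):
    """One dict per node pool: its effective service account and whether any
    oauthScopes entry grants Cloud Storage reads."""
    findings = []
    for pool in cluster.get("nodePools", []):
        cfg = pool.get("config", {})
        sa = cfg.get("serviceAccount", "default")
        # gcloud prints the literal "default" for the Compute Engine default SA.
        if sa == "default":
            sa = f"{project_number}-compute@developer.gserviceaccount.com"
        findings.append({
            "pool": pool.get("name"),
            "serviceAccount": sa,
            "hasGcsReadScope": bool(set(cfg.get("oauthScopes", [])) & GCS_READ_SCOPES),
        })
    return findings


def sa_storage_roles(policy, service_account):
    """Roles in a project IAM policy bound to the SA that allow object reads."""
    member = f"serviceAccount:{service_account}"
    return sorted(b["role"] for b in policy.get("bindings", [])
                  if member in b.get("members", []) and b["role"] in GCS_READ_ROLES)


def diagnose(cluster, policy, project_number):
    """Return (ok, problems). Both the scope and an IAM role must be present;
    a scope alone only limits what the SA may do, it grants nothing by itself."""
    problems = []
    for f in node_pool_findings(cluster, project_number):
        if not f["hasGcsReadScope"]:
            problems.append(f"pool {f['pool']}: no devstorage/cloud-platform OAuth scope")
        if not sa_storage_roles(policy, f["serviceAccount"]):
            problems.append(f"pool {f['pool']}: {f['serviceAccount']} has no storage read role")
    return (not problems, problems)


# Constructed sample input shaped like the question's describe output.
SAMPLE_PROJECT_NUMBER = "123456789012"  # hypothetical project number
SAMPLE_CLUSTER = {"nodePools": [{"name": "default-pool", "config": {
    "imageType": "COS", "machineType": "n1-standard-1", "serviceAccount": "default",
    "oauthScopes": ["https://www.googleapis.com/auth/monitoring",
                    "https://www.googleapis.com/auth/devstorage.read_only",
                    "https://www.googleapis.com/auth/logging.write",
                    "https://www.googleapis.com/auth/compute"]}}]}
# Typical fresh project: the default compute SA still holds Editor.
SAMPLE_POLICY_OK = {"bindings": [
    {"role": "roles/editor", "members": [
        f"serviceAccount:{SAMPLE_PROJECT_NUMBER}-compute@developer.gserviceaccount.com"]}]}
# Same project after someone stripped that Editor binding (constructed).
SAMPLE_POLICY_STRIPPED = {"bindings": [
    {"role": "roles/logging.logWriter", "members": [
        f"serviceAccount:{SAMPLE_PROJECT_NUMBER}-compute@developer.gserviceaccount.com"]}]}

if __name__ == "__main__":
    if len(sys.argv) == 4:  # cluster.json policy.json PROJECT_NUMBER
        with open(sys.argv[1]) as c, open(sys.argv[2]) as p:
            ok, problems = diagnose(json.load(c), json.load(p), sys.argv[3])
    else:
        ok, problems = diagnose(SAMPLE_CLUSTER, SAMPLE_POLICY_STRIPPED, SAMPLE_PROJECT_NUMBER)
    print("OK" if ok else "\n".join(problems))
```

Run with no arguments to see the stripped-policy case flagged, or pass the two saved JSON files and your project number to check a real cluster. If a node pool uses a custom service account, the same project-policy lookup applies; the only special case the script handles is gcloud's literal "default", which it expands to the Compute Engine default account.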