4

I have read this question and this one, and created my Kubernetes secret for Google Container Registry using a service account JSON key with project: owner and viewer permissions. I have also verified that the image does in fact exist in Google Container Registry by going to the console.

I have also read this document.

When I run:

minikube dashboard

And then from the user interface, I click the "+" sybmol, specify the URL of my image like this: 

project-123456/bot-image

then click on 'advanced options' and specify the Secret that was imported.

After a few seconds I see this error:

Error: Status 403 trying to pull repository project-123456/bot-image: "Unable to access the repository: project-123456/bot-image; please verify that it exists and you have permission to access it (no valid credential was supplied)."

If I look at what's inside the Secret file (.dockerconfigjson), it's like: {"https://us.gcr.io": {"email": "admin@domain.com", "auth": "longtexthere"}}

What could be the issue?

Community
  • 1
  • 1
skunkwerk
  • 2,920
  • 2
  • 37
  • 55

1 Answers1

3

The json needs to have a top level "{auths": json key from:

Creating image pull secret for google container registry that doesn't expire?

So the json should be structured like:

{"auths":{"https://us.gcr.io": {"email": "admin@domain.com", "auth": "longtexthere"}}}

If you are still having issues, you can alternatively download the latest version of minikube (0.17.1) and run minikube addons configure registry-creds following the prompts there to setup creds then run minikube addons enable registry-creds

Now you should be able to pull down pods from GCR using a yaml structured like this:

apiVersion: v1
kind: Pod
metadata:
  name: foo
  namespace: default
spec:
  containers:
    - image: gcr.io/example-vm/helloworld:latest
      name: foo

EDIT: 6/13/2018 updating the commands to reflect comment by @Rambatino

aaron-prindle
  • 3,077
  • 1
  • 17
  • 15
  • thanks Aaron. I downloaded .17.1, enabled registry-creds with GCR and imported the JSON key. It reported "registry-creds was successfully enabled" but when I try to create a deployment with the GCR image it still fails, and doesn't populate any new Secrets. – skunkwerk Mar 03 '17 at 19:02
  • Make sure that you didn't get the error: `Could not read file for application_default_credentials.json` Also can you verify that an ImagePullSecret was created with: `kubectl describe serviceaccount` Also did you add the gcr prefix to your image? I added an example pod spec that is working to my original answer. – aaron-prindle Mar 03 '17 at 19:28
  • did you end up resolving this issue? if it is easier, you can also post an issue on github: https://github.com/kubernetes/minikube – aaron-prindle Mar 09 '17 at 19:57
  • 1
    The enable registry-creds has been split into two commands: `minikube addons configure registry-creds && minikube addons enable registry-creds` (https://github.com/kubernetes/minikube/issues/1391) – Rambatino Jun 13 '18 at 22:22