{"id":356,"date":"2020-10-03T07:06:55","date_gmt":"2020-10-03T07:06:55","guid":{"rendered":"https:\/\/rejupillai.com\/?p=356"},"modified":"2026-04-13T00:09:12","modified_gmt":"2026-04-13T00:09:12","slug":"shared-gcr-for-multiple-gke-projects-errimagepull","status":"publish","type":"post","link":"https:\/\/rejupillai.com\/index.php\/2020\/10\/03\/shared-gcr-for-multiple-gke-projects-errimagepull\/","title":{"rendered":"Shared GCR for multiple GKE Projects"},"content":{"rendered":"\n

It is not uncommon to keep all our GCR private registries in a shared Project, and access it from multiple different GCP Projects such as dev, test and prod. In a normal scenario i.e. when the GCR & GKE are in the same Project, you wouldn’t see an issue, but when they are different you may encounter an ErrImagePull when GKE kubelet tries to pull down the image.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

The solution is very simple however. <\/p>\n\n\n\n

In my example I have 2 Projects – <\/p>\n\n\n\n

GKE : reju-pr1<\/p>\n\n\n\n

GCR : reju-pr2<\/p>\n\n\n\n

project names have been masked <\/em><\/p>\n\n\n\n

Step 1) Go to IAM module of the GKE Project, and find the service account that corresponds to the Compute Engine default service account<\/code><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Step 2) Navigate to the IAM section of the second project (where GCR is hosted) and Add a Member<\/code> with the same service account id noted from Step 1 ; give it a role of Storage Object Viewer<\/strong>.<\/p>\n\n\n\n

<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Step 3) Delete the deployments and force the pods to be recreated, you will see that images are successfully pulled<\/em> down this time around.<\/p>\n\n\n\n

\"\"
The hipster store app is fully deployed and running.<\/figcaption><\/figure>\n\n\n\n

Conclusion : When using GCR across Projects make sure to provide the Storage Object Viewer<\/code><\/code><\/code><\/code><\/code><\/code> Role to the ServiceAccount responsible for pulling the images on the GKE nodes.<\/p>\n","protected":false},"excerpt":{"rendered":"

It is not uncommon to keep all our GCR private registries in a shared Project, and access it from multiple different GCP Projects such as dev, test and prod. In a normal scenario i.e. when the GCR & GKE are in the same Project, you wouldn’t see an issue, but<\/p>\n","protected":false},"author":1,"featured_media":191,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[],"class_list":["post-356","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-google-cloud","ct-col-2"],"_links":{"self":[{"href":"https:\/\/rejupillai.com\/index.php\/wp-json\/wp\/v2\/posts\/356","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rejupillai.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rejupillai.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rejupillai.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rejupillai.com\/index.php\/wp-json\/wp\/v2\/comments?post=356"}],"version-history":[{"count":13,"href":"https:\/\/rejupillai.com\/index.php\/wp-json\/wp\/v2\/posts\/356\/revisions"}],"predecessor-version":[{"id":427,"href":"https:\/\/rejupillai.com\/index.php\/wp-json\/wp\/v2\/posts\/356\/revisions\/427"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/rejupillai.com\/index.php\/wp-json\/wp\/v2\/media\/191"}],"wp:attachment":[{"href":"https:\/\/rejupillai.com\/index.php\/wp-json\/wp\/v2\/media?parent=356"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rejupillai.com\/index.php\/wp-json\/wp\/v2\/categories?post=356"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rejupillai.com\/index.php\/wp-json\/wp\/v2\/tags?post=356"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}