Shared GCR for multiple GKE Projects
It is not uncommon to keep all GCR private registries in a shared Project and access them from several different GCP Projects such as dev, test and prod. In the normal scenario, i.e. when GCR and GKE are in the same Project, you won't see an issue, but when they are in different Projects you may encounter an ErrImagePull when the GKE kubelet tries to pull the image: the service account used by the GKE nodes has no permission to read the registry's storage in the other Project.
The solution, however, is very simple.
In my example I have 2 Projects (project names have been masked):
GKE : reju-pr1
GCR : reju-pr2
Step 1) Go to the IAM module of the GKE Project and find the service account that corresponds to the Compute Engine default service account; note its id.
Step 2) Navigate to the IAM section of the second Project (where GCR is hosted), Add a Member with the same service account id noted in Step 1, and give it the role Storage Object Viewer.
Step 3) Delete the deployments to force the pods to be recreated; you will see that the images are pulled down successfully this time around.
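To confirm the binding from Step 2 actually reached the registry Project before restarting anything, the following added check (example code, not part of the original post) reads the IAM policy as exported by `gcloud projects get-iam-policy REGISTRY_PROJECT --format=json` and reports whether the GKE node service account holds a role that can read image layers. The project number and policy below are constructed placeholders, and the membership in IMAGE_PULL_ROLES is the set of predefined roles known to include storage.objects.get.

```python
"""Offline check: can the GKE node service account read GCR images in
the registry Project? Added example, not code from the original post."""
import json

# Predefined roles that include storage.objects.get when bound at project
# level. roles/storage.objectViewer is the least-privilege choice.
IMAGE_PULL_ROLES = {
    "roles/storage.objectViewer",
    "roles/storage.objectAdmin",
    "roles/storage.admin",
    "roles/viewer",
    "roles/editor",
    "roles/owner",
}

def default_compute_sa(project_number: str) -> str:
    """IAM member string of a Project's Compute Engine default service account."""
    return f"serviceAccount:{project_number}-compute@developer.gserviceaccount.com"

def check_pull_access(policy: dict, member: str) -> dict:
    """Return the qualifying roles bound to `member`, split into unconditional
    grants and conditional ones (an IAM condition may not hold for the kubelet)."""
    result = {"granted": [], "conditional": []}
    for binding in policy.get("bindings", []):
        if binding.get("role") not in IMAGE_PULL_ROLES:
            continue
        if member not in binding.get("members", []):
            continue
        key = "conditional" if binding.get("condition") else "granted"
        result[key].append(binding["role"])
    return result

def can_pull(policy: dict, member: str) -> bool:
    """True only if an unconditional qualifying binding exists."""
    return bool(check_pull_access(policy, member)["granted"])

# Constructed sample policy of the registry Project: the node SA only has an
# expired conditional grant, so pulls would still fail with ErrImagePull.
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:111111111111-compute@developer.gserviceaccount.com"],
     "condition": {"title": "expired",
                   "expression": "request.time < timestamp('2020-01-01T00:00:00Z')"}},
    {"role": "roles/owner", "members": ["user:admin@example.com"]}
  ],
  "etag": "BwXyZ=", "version": 3
}""")

if __name__ == "__main__":
    sa = default_compute_sa("111111111111")  # placeholder GKE project number
    print(sa, "->", check_pull_access(SAMPLE_POLICY, sa), "can_pull:", can_pull(SAMPLE_POLICY, sa))
```

A project-level Storage Object Viewer binding grants read access to every bucket in the registry Project, not just the registry's own bucket. The check only inspects project-level bindings and cannot expand group memberships.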
Conclusion : When using GCR across Projects, make sure to give the Storage Object Viewer role to the Service Account responsible for pulling the images on the GKE nodes.