Error: ErrImagePull : failed to fetch oauth token: unexpected status: 403 Forbidden while creating kubernetes deployment on Google Cloud

huangapple go评论112阅读模式
英文:

Error: ErrImagePull : failed to fetch oauth token: unexpected status: 403 Forbidden while creating kubernetes deployment on Google Cloud

问题

错误的原因可能是授权问题,导致 Kubernetes 无法拉取 Docker 镜像。解决这个问题的一个可能的方法是确保正确配置了 Docker 的身份验证。以下是可能的解决方法:

  1. 确保已经使用以下命令配置 Docker 以使用 Google Cloud 的身份验证:
gcloud auth configure-docker us-central1-docker.pkg.dev
  1. 检查 Docker 镜像路径是否正确。您可以从 Google Cloud Console 复制并粘贴镜像路径,确保没有额外的空格或拼写错误。

  2. 检查 Google Cloud 项目是否有足够的权限来拉取该镜像。您可以检查项目的 IAM 设置,确保适当的权限已分配给您的 Google Cloud 帐户。

  3. 确保您的 Google Cloud 访问令牌仍然有效。尝试重新登录到 Google Cloud 帐户,然后再次运行 gcloud auth configure-docker 命令。

  4. 如果您的项目使用了服务帐户来运行 Kubernetes,确保该服务帐户具有足够的权限来访问 Artifact Registry 中的镜像。

  5. 最后,确保您的 Docker 镜像在 Artifact Registry 中是可用的。您可以使用 docker pull 命令来验证是否可以成功拉取该镜像,如下所示:

docker pull us-central1-docker.pkg.dev/quizdev/codelabrepo/questy-java:v1

根据上述解决方法中的任何一种可能修复问题。如果问题仍然存在,请提供更多详细信息,以便进一步帮助您解决问题。

英文:

Case

I am following tutorial: Deploy a Spring Boot Java app to Kubernetes on Google Kubernetes Engine . I came to the step when I want to deploy my application (docker image of it) to kubernetes. But after I create the deployment the pods are not starting because there is problem with pulling the image (Error: ErrImagePull).

I create the deployment like that:

 kubectl create deployment questy-java --image=us-central1-docker.pkg.dev/quizdev/codelabrepo/questy-java:v1

After running the command:

kubectl describe pod questy-java-54dbd6ccd4-5cb94

I am getting event information:

Events:
  Type     Reason     Age                From               Message
  ----     ------     ----               ----               -------
  Normal   Scheduled  36s                default-scheduler  Successfully assigned default/questy-java-54dbd6ccd4-tmdkl to gke-questy-java-cluster-default-pool-ca7ad417-lxkw
  Normal   Pulling    23s (x2 over 35s)  kubelet            Pulling image "us-central1-docker.pkg.dev/quizdev/codelabrepo/questy-java:v1"
  Warning  Failed     23s (x2 over 35s)  kubelet            Failed to pull image "us-central1-docker.pkg.dev/quizdev/codelabrepo/questy-java:v1": rpc error: code = Unknown desc = failed to pull and unpack image "us-central1-docker.pkg.dev/quizdev/codelabrepo/questy-java:v1": failed to resolve reference "us-central1-docker.pkg.dev/quizdev/codelabrepo/questy-java:v1": failed to authorize: failed to fetch oauth token: unexpected status: 403 Forbidden
  Warning  Failed     23s (x2 over 35s)  kubelet            Error: ErrImagePull
  Normal   BackOff    8s (x2 over 35s)   kubelet            Back-off pulling image "us-central1-docker.pkg.dev/quizdev/codelabrepo/questy-java:v1"
  Warning  Failed     8s (x2 over 35s)   kubelet            Error: ImagePullBackOff

The root couse seems to be mentioned in here:

> failed to authorize: failed to fetch oauth token: unexpected status:
> 403 Forbidden

Anyhow the tutorial did not mention any additional steps to mantain authentication or authorisation.

What I have tried:

  1. I have checked the VPC networks dashboard to see if Private Google Access is enabled and it looks fine:

Error: ErrImagePull : failed to fetch oauth token: unexpected status: 403 Forbidden while creating kubernetes deployment on Google Cloud

  1. I have followed instructions to install gke-gcloud-auth-plugin from: https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke. Recreating the deployment after this change did not help.
  2. Created new repository in the Artifact Registry and tried to deploy my image there
  3. build an entirely new Docker container and tried to deploy it in new repository
  4. Tried to deploy questy-java image directly from Google Cloud Console:
    Error: ErrImagePull : failed to fetch oauth token: unexpected status: 403 Forbidden while creating kubernetes deployment on Google Cloud

  1. Run the command:
    gcloud auth configure-docker us-central1-docker.pkg.dev
  1. Checked the path throughly. I have copied and paste the path to the image directly from Console:
    Error: ErrImagePull : failed to fetch oauth token: unexpected status: 403 Forbidden while creating kubernetes deployment on Google Cloud
    I have also tried to run the commands:
    docker pull \
        us-central1-docker.pkg.dev/quizdev/codelabrepo/questy-java:v1

It was successfull.

Question

What could be the reason of this error? What is the most elegant way to fix the issue?

Edit

I have checked the path to the image directly from Console and it is

  us-central1-docker.pkg.dev/quizdev/codelabrepo/questy-java:v1

答案1

得分: 0

Error: ErrImagePull : failed to fetch oauth token: unexpected status: 403 Forbidden 是由于授权问题导致的,Artifact registry没有足够的权限来拉取镜像。

参考这个解决 4xx 错误问题的文档,了解连接到 GKE 集群时的身份验证和授权错误。设置环境变量以打印访问令牌,并按照 Troubleshooting error 4xx issues 中提到的步骤验证访问令牌是否有效。

另外,根据这个Troubleshoot 文档,您可以检查以下内容:

  • 确保您正在推送的镜像的完整路径正确。路径必须包括注册表主机名、Google Cloud 项目 ID、存储库和镜像。例如:us-east1-docker.pkg.dev/my-project/my-rep

  • 确保拉取镜像的帐户具有从存储库中读取所需权限。您必须授予运行时服务帐户Artifact Registry Reader 角色,这样才能帮助拉取镜像。

  • 如果您正在使用 Docker 或其他第三方工具,您必须为与存储库交互的帐户授予权限

  • 参考ImagePullBackOff 和 ErrImagePull,这些错误表示容器使用的镜像无法从镜像注册表加载。

英文:

The Error: ErrImagePull : failed to fetch oauth token: unexpected status: 403 Forbidden is due to authorization issue where the Artifact registry is not having the necessary permissions to pull the image.

Refer to this Troubleshooting error 4xx issues Authentication and authorization errors when connecting to GKE clusters. Set the environment variables to print the access token and Verify that your access token is valid by following the steps mentioned in the Troubleshooting error 4xx issues.

Also as per this Troubleshoot doc you can check the following:

  • Verify that the full path of the image that you are pushing is
    correct. The path must include the registry hostname, Google Cloud
    project ID, repository, and image. For example:
    us-east1-docker.pkg.dev/my-project/my-rep
  • Verify that the account that is pulling the image has necessary
    permissions to read from the repository. you must grant the Artifact
    Registry Reader role
    to the runtime service account then only
    this will help to pull the image.
  • If you are using Docker or another third-party tool, you must:
    Grant permissions to the account that interacts with the
    repository.
  • Refer to the ImagePullBackOff and ErrImagePull which indicate
    that the image used by a container cannot be loaded from the image
    registry.

答案2

得分: 0

我已经按照@Hemanth Kumar的建议,并最终解决了我的问题,方法是为在GKE中运行的服务帐户用户添加特定存储库的Artifact Registry Reader角色。

我是通过Google Cloud控制台来做的:
Error: ErrImagePull : failed to fetch oauth token: unexpected status: 403 Forbidden while creating kubernetes deployment on Google Cloud

英文:

I have followed the tips from @Hemanth Kumar and finaly what solved my problem was adding a Artifact Registry Reader role for specific repository to the service account user which runs in GKE.

I did it via Google Cloud Console:
Error: ErrImagePull : failed to fetch oauth token: unexpected status: 403 Forbidden while creating kubernetes deployment on Google Cloud

huangapple
  • 本文由 发表于 2023年6月13日 17:07:43
  • 转载请务必保留本文链接:https://go.coder-hub.com/76463317.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定