Error: ErrImagePull : failed to fetch oauth token: unexpected status: 403 Forbidden while creating kubernetes deployment on Google Cloud
Question
The cause of the error is probably an authorization problem that prevents Kubernetes from pulling the Docker image. One possible way to resolve it is to make sure Docker authentication is configured correctly. Possible fixes:
- Make sure Docker has been configured to use Google Cloud authentication with the following command:
```
gcloud auth configure-docker us-central1-docker.pkg.dev
```
- Check that the Docker image path is correct. You can copy and paste the image path from the Google Cloud Console to make sure there are no extra spaces or typos.
- Check that the Google Cloud project has sufficient permissions to pull the image. You can check the project's IAM settings to make sure the appropriate permissions have been assigned to your Google Cloud account.
- Make sure your Google Cloud access token is still valid. Try signing in to your Google Cloud account again, then run the `gcloud auth configure-docker` command again.
- If your project uses a service account to run Kubernetes, make sure that service account has sufficient permissions to access the image in Artifact Registry.
- Finally, make sure your Docker image is available in Artifact Registry. You can verify that the image can be pulled successfully with the `docker pull` command, as shown here:
```
docker pull us-central1-docker.pkg.dev/quizdev/codelabrepo/questy-java:v1
```
Any one of the fixes above may resolve the problem. If the problem persists, please provide more details so we can help further.
Case
I am following the tutorial: Deploy a Spring Boot Java app to Kubernetes on Google Kubernetes Engine. I came to the step where I want to deploy my application (a Docker image of it) to Kubernetes. But after I create the deployment the pods are not starting because there is a problem with pulling the image (Error: ErrImagePull).
I create the deployment like this:
```
kubectl create deployment questy-java --image=us-central1-docker.pkg.dev/quizdev/codelabrepo/questy-java:v1
```
After running the command:
```
kubectl describe pod questy-java-54dbd6ccd4-5cb94
```
I am getting this event information:
```
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 36s default-scheduler Successfully assigned default/questy-java-54dbd6ccd4-tmdkl to gke-questy-java-cluster-default-pool-ca7ad417-lxkw
Normal Pulling 23s (x2 over 35s) kubelet Pulling image "us-central1-docker.pkg.dev/quizdev/codelabrepo/questy-java:v1"
Warning Failed 23s (x2 over 35s) kubelet Failed to pull image "us-central1-docker.pkg.dev/quizdev/codelabrepo/questy-java:v1": rpc error: code = Unknown desc = failed to pull and unpack image "us-central1-docker.pkg.dev/quizdev/codelabrepo/questy-java:v1": failed to resolve reference "us-central1-docker.pkg.dev/quizdev/codelabrepo/questy-java:v1": failed to authorize: failed to fetch oauth token: unexpected status: 403 Forbidden
Warning Failed 23s (x2 over 35s) kubelet Error: ErrImagePull
Normal BackOff 8s (x2 over 35s) kubelet Back-off pulling image "us-central1-docker.pkg.dev/quizdev/codelabrepo/questy-java:v1"
Warning Failed 8s (x2 over 35s) kubelet Error: ImagePullBackOff
```
The root cause seems to be mentioned here:
> failed to authorize: failed to fetch oauth token: unexpected status:
> 403 Forbidden
Anyhow, the tutorial did not mention any additional steps to maintain authentication or authorisation.
What I have tried:
- I have checked the VPC networks dashboard to see if Private Google Access is enabled, and it looks fine.
- I have followed the instructions to install gke-gcloud-auth-plugin from: https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke. Recreating the deployment after this change did not help.
- Created a new repository in the Artifact Registry and tried to deploy my image there.
- Built an entirely new Docker container and tried to deploy it in the new repository.
- Tried to deploy the questy-java image directly from the Google Cloud Console.
- Ran the command:
```
gcloud auth configure-docker us-central1-docker.pkg.dev
```
- Checked the path thoroughly. I have copied and pasted the path to the image directly from the Console.
I have also tried to run the command:
```
docker pull \
us-central1-docker.pkg.dev/quizdev/codelabrepo/questy-java:v1
```
It was successful.
Question
What could be the reason for this error? What is the most elegant way to fix the issue?
Edit
I have checked the path to the image directly from the Console and it is
```
us-central1-docker.pkg.dev/quizdev/codelabrepo/questy-java:v1
```
Answer 1
Score: 0
The Error: ErrImagePull : failed to fetch oauth token: unexpected status: 403 Forbidden is due to an authorization issue where Artifact Registry does not have the necessary permissions to pull the image.
Refer to Troubleshooting error 4xx issues (Authentication and authorization errors when connecting to GKE clusters). Set the environment variables to print the access token and verify that your access token is valid by following the steps mentioned in Troubleshooting error 4xx issues.
Also, as per this Troubleshoot doc, you can check the following:
- Verify that the full path of the image that you are pushing is correct. The path must include the registry hostname, Google Cloud project ID, repository, and image. For example: us-east1-docker.pkg.dev/my-project/my-rep
- Verify that the account that is pulling the image has the necessary permissions to read from the repository. You must grant the Artifact Registry Reader role to the runtime service account; only then will it be able to pull the image.
- If you are using Docker or another third-party tool, you must grant permissions to the account that interacts with the repository.
- Refer to ImagePullBackOff and ErrImagePull, which indicate that the image used by a container cannot be loaded from the image registry.
Answer 2
Score: 0
I followed @Hemanth Kumar's suggestion and finally solved my problem by adding the Artifact Registry Reader role, for the specific repository, to the service account user that runs in GKE.
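The permission check behind Answer 1's list and Answer 2's fix, as an added example that is not code from the question, the answers or Google: it evaluates a repository IAM policy of the shape `gcloud artifacts repositories get-iam-policy` prints, reports whether a given node service account holds a role that allows image pulls, and builds the repository-scoped grant command. The policy, the `user:developer@example.com` member and the `node-sa@quizdev...` service account are constructed sample values; the `gcloud` commands and `roles/artifactregistry.*` role names are real.

```python
"""Offline check of who may pull from an Artifact Registry repository.

Added example, not code from the question, the answers, or Google. `policy` has
the shape printed by
  gcloud artifacts repositories get-iam-policy REPO --location=LOC --format=json
The policy and service account below are constructed sample values.
"""
import json

# Predefined roles that carry artifactregistry.repositories.downloadArtifacts,
# the permission an image pull needs.
PULL_ROLES = {"roles/artifactregistry.reader", "roles/artifactregistry.writer",
              "roles/artifactregistry.repoAdmin", "roles/artifactregistry.admin"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

def can_pull(policy: dict, principal: str) -> bool:
    """True if `principal` (e.g. "serviceAccount:...") holds a pull-capable role.

    Only the repository's own bindings are checked: roles inherited from the
    project or folder are not in this policy, so False means "not granted here".
    Conditional bindings are skipped; their outcome depends on request
    attributes this offline check cannot evaluate.
    """
    for binding in policy.get("bindings", []):
        if binding.get("role") not in PULL_ROLES or "condition" in binding:
            continue
        members = set(binding.get("members", []))
        if principal in members or members & PUBLIC_MEMBERS:
            return True
    return False

def fix_command(project: str, location: str, repo: str, principal: str) -> str:
    """Least-privilege fix: grant Reader on the one repository, not the project."""
    return (f"gcloud artifacts repositories add-iam-policy-binding {repo} "
            f"--project={project} --location={location} "
            f"--member={principal} --role=roles/artifactregistry.reader")

# Constructed sample: only the developer's user account can read the repo. That
# is why `docker pull` succeeds on the workstation (it uses the gcloud credential)
# while the kubelet, authenticating as the node service account, gets 403.
SAMPLE_POLICY = json.loads("""{
  "bindings": [{"role": "roles/artifactregistry.reader",
                "members": ["user:developer@example.com"]}],
  "etag": "BwXsample=="}""")
NODE_SA = "serviceAccount:node-sa@quizdev.iam.gserviceaccount.com"  # hypothetical

if __name__ == "__main__":
    if not can_pull(SAMPLE_POLICY, NODE_SA):
        print(fix_command("quizdev", "us-central1", "codelabrepo", NODE_SA))
```

Run it against the real policy by replacing SAMPLE_POLICY with the JSON from the get-iam-policy command and NODE_SA with the service account shown for the node pool in the GKE console.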