Where to host docker images for several environments

I have several Google cloud projects with dedicated environments for prod, stag, dev, etc. All the Docker image are platform agnostic and completely controlled by environment variables. They should be used from all environments. What I have found is to create a project, deploy the docker images in the repository and then allow read access by using a
registry reader to the consuming service accounts.

1. What service account has to be added to the registry if GKE deployments should be able to pull the image?
2. Is this the recommended approach? I feels a little bit strange that also a dedicated project is needed. Is there something like a "global" repository?

> What service account has to be added to the registry if GKE
> deployments should be able to pull the image?

Use the workload identity with GKE : https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity

You can create a new service account in IAM and assign it necessary role/permission to it.

That GCP serviceaccount will used the of K8s service account and GKE workloads will be able to pull the images from the Docker registry.

So in this case you don't need to manage the ImagePull secret, refresh it from time to time and you can manage Auth by GCP service account.

Update :

Yes you can run the project for Docker Registry specifically, it's more depends on your need.

Just to mentioned if by Registry you mean GCR make sure it will get deprecated with time so check out the Artifact registry.

There is pros & cons Keeping single Project specific to Docker registry

• Pros : Simplify management & access control
• Con : More difficult to isolate the Artifacts between projects.

If all artifacts are stored in one project and all others pulling from there.

If you have sensitive artifacts that you don't want to be accessible to all projects, you will need to create separate repositories for those artifacts.