
Grant permissions to GKE nodes to pull images from GCR #144

Open
felipecruz91 opened this issue Nov 11, 2020 · 3 comments
Labels
enhancement New feature or request GKE good first issue Good for newcomers

Comments

@felipecruz91

Hi,

When provisioning the GKE infrastructure, it would be great to be able to pull images from the GCR that is within the same project as the GKE cluster.

Currently, there is an error:

Failed to pull image "gcr.io/xxxx-xxx/img:tag": rpc error: code = Unknown desc = Error response from daemon: pull access denied for gcr.io/xxxx-xxx/api, repository does not exist or may require 'docker login'
@pst pst added GKE enhancement New feature or request good first issue Good for newcomers labels Nov 20, 2020
@pst
Member

pst commented Dec 4, 2020

I thought about this. It seems the best I can do is give permission to any registry bucket in the project because there is no way of knowing the bucket name of course. So the sanest default would probably be read-only access by default. And a flag to disable the read-only access and then leave users to roll their own if they require more advanced access control. Thoughts?

@felipecruz91
Author

As a first approach, I see no harm granting Pull (Read Only) permissions to any registry bucket that belongs to the project: https://cloud.google.com/container-registry/docs/access-control#permissions_and_roles

Nevertheless, perhaps you may find it interesting to include the creation of an empty GCR with a predefined name as part of the deployment (this would be optional) and, if that's the case, then narrow down the Pull permissions to that specific registry bucket.
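The two approaches discussed above (project-wide read-only pull access behind a flag, and the narrower per-bucket binding), written out as an added Terraform example. This is not Kubestack's own code; the variable names `project_id`, `cluster_name`, `grant_registry_pull` and `registry_bucket`, the `gke-nodes` service account and the node pool definition are all assumptions made for the example. Two caveats a practitioner will hit: the IAM role on its own is not sufficient, the node's OAuth scopes must also permit storage reads, and the GCR bucket (`artifacts.PROJECT_ID.appspot.com` for `gcr.io`) only exists after the first image has been pushed, so a bucket-level binding fails on a fresh project.

```hcl
# Added example, not Kubestack's own code. Assumed names: var.project_id,
# var.cluster_name, var.grant_registry_pull, var.registry_bucket, the
# "gke-nodes" service account and the "default-pool" node pool.

variable "project_id" {
  type = string
}

variable "cluster_name" {
  type = string
}

variable "grant_registry_pull" {
  description = "Assumed flag: give the node service account read-only access to every GCR bucket in this project. Set to false to manage registry access yourself."
  type        = bool
  default     = true
}

variable "registry_bucket" {
  description = "Assumed: a single GCR bucket to grant pull on instead of the whole project, e.g. artifacts.PROJECT_ID.appspot.com. Empty disables the bucket-level binding."
  type        = string
  default     = ""
}

# Dedicated, least-privilege identity for the nodes rather than the
# project's default compute service account.
resource "google_service_account" "nodes" {
  account_id   = "gke-nodes" # assumed name
  display_name = "GKE node service account"
}

# Project-wide default: roles/storage.objectViewer is read-only, so nodes can
# pull from any GCR bucket in the project but cannot push or delete images.
# With the flag set to false the binding is not created at all.
resource "google_project_iam_member" "nodes_registry_pull" {
  count   = var.grant_registry_pull ? 1 : 0
  project = var.project_id
  role    = "roles/storage.objectViewer"
  member  = "serviceAccount:${google_service_account.nodes.email}"
}

# Narrower alternative: bind only to one registry bucket. Caveat: the bucket
# exists only after the first push, so keep this empty on a fresh project.
resource "google_storage_bucket_iam_member" "nodes_registry_pull_bucket" {
  count  = var.registry_bucket != "" ? 1 : 0
  bucket = var.registry_bucket
  role   = "roles/storage.objectViewer"
  member = "serviceAccount:${google_service_account.nodes.email}"
}

# The IAM role alone is not enough: the node's OAuth scopes must also allow
# storage reads, otherwise kubelet still reports "pull access denied".
resource "google_container_node_pool" "default" {
  name       = "default-pool"
  cluster    = var.cluster_name
  node_count = 1

  node_config {
    machine_type    = "e2-standard-2"
    service_account = google_service_account.nodes.email
    oauth_scopes = [
      "https://www.googleapis.com/auth/devstorage.read_only",
      "https://www.googleapis.com/auth/logging.write",
      "https://www.googleapis.com/auth/monitoring",
    ]
  }
}
```

After `terraform apply`, `gcloud projects get-iam-policy PROJECT_ID` should list the node service account under `roles/storage.objectViewer` and nothing broader; if the pull still fails, check the node pool's scopes before touching IAM again.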

@pst
Member

pst commented Dec 7, 2020

I think it would require a rather complex module or modules to handle this for all three providers Kubestack supports, especially given the various ways teams may choose to lay out their image repositories, per team, per env, per app or combinations thereof.
