How To Pull The Images on GCP Artifact Registry From On-premise K8S


To access Google Cloud Platform (GCP) Artifact Registry from a local Kubernetes cluster using a service account key file, you need to follow these steps:

Create a GCP Service Account and Key File
Create a Kubernetes Secret with the Service Account Key
Configure Your Kubernetes Deployment to Use the Secret
Verify that Pods pull images from Artifact Registry

Step-by-Step Guide

1. Create a GCP Service Account and Key File

Create the Service Account:

gcloud iam service-accounts create my-service-account --display-name "My Service Account"

Grant the Necessary Roles to the Service Account:

gcloud projects add-iam-policy-binding <YOUR-PROJECT-ID> \
  --member="serviceAccount:my-service-account@<YOUR-PROJECT-ID>.iam.gserviceaccount.com" \
  --role="roles/artifactregistry.reader"

Replace <YOUR-PROJECT-ID> with your GCP project ID.

Create and Download the Key File:

gcloud iam service-accounts keys create key.json \
  --iam-account my-service-account@<YOUR-PROJECT-ID>.iam.gserviceaccount.com

key.json is a bearer credential for the service account and does not expire on its own. Restrict its file permissions (chmod 600 key.json) and delete the local copy once the Kubernetes Secret in the next step has been created.

2. Create a Kubernetes Secret with the Service Account Key

Create the Secret:

kubectl create secret docker-registry gcp-artifact-registry \
  --docker-server=LOCATION-docker.pkg.dev \
  --docker-username=_json_key \
  --docker-password="$(cat key.json)" \
  --docker-email=your-email@example.com

Quote the $(cat key.json) expansion: the key JSON contains spaces, and left unquoted it is split into several arguments, which yields a Secret with a truncated password and 401 errors at pull time. Create the Secret in the same namespace as the Deployment that will use it (add -n <NAMESPACE> if that is not the default namespace).

Replace:

LOCATION with the location of your Artifact Registry (e.g., us-central1).

your-email@example.com with your email.

3. Configure Your Kubernetes Deployment to Use the Secret

Update your Kubernetes deployment YAML to reference the secret for pulling images.

Update Deployment YAML:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
        - name: my-app
          image: LOCATION-docker.pkg.dev/PROJECT-ID/REPOSITORY/IMAGE:TAG
          ports:
            - containerPort: 8080
      imagePullSecrets:
        - name: gcp-artifact-registry

Replace the placeholders:

LOCATION with your Artifact Registry location (e.g., us-central1).

PROJECT-ID with your GCP project ID.

REPOSITORY with the name of your repository.

IMAGE:TAG with the specific image and tag you want to use.

Apply the Deployment:

kubectl apply -f deployment.yaml

4. Verify the Setup

Check the Deployment Status:

kubectl get pods

Describe a Pod to Verify Image Pull:

kubectl describe pod <POD-NAME>

In the Events section, a successful pull shows a Pulled event for the image. If authentication failed you will instead see ErrImagePull followed by ImagePullBackOff, usually with a 401 Unauthorized or 403 Forbidden response from LOCATION-docker.pkg.dev. In that case re-check that --docker-server matches the registry host in the image reference, that the Secret is in the same namespace as the Pod, and that the service account holds roles/artifactregistry.reader on the project or repository.
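The following script is an added example, not part of the original article. It builds the same kubernetes.io/dockerconfigjson Secret that the kubectl command in step 2 creates, but from plain shell, so you can see exactly what ends up in the cluster: the "auth" field is base64("_json_key:<key JSON>"), wrapped in a Docker config.json, wrapped again in base64 as Secret data. SAMPLE_KEY is a constructed stand-in for key.json (a real key also carries private_key and other fields), the registry location defaults to us-central1 as an assumption, and the secret name gcp-artifact-registry matches the article.

```sh
#!/bin/sh
# Added example, not from the original article: build the Secret that
# "kubectl create secret docker-registry" produces, from a service-account
# key, without kubectl or a cluster. SAMPLE_KEY is a CONSTRUCTED stand-in
# for key.json, not a real credential (a real key also carries private_key).
set -eu

REGISTRY_LOCATION="${REGISTRY_LOCATION:-us-central1}"   # assumed location
REGISTRY_HOST="${REGISTRY_LOCATION}-docker.pkg.dev"
SECRET_NAME="gcp-artifact-registry"

SAMPLE_KEY='{"type": "service_account", "project_id": "my-project", "client_email": "my-service-account@my-project.iam.gserviceaccount.com"}'

# Guard against pasting the wrong credentials file: only a service-account
# key (type service_account) works with the _json_key username.
validate_key() {
  case "$1" in
    *'"type":"service_account"'* | *'"type": "service_account"'*) return 0 ;;
    *) echo "refusing: not a service_account key" >&2; return 1 ;;
  esac
}

# Portable single-line base64 (GNU's -w0 is not available everywhere).
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# Docker's config.json stores base64("user:password") in the "auth" field;
# for Artifact Registry the user is the literal _json_key and the password
# is the entire key JSON.
docker_auth() { b64 "_json_key:$1"; }

# .dockerconfigjson body. Only "auth" is emitted; kubelet derives the
# credentials from it, so the key JSON never has to be re-escaped as a
# JSON string value here (kubectl additionally writes username/password).
dockerconfig_json() {
  printf '{"auths":{"%s":{"auth":"%s"}}}' "$1" "$(docker_auth "$2")"
}

# Full Secret manifest of type kubernetes.io/dockerconfigjson.
# $1 = secret name, $2 = registry host, $3 = key JSON
secret_manifest() {
  validate_key "$3" || return 1
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $(b64 "$(dockerconfig_json "$2" "$3")")
EOF
}

# Stand-alone run: print the manifest for the constructed key.
secret_manifest "$SECRET_NAME" "$REGISTRY_HOST" "$SAMPLE_KEY"
```

With a real key, `secret_manifest gcp-artifact-registry "$REGISTRY_HOST" "$(cat key.json)" | kubectl apply -n <NAMESPACE> -f -` is equivalent to the kubectl create secret command above. To inspect what a cluster actually holds, `kubectl get secret gcp-artifact-registry -o jsonpath='{.data.\.dockerconfigjson}' | base64 -d` prints the Docker config; note that this is only base64, not encryption, so anyone with read access to Secrets in the namespace can recover the key.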

Summary

By following these steps, you configure your on-premise Kubernetes cluster to authenticate to GCP Artifact Registry with a service account key: create the service account and key, store the key as a docker-registry Secret, and reference that Secret from imagePullSecrets in your Deployments. Keep in mind that the JSON key is a long-lived credential. Keep the service account limited to roles/artifactregistry.reader, rotate the key periodically (create a new key, update the Secret, then delete the old key), and restrict who can read Secrets in the namespace, because the key is only base64-encoded there, not encrypted.

Refs

https://cloud.google.com/artifact-registry/docs/docker/pushing-and-pulling#key
https://cloud.google.com/artifact-registry/docs/docker/authentication#json-key