
Google Cloud Registry and multiple projects


Problem

Is it possible to pull images from the same GCR from multiple GCP projects without making the registry public?

I want to do this so I do not have to upload the same image multiple times to multiple registries so it can be used on different projects.

Solution

Yes, it's possible. Fundamentally GCR is built on top of Cloud Storage, with roughly the same basic access control:

  • public, i.e. completely accessible
  • private, with quite flexible access control from pretty much anywhere, even from outside the GCP domain - being in a certain GCP project is rather irrelevant.



From Granting users and other projects access to a registry:

To give specific users or container clusters running on other projects permissions to pull images from a registry, you need to grant read permission on the underlying Cloud Storage bucket.

...

  • Select the Permissions tab.
  • Click Add members.
  • From the menu that appears, fill the Members field with the email addresses of users needing read permission, separated by commas. This email address can be one of the following:
      • a Google account (for example, someone@example.com)
      • a Cloud IAM service account
      • the Compute Engine default service account of another project. This account is used by the Google Kubernetes Engine to pull container images clusters by default. It is in the form [PROJECT_NUMBER]-compute@developer.gserviceaccount.com, where [PROJECT-NUMBER] is the GCP project number of the project that is running the Google Kubernetes Engine cluster.



There are some differences from Cloud Storage, most notable ones being:

  • access control applies to the bucket level only, object level access is ignored
  • GCR can only have a single bucket per GCP project

Context

StackExchange DevOps Q#6618, answer score: 3
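
An added example, not part of the original answer or Google's documentation: a Python check over the registry bucket's IAM policy (the JSON shape that `gsutil iam get` prints) that flags public bindings and lists which projects' Compute Engine default service accounts can pull. The sample policy, the project numbers and the function name `audit_registry_policy` are constructed for illustration, and only three predefined read roles are evaluated.

```python
import json
import re

# Predefined Cloud Storage roles that include object read and list.
# Assumption: custom and legacy roles are not evaluated in this sketch.
READ_ROLES = {"roles/storage.objectViewer", "roles/storage.objectAdmin",
              "roles/storage.admin"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# Compute Engine default service account, the form quoted in the answer.
COMPUTE_SA = re.compile(
    r"^serviceAccount:(\d+)-compute@developer\.gserviceaccount\.com$")


def audit_registry_policy(policy):
    """Summarise who can pull from a registry bucket, given its IAM policy."""
    report = {"public": [], "pull_projects": set(), "other_readers": set()}
    for binding in policy.get("bindings", []):
        role = binding.get("role")
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                # A binding to these members grants the role to anyone.
                report["public"].append((role, member))
            elif role in READ_ROLES:
                match = COMPUTE_SA.match(member)
                if match:
                    report["pull_projects"].add(match.group(1))
                else:
                    report["other_readers"].add(member)
    report["pull_projects"] = sorted(report["pull_projects"])
    report["other_readers"] = sorted(report["other_readers"])
    return report


# Constructed sample policy; project numbers and accounts are made up.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/storage.objectViewer",
   "members": ["serviceAccount:111111111111-compute@developer.gserviceaccount.com",
               "serviceAccount:222222222222-compute@developer.gserviceaccount.com",
               "user:someone@example.com"]},
  {"role": "roles/storage.objectViewer", "members": ["allUsers"]}
]}
""")

if __name__ == "__main__":
    print(json.dumps(audit_registry_policy(SAMPLE_POLICY), indent=2))
```

Because access control applies at the bucket level only, every reader listed in the report can pull every image in that registry.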
