Google Cloud Registry and multiple projects
Problem
Is it possible to pull images from the same GCR from multiple GCP projects without making the registry public?
I want to do this so I do not have to upload the same image multiple times to multiple registries so it can be used on different projects.
Solution
Yes, it's possible. Fundamentally GCR is built on top of Cloud Storage, with roughly the same basic access control:
- public, i.e. completely accessible
- private, with quite flexible access control from pretty much anywhere, even from outside the GCP domain - being in a certain GCP project is rather irrelevant.
From Granting users and other projects access to a registry:
To give specific users or container clusters running on other projects permissions to pull images from a registry, you need to grant read permission on the underlying Cloud Storage bucket.
...
- Select the Permissions tab.
- Click Add members.
- From the menu that appears, fill the Members field with the email addresses of users needing read permission, separated by commas. This email address can be one of the following:
  - a Google account (for example, someone@example.com)
  - a Cloud IAM service account
  - the Compute Engine default service account of another project. This account is used by the Google Kubernetes Engine to pull container images clusters by default. It is in the form [PROJECT_NUMBER]-compute@developer.gserviceaccount.com, where [PROJECT-NUMBER] is the GCP project number of the project that is running the Google Kubernetes Engine cluster.
There are some differences from Cloud Storage, most notable ones being:
- access control applies to the bucket level only, object level access is ignored
- GCR can only have a single bucket per GCP project
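As an added example (not part of the answer, and not Google tooling), a Python helper that audits the IAM policy of a GCR bucket as returned by `gsutil iam get` and builds the `gsutil iam ch` grant the answer describes. It assumes GCR's bucket naming (`artifacts.PROJECT-ID.appspot.com`, prefixed with `us.`, `eu.` or `asia.` for the regional hosts); the sample policy, project names and project numbers are constructed.

```python
import json
import re

# Constructed `gsutil iam get gs://artifacts.<PROJECT-ID>.appspot.com` output:
# own project owners, a cross-project default compute SA reader, a human
# reader, and a cross-project SA that was (wrongly) given write access.
SAMPLE_POLICY = json.dumps({"bindings": [
    {"role": "roles/storage.legacyBucketOwner",
     "members": ["projectOwner:registry-project"]},
    {"role": "roles/storage.objectViewer", "members": [
        "serviceAccount:123456789012-compute@developer.gserviceaccount.com",
        "user:someone@example.com"]},
    {"role": "roles/storage.objectAdmin", "members": [
        "serviceAccount:987654321098-compute@developer.gserviceaccount.com"]}]})

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
READ_ROLES = {"roles/storage.objectViewer", "roles/storage.legacyBucketReader"}
WRITE_ROLES = {"roles/storage.objectCreator", "roles/storage.objectAdmin",
               "roles/storage.admin", "roles/storage.legacyBucketWriter",
               "roles/storage.legacyBucketOwner"}
DEFAULT_COMPUTE_SA = re.compile(
    r"^serviceAccount:(\d+)-compute@developer\.gserviceaccount\.com$")


def audit_policy(policy_json):
    """Report public grants, non-owner writers and projects able to pull."""
    out = {"public": [], "writers": [], "pull_projects": set()}
    for binding in json.loads(policy_json).get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                out["public"].append((member, role))
            # Anyone but the registry project's own owners/editors holding a
            # write-capable role can push images into the shared registry.
            if role in WRITE_ROLES and not member.startswith(("projectOwner:", "projectEditor:")):
                out["writers"].append((member, role))
            # A default compute SA with read access (write roles imply read)
            # is what lets that project's GKE clusters pull from this bucket.
            match = DEFAULT_COMPUTE_SA.match(member)
            if match and role in READ_ROLES | WRITE_ROLES:
                out["pull_projects"].add(match.group(1))
    out["pull_projects"] = sorted(out["pull_projects"])
    return out


def grant_pull_command(host, registry_project, consumer_project_number):
    """gsutil command for the answer's step: objectViewer for another project's default compute SA."""
    prefix = "" if host == "gcr.io" else host.split(".")[0] + "."
    bucket = f"gs://{prefix}artifacts.{registry_project}.appspot.com"
    member = f"serviceAccount:{consumer_project_number}-compute@developer.gserviceaccount.com"
    return f"gsutil iam ch {member}:objectViewer {bucket}"
```

Run the audit against real `gsutil iam get` output before and after a grant: an empty `public` list confirms the registry stayed private, and `writers` shows any consumer that was given more than pull access.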
Context
StackExchange DevOps Q#6618, answer score: 3