
Using a cross project Google Container Registry

Share the same Container Registry across different GKE environments


It is common practice in most organizations to manage Docker images in a single namespace, such as a Google Cloud Project or an AWS account.

This dedicated CI/CD cloud project builds, pushes and tests Docker images, and continuously deploys new versions of those images to each Google Kubernetes Engine environment.

Those environments are provisioned under separate projects such as development, staging and production.

Container Builder, or any other CI such as GitLab CI/CD or Circle CI, to name but a few, can be used for this CI/CD purpose.

An interesting question is: how can the GKE cluster in each environment pull Docker images from the CI/CD project?

The tip: grant objectViewer on the Cloud Storage bucket housing the Docker container images.

Grant pull access to another project

Let’s say the GKE cluster in project coolgig-dev needs to pull a Docker image of ElasticSearch, such as: gcr.io/coolgig-cicd/elasticsearch:6.1.1.

  1. According to the documentation about access control for Container Registry, GKE by default uses the compute-engine service account, i.e. <project-number>-compute@developer.gserviceaccount.com, where <project-number> can be found via:

    gcloud projects describe coolgig-dev --format='value(projectNumber)'

  2. Then we grant the objectViewer role on the following GCS bucket to the compute-engine service account of coolgig-dev:

    gsutil iam ch \
    serviceAccount:<project-number>-compute@developer.gserviceaccount.com:objectViewer \
    gs://artifacts.coolgig-cicd.appspot.com

  3. And now you can pull an image from the CI/CD GCR in your development environment project, although it is coming from a different GCP project:

    gcloud config set project coolgig-dev
    gcloud docker -a
    docker pull gcr.io/coolgig-cicd/elasticsearch:6.1.1
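The three steps above as one added shell script (not from the original post): it derives the backing bucket and the compute-engine service account from the image reference and the project number, generalises the bucket mapping to the regional us./eu./asia. gcr.io hosts, and prints the exact grant before applying it. The project ids are the post's hypothetical coolgig-cicd and coolgig-dev.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post. Grants a GKE project's
# default node service account read access to another project's GCR bucket.
set -euo pipefail

# Map an image reference to the GCS bucket backing its registry host:
# gcr.io -> artifacts.<project>.appspot.com
# us./eu./asia.gcr.io -> <region>.artifacts.<project>.appspot.com
gcr_bucket_for_image() {
  local image="$1" host project
  host="${image%%/*}"
  project="${image#*/}"; project="${project%%/*}"
  case "$host" in
    gcr.io) echo "gs://artifacts.${project}.appspot.com" ;;
    us.gcr.io|eu.gcr.io|asia.gcr.io)
      echo "gs://${host%%.gcr.io}.artifacts.${project}.appspot.com" ;;
    *) echo "unsupported registry host: $host" >&2; return 1 ;;
  esac
}

# Default GKE node service account for a project number.
compute_sa_for() {
  echo "${1}-compute@developer.gserviceaccount.com"
}

# Build the grant command. objectViewer (read-only) is all a pull needs;
# never hand out objectAdmin or a project-level role for this.
grant_cmd() {
  local image="$1" project_number="$2"
  printf 'gsutil iam ch serviceAccount:%s:objectViewer %s\n' \
    "$(compute_sa_for "$project_number")" "$(gcr_bucket_for_image "$image")"
}

# Resolve the pulling project's number with gcloud, show the grant, apply it.
# IMAGE and PULL_PROJECT default to the post's hypothetical values.
main() {
  local image="${IMAGE:-gcr.io/coolgig-cicd/elasticsearch:6.1.1}"
  local pull_project="${PULL_PROJECT:-coolgig-dev}"
  command -v gcloud >/dev/null || { echo "gcloud not found" >&2; return 1; }
  local number cmd
  number="$(gcloud projects describe "$pull_project" --format='value(projectNumber)')"
  cmd="$(grant_cmd "$image" "$number")"
  echo "+ $cmd"
  eval "$cmd"
}

# Only touch IAM when explicitly asked: RUN_GRANT=1 ./grant.sh
if [ "${RUN_GRANT:-0}" = 1 ]; then main; fi
```

Note that objectViewer on the bucket grants read access to every image in that registry, not only the one being pulled, so list `gsutil iam get gs://artifacts.coolgig-cicd.appspot.com` afterwards and review which projects' service accounts hold it.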