It is common practice in most organizations to manage Docker images in a single namespace, such as a Google Cloud project or an AWS account.
The environments that consume those images are provisioned under separate projects.
An interesting question is how the GKE cluster in each environment can pull Docker images from the CI/CD project.
The tip: grant the objectViewer role on the Cloud Storage bucket that houses the Docker container images.
Grant pull access to another project
Let’s say the GKE cluster in project coolgig-dev needs to pull a Docker image of Elasticsearch.
According to the documentation about access control for Container Registry, GKE by default uses the Compute Engine service account, i.e. <project-number>-compute@developer.gserviceaccount.com, where <project-number> can be found via:
gcloud projects describe coolgig-dev --format='value(projectNumber)'
Then we can grant the objectViewer role on the following GCS bucket to the Compute Engine service account of coolgig-dev.
gsutil iam ch \
  serviceAccount:<project-number>-compute@developer.gserviceaccount.com:objectViewer \
  gs://artifacts.coolgig-cicd.appspot.com
And now you can pull an image from the CI/CD project’s GCR in your development project, even though it lives in a different GCP project:
gcloud config set project coolgig-dev
gcloud docker -a
docker pull gcr.io/coolgig-cicd/elasticsearch:6.1.1
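A grant like the one above is easy to forget about, and the artifacts bucket ends up holding objectViewer bindings for projects that no longer exist, or worse, a public principal. The script below is an added example, not part of the original post: it takes the JSON that `gsutil iam get gs://artifacts.<cicd-project>.appspot.com` prints, builds the expected member string for each consuming project's default Compute Engine service account (the same `<project-number>-compute@developer.gserviceaccount.com` form used in the grant), and reports public principals, objectViewer grants to anyone else, and consuming projects that are missing their grant. The project numbers and the policy documents are constructed sample data.

```python
"""Audit a GCR backing bucket's IAM policy for cross-project pull grants.

Added example. Input is the policy JSON captured with
`gsutil iam get gs://artifacts.<cicd-project>.appspot.com`; the only
principals expected to hold objectViewer are the consuming projects'
default Compute Engine service accounts.
"""
import json

OBJECT_VIEWER = "roles/storage.objectViewer"
# Principals that expose objects to everyone (or every Google account).
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
# Project convenience members that GCS places on every bucket by default.
CONVENIENCE_PREFIXES = ("projectOwner:", "projectEditor:", "projectViewer:")


def expected_member(project_number):
    """IAM member string for a project's default Compute Engine service account."""
    return f"serviceAccount:{project_number}-compute@developer.gserviceaccount.com"


def audit_policy(policy_json, consumer_project_numbers, registry_project):
    """Return a list of findings; an empty list means the policy is as expected."""
    policy = json.loads(policy_json)
    allowed = {expected_member(n) for n in consumer_project_numbers}
    granted = set()
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                findings.append(f"public principal {member} holds {role}")
                continue
            if role != OBJECT_VIEWER:
                continue
            if member in allowed:
                granted.add(member)
            elif member.startswith(CONVENIENCE_PREFIXES) and member.endswith(":" + registry_project):
                continue  # the registry project's own convenience members are fine
            else:
                findings.append(f"unexpected objectViewer grant to {member}")
    for member in sorted(allowed - granted):
        findings.append(f"{member} lacks objectViewer; pulls from that project will fail")
    return findings


# Constructed sample: one stale grant (project 9999...), one public principal,
# and a consuming project (2222...) that was never granted access.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/storage.legacyBucketOwner",
         "members": ["projectEditor:coolgig-cicd", "projectOwner:coolgig-cicd"]},
        {"role": "roles/storage.legacyBucketReader",
         "members": ["projectViewer:coolgig-cicd"]},
        {"role": OBJECT_VIEWER,
         "members": ["serviceAccount:111111111111-compute@developer.gserviceaccount.com",
                     "serviceAccount:999999999999-compute@developer.gserviceaccount.com",
                     "allAuthenticatedUsers"]},
    ],
    "etag": "CAE=",
})

# Constructed sample with exactly the expected grant and nothing else.
CLEAN_POLICY = json.dumps({
    "bindings": [
        {"role": OBJECT_VIEWER,
         "members": ["serviceAccount:111111111111-compute@developer.gserviceaccount.com"]},
    ],
    "etag": "CAE=",
})

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY, ["111111111111", "222222222222"], "coolgig-cicd"):
        print(finding)
```

In practice you would pipe `gsutil iam get` into this with the project numbers of every environment that should be allowed to pull, run it from CI on a schedule, and fail the job on any finding; the bucket-level binding is the whole trust boundary for the registry, so it deserves the same review as the cluster's own IAM.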