
Re: Pulling image from Google Cloud Registry failing with 403



Certain secrets can't be removed (the ones that identify the service account itself). Others should be able to (bug if it can't).

On Wed, Sep 14, 2016 at 7:33 AM, Andre Esser <andre esser voidbridge com> wrote:
On 2016-09-13 18:55, Clayton Coleman wrote:
On Sep 13, 2016, at 1:18 PM, Andre Esser <andre esser voidbridge com> wrote:

It's Origin 1.2.1.

Interesting entries in the node's /var/log/messages are:
------------------------------------------------------------------->
[...]
origin-node: Pulling image eu.gcr.io/vb-europe/graylog-stack-deployer:latest without credentials
[...]
<----------------------------------------------------------------------

'without credentials' seems to indicate that the google-cloud-registry
secret isn't used at all?

Yeah.  Can you double check that your created pod and service account
names (and the linked secret names) all line up?

OK, I figured out what was wrong. The secret had to be added to the service account that was actually building the pod, which in our case is different to the default account 'builder'.

Also this had to be done for the project the pod was destined to be running in, if it's not running in 'default'.

I've noticed that once a secret has been added to a service account it can no longer be removed. Is this correct?


Thanks,

Andre
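
An added example, not part of the original thread: a check for the mismatch found above, where the pull secret must be linked to the service account that actually runs the pod, in the pod's own project. The objects are constructed samples shaped like `oc get ... -o json` output; the `logging` project and `deployer-sa` account are made-up names, and only service-account linkage is checked (not pod-level `imagePullSecrets`).

```python
import json

# Constructed sample objects shaped like `oc get <kind> -o json` output.
# "logging" and "deployer-sa" are hypothetical names used for illustration.
PULL_SECRET_TYPES = {"kubernetes.io/dockercfg", "kubernetes.io/dockerconfigjson"}

CLUSTER = json.loads("""
{
  "serviceaccounts": [
    {"metadata": {"namespace": "default", "name": "builder"},
     "imagePullSecrets": [{"name": "google-cloud-registry"}]},
    {"metadata": {"namespace": "logging", "name": "deployer-sa"},
     "imagePullSecrets": []}
  ],
  "secrets": [
    {"metadata": {"namespace": "default", "name": "google-cloud-registry"},
     "type": "kubernetes.io/dockercfg"}
  ]
}
""")

def find(items, namespace, name):
    """Look up an object by project (namespace) and name."""
    for obj in items:
        meta = obj["metadata"]
        if meta["namespace"] == namespace and meta["name"] == name:
            return obj
    return None

def diagnose_pull(pod, cluster, secret_name):
    """Return the reasons secret_name would not be used when pulling for pod."""
    ns = pod["metadata"]["namespace"]
    sa_name = pod["spec"].get("serviceAccountName", "default")
    sa = find(cluster["serviceaccounts"], ns, sa_name)
    if sa is None:
        return [f"service account {ns}/{sa_name} not found"]
    problems = []
    linked = {ref["name"] for ref in sa.get("imagePullSecrets") or []}
    if secret_name not in linked:
        problems.append(f"{secret_name} is not an imagePullSecret of {ns}/{sa_name}")
    secret = find(cluster["secrets"], ns, secret_name)
    if secret is None:
        problems.append(f"secret {secret_name} does not exist in project {ns}")
    elif secret["type"] not in PULL_SECRET_TYPES:
        problems.append(f"secret {secret_name} has type {secret['type']}")
    return problems

POD = {"metadata": {"namespace": "logging", "name": "graylog"},
       "spec": {"serviceAccountName": "deployer-sa"}}

if __name__ == "__main__":
    print("\n".join(diagnose_pull(POD, CLUSTER, "google-cloud-registry")) or "ok")
```

For the sample pod both checks fail: the secret is linked only to `builder` in `default`, so a pod run by another account in another project pulls without credentials.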

