Pulling container images from management cluster

We have a GCP project where we have the container registry. We have a public management cluster and we also have an Azure private cluster deployed through Anthos in that GCP project. Both clusters belong to the same fleet.

How can I grant permission to pull the container images from the container registry to the above Anthos cluster? 

To pull images to the management cluster itself we use workload identity federation. But to pull images to the Anthos cluster, can we just rely on workload identity in the same way or do I have to use image pull secrets? 


Good Day!

Looks like Workload Identity Federation is the best fit for your use case. It is designed to let external identities, such as Azure, impersonate a GCP service account and take on all of its permissions. If you've set this up correctly, your Anthos workloads can indeed assume the identity of a GCP service account, and you then grant that service account the permissions required to pull images. Here is some documentation for reference. [1][2]

[1] https://cloud.google.com/iam/docs/workload-identity-federation

[2] https://cloud.google.com/anthos/fleet-management/docs/fleet-creation#configuring_workload_identity

The official Anthos documentation doesn't mention workload identity federation for the above purpose: https://cloud.google.com/anthos/clusters/docs/multi-cloud/azure/how-to/private-registry. I followed the official documentation and I'm not sure that works either.

1. Are you sure that workload identity federation can be used for pulling images from the GCP Artifact Registry to the Anthos Azure cluster?
2. Are the steps in the official guide https://cloud.google.com/anthos/clusters/docs/multi-cloud/azure/how-to/private-registry actually accurate and complete?

Hello @pcperera 

To grant permission for your Anthos user cluster to pull container images from the GCP Artifact Registry, you can follow the steps outlined in the official guide at https://cloud.google.com/anthos/clusters/docs/multi-cloud/azure/how-to/private-registry as you mentioned.

Before proceeding, ensure that your Azure private AKS cluster has the necessary access to the Artifact Registry. Once you've confirmed this, you can configure a service account and Kubernetes registry secret to enable image pulling into your user cluster.

I recommend following the documented steps and providing feedback if you encounter any issues or have further questions.
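The service-account-plus-registry-secret approach the reply above points to, as an added example that is not code from this thread or from Google's guide: it builds the `kubernetes.io/dockerconfigjson` Secret offline so its contents can be inspected before `kubectl apply`, then attaches it to the namespace's default service account. Project, service-account, registry-host and secret names are assumed placeholders, and the sample key is constructed.

```shell
set -eu

# Assumed names (placeholders): substitute your project, account and registry host.
PROJECT_ID="${PROJECT_ID:-my-gcp-project}"
SA_NAME="${SA_NAME:-ar-image-puller}"
REGISTRY_HOST="${REGISTRY_HOST:-us-docker.pkg.dev}"
SECRET_NAME="ar-pull-secret"
SA_EMAIL="${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"
# Constructed, obviously fake key so the functions below can be exercised offline.
SAMPLE_KEY='{"type":"service_account","project_id":"my-gcp-project","private_key":"FAKE"}'

# GCP side, run once with gcloud (not invoked here): a dedicated service account
# bound read-only to the single repository, and one key for it (key.json).
provision_reader_sa() {  # $1 = repository name, $2 = location
  gcloud iam service-accounts create "$SA_NAME" --project "$PROJECT_ID"
  gcloud artifacts repositories add-iam-policy-binding "$1" --location "$2" \
    --project "$PROJECT_ID" --member "serviceAccount:${SA_EMAIL}" \
    --role roles/artifactregistry.reader
  gcloud iam service-accounts keys create key.json --iam-account "$SA_EMAIL"
}

# Artifact Registry accepts user "_json_key" with the raw key JSON as password;
# kubelet reads that pair from the base64 "auth" field, so no JSON escaping is needed.
docker_config_json() {  # $1 = key JSON content, e.g. "$(cat key.json)"
  local auth
  auth=$(printf '_json_key:%s' "$1" | base64 | tr -d '\n')
  printf '{"auths":{"%s":{"auth":"%s"}}}' "$REGISTRY_HOST" "$auth"
}

# Decode the auth field back out to confirm which identity the cluster presents.
decode_auth() {  # $1 = docker config JSON
  printf '%s' "$1" | sed 's/.*"auth":"\([^"]*\)".*/\1/' | base64 -d
}

# The Secret the guide has you create, as a manifest you can inspect first.
pull_secret_manifest() {  # $1 = key JSON content, $2 = namespace
  local cfg_b64
  cfg_b64=$(docker_config_json "$1" | base64 | tr -d '\n')
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\n' \
    "$SECRET_NAME" "$2"
  printf 'type: kubernetes.io/dockerconfigjson\ndata:\n  .dockerconfigjson: %s\n' \
    "$cfg_b64"
}

# Cluster side (kubectl against the Anthos cluster): apply the Secret and let the namespace's default SA carry it.
install_pull_secret() {  # $1 = key file path, $2 = namespace
  pull_secret_manifest "$(cat "$1")" "$2" | kubectl apply -f -
  kubectl -n "$2" patch serviceaccount default \
    -p "{\"imagePullSecrets\":[{\"name\":\"${SECRET_NAME}\"}]}"
}
```

Pods in the patched namespace inherit the pull secret through the default service account; pods using another service account still need it listed under `imagePullSecrets`.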
