
Cloud Run and GKE Autopilot fine using the same image from Artifact or Container Registry

My understanding is that when a service is deployed in either Cloud Run or GKE, the container image is downloaded into an instance by each service and the original image can't be affected by the running container. Due to this, there shouldn't be any issues deploying a service with either product pointing to the same image, correct? The image won't somehow be corrupted, right? I know two duplicate services in different products may encounter the problem of trying to access the same database and other functions, but we are concerned something might happen to the container itself stored in either registry.

1 ACCEPTED SOLUTION

Your understanding is right: when you deploy referencing an image in Artifact Registry, the respective service is simply downloading (or streaming) the image and then starting it up. The only way it could affect the image stored in the registry is if the code inside the image itself was written in some way (and had permission via the service account identity) to actually modify the registry, but for general use there wouldn't be any expectation of 'corruption' etc.

One other thing to explore is pulling the image by referencing the image digest; this is the sha256 hash value of the image contents. Each version of an image has a unique image digest. That way, if for some reason the image did get modified in some way and the image tag pointed to a new version, your service continues to pull the specific version, rather than the newer one, until such point that you update it.

And then, if you want to get really advanced, you can explore Binary Authorization, which ensures only signed valid images can be deployed: https://cloud.google.com/binary-authorization


2 REPLIES

Correct. Neither Cloud Run nor GKE modifies the images stored in the registry. Images are always pulled locally to either runtime.
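
The tag-versus-digest behaviour suggested in the accepted solution, as an added example that is not part of the original thread and is not Google's code. `ToyRegistry` is a hypothetical in-memory model of a registry, and the project and repository names are constructed placeholders.

```python
import hashlib
import re

# Digest-pinned reference: <repository>@sha256:<64 hex characters>
DIGEST_REF = re.compile(r"^(?P<repo>[^@\s]+)@(?P<digest>sha256:[0-9a-f]{64})$")

def manifest_digest(manifest: bytes) -> str:
    """The image digest is the SHA-256 of the image manifest bytes."""
    return "sha256:" + hashlib.sha256(manifest).hexdigest()

def split_tag(ref: str):
    """Split 'repo:tag'; a ':' before the last '/' is a port, not a tag."""
    repo, sep, tag = ref.rpartition(":")
    return (repo, tag) if sep and "/" not in tag else (ref, "latest")

class ToyRegistry:
    """In-memory stand-in for a registry (assumption, not a Google API)."""
    def __init__(self):
        self.blobs = {}  # digest -> manifest bytes, content-addressed
        self.tags = {}   # (repo, tag) -> digest, a mutable pointer

    def push(self, repo: str, tag: str, manifest: bytes) -> str:
        digest = manifest_digest(manifest)
        self.blobs[digest] = manifest
        self.tags[(repo, tag)] = digest  # pushing an existing tag moves it
        return digest

    def pull(self, ref: str):
        m = DIGEST_REF.match(ref)
        digest = m["digest"] if m else self.tags[split_tag(ref)]
        manifest = self.blobs[digest]
        # A client pulling by digest can verify what it received.
        if manifest_digest(manifest) != digest:
            raise ValueError(f"content does not match {digest}")
        return digest, manifest

def unpinned(refs):
    """Return the references that would follow a tag if it moved."""
    return [r for r in refs if not DIGEST_REF.match(r)]

if __name__ == "__main__":
    reg = ToyRegistry()
    # Constructed sample values; project and repository names are placeholders.
    repo = "us-docker.pkg.dev/example-project/example-repo/app"
    first = reg.push(repo, "v1", b'{"layers": ["build-1"]}')
    pinned = f"{repo}@{first}"
    reg.push(repo, "v1", b'{"layers": ["build-2"]}')  # tag v1 now points elsewhere
    print("by tag   :", reg.pull(f"{repo}:v1")[1])
    print("by digest:", reg.pull(pinned)[1])
    print("unpinned :", unpinned([pinned, f"{repo}:v1"]))
```

Running `unpinned` over the image references used by both the Cloud Run service and the GKE workload shows which of them would pick up a different image if the tag were moved.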
