Set up a central Google Cloud project for your organization, so that you can share pipeline container images in Container Registry across your organization. This guide describes how to ensure that your Kubeflow Pipelines system can access your shared pipeline container images. There are two parts to this process:
- Creating a shared Container Registry in a central Google Cloud project.
- Granting your Kubeflow Pipelines clusters access to your shared Container Registry.
These procedures are not necessary if your shared pipeline's container images are publicly accessible, or if the container images are registered to the same Google Cloud project as the Kubeflow Pipelines clusters.
Create a Google Cloud project and enable Container Registry
Create a central Google Cloud project for hosting your organization's pipeline containers on Container Registry. This procedure is currently the best way to ensure that the container images are accessible to the Kubeflow Pipelines system. The Kubeflow Pipelines system runs the container jobs when you download and deploy a pipeline from AI Hub.
You only need to follow the steps in this section once.
Sign in to your Google Account.
If you don't already have one, sign up for a new account.
In the Google Cloud Console, on the project selector page, select or create a Google Cloud project.
Make sure that billing is enabled for your Cloud project. Learn how to confirm that billing is enabled for your project.
- Enable the Container Registry API.
Share the Google Cloud project ID within your organization
Communicate the Google Cloud project ID to all users of AI Hub within your organization.
- When members of your organization create a pipeline for publication on AI Hub, they should push the pipeline's containers to Container Registry in the central Google Cloud project.
- When members of your organization deploy a pipeline from AI Hub, they should ensure that their Kubeflow Pipelines environment has been granted access to the shared Container Registry.
Grant Kubeflow Pipelines access to your shared Container Registry
When you deploy a Kubeflow cluster on Google Kubernetes Engine, the VMs in the cluster run under a service account so that they can access other Google Cloud services.
Follow these steps to grant the service account the necessary access to your organization's shared Container Registry:
Find the service account for the VMs:
Go to the Compute Engine page on the Cloud Console.
Find a VM in your GKE cluster.
Click the name of the VM to see the VM instance details page.
Find the service account name under Service account.
Follow the Container Registry guide to grant the service account read permissions for your organization's shared Container Registry.
- Learn how to upload a pipeline on AI Hub.
- Learn how to deploy a pipeline from AI Hub.
- Learn more about Kubeflow pipelines and components by reading the guide to understanding Kubeflow pipelines and components.
- Understand important concepts and terms by reading the introduction to AI Hub.