Set up a central Google Cloud project for your organization, so that you can share pipeline container images in Container Registry across your organization. This guide describes how to ensure that your Kubeflow Pipelines system can access your shared pipeline container images. There are two parts to this process:
- Creating a shared Container Registry in a central Google Cloud project.
- Granting your Kubeflow Pipelines clusters access to your shared Container Registry.
These procedures are not necessary if your shared pipeline's container images are publicly accessible, or if the container images are registered to the same Google Cloud project as the Kubeflow Pipelines clusters.
Create a Google Cloud project and enable Container Registry
Create a central Google Cloud project for hosting your organization's pipeline containers on Container Registry. This procedure is currently the best way to ensure that the container images are accessible to the Kubeflow Pipelines system. The Kubeflow Pipelines system runs the container jobs when you download and deploy a pipeline from AI Hub.
You only need to follow the steps in this section once.
1. Sign in to your Google Account. If you don't already have one, sign up for a new account.
2. In the Cloud Console, on the project selector page, select or create a Cloud project.
3. Make sure that billing is enabled for your Google Cloud project. Learn how to confirm billing is enabled for your project.
4. Enable the Container Registry API.
Share the Google Cloud project ID within your organization
Communicate the Google Cloud project ID to all users of AI Hub within your organization.
- When members of your organization create a pipeline for publication on AI Hub, they should push the pipeline's containers to Container Registry in the central Google Cloud project.
- When members of your organization deploy a pipeline from AI Hub, they should ensure that their Kubeflow Pipelines environment has been granted access to the shared Container Registry.
Grant Kubeflow Pipelines access to your shared Container Registry
When you deploy a Kubeflow cluster on Google Kubernetes Engine, the VMs in the cluster run under a service account so that they can access other Google Cloud services.
Follow these steps to grant the service account the necessary access to your organization's shared Container Registry:
1. Find the service account for the VMs:
   1. Go to the Compute Engine page on the Cloud Console.
   2. Find a VM in your GKE cluster.
   3. Click the name of the VM to see the VM instance details page.
   4. Find the service account name under Service account.
2. Follow the Container Registry guide to grant the service account read permissions for your organization's shared Container Registry.
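The same two steps from the command line, as an added example that is not part of the original guide: it looks up a node VM's service account and builds a read-only grant scoped to the registry's storage bucket rather than to the whole central project. The function names are hypothetical helpers, and the instance name, zone and project IDs are arguments you supply.

```bash
#!/usr/bin/env bash
# Added example. Helper names are hypothetical; all IDs come from the caller.

# Container Registry keeps image layers in a Cloud Storage bucket in the
# host project; the bucket name depends on the registry hostname.
gcr_bucket() {  # usage: gcr_bucket REGISTRY_HOST CENTRAL_PROJECT_ID
  case "$1" in
    gcr.io) echo "artifacts.$2.appspot.com" ;;
    us.gcr.io|eu.gcr.io|asia.gcr.io)
      echo "${1%%.*}.artifacts.$2.appspot.com" ;;
    *) echo "unsupported registry host: $1" >&2; return 1 ;;
  esac
}

# Build the grant: objectViewer (read-only) on that one bucket only.
grant_cmd() {  # usage: grant_cmd SA_EMAIL REGISTRY_HOST CENTRAL_PROJECT_ID
  local bucket
  bucket=$(gcr_bucket "$2" "$3") || return 1
  case "$1" in
    *@*.gserviceaccount.com) ;;  # refuse user or group identities
    *) echo "not a service account email: $1" >&2; return 1 ;;
  esac
  echo "gsutil iam ch serviceAccount:$1:objectViewer gs://$bucket"
}

# Look up the service account that one GKE node VM runs under.
node_service_account() {  # usage: node_service_account INSTANCE ZONE CLUSTER_PROJECT
  gcloud compute instances describe "$1" --zone "$2" --project "$3" \
    --format='value(serviceAccounts[0].email)'
}

# Runs only when called as:
#   script INSTANCE ZONE CLUSTER_PROJECT REGISTRY_HOST CENTRAL_PROJECT_ID
# Prints the command for review; set APPLY=1 to execute it.
if [ "$#" -eq 5 ]; then
  sa=$(node_service_account "$1" "$2" "$3") || exit 1
  cmd=$(grant_cmd "$sa" "$4" "$5") || exit 1
  echo "$cmd"
  if [ "${APPLY:-0}" = 1 ]; then $cmd; fi
fi
```

The bucket exists only after the first image has been pushed to that registry host in the central project, so push an image before applying the grant.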