Using Container Registry with Google Cloud Platform

Compute resources in Google Cloud Platform are integrated with Container Registry for easy access. This document describes the required access settings to push and pull images within Google Cloud Platform.

Requirements

The correct permissions and access scopes must be configured for VMs that are used to pull or push images.

IAM permissions

IAM permissions must be configured for the service account that accesses the Container Registry storage bucket.

  • To pull private Docker images, the service account used by VM instances must have read permission to the image's storage bucket.
  • To push private Docker images, the service account used by VM instances must have read-write or full-control permission to the image's storage bucket.

Refer to Configuring access control for details on the required permissions.

Access scopes

Access scopes are the OAuth scopes attached to the credentials a VM obtains from the metadata server; the gcloud tool and the Docker credential helper running on the instance use those credentials by default. Scopes only narrow what the instance's service account can do: the effective access is the intersection of the service account's IAM permissions and the instance's access scopes, so both must allow the operation. VM instances that push or pull images must have the correct storage access scope configured to successfully work with Container Registry.

For pulling images only, the read-only storage scope (storage-ro, https://www.googleapis.com/auth/devstorage.read_only) is sufficient. For pushing and pulling images, set the read-write storage scope (storage-rw, https://www.googleapis.com/auth/devstorage.read_write). Give instances that only pull the read-only scope: a broader scope such as cloud-platform also works, but it widens what a compromised instance can reach.

Setting scopes on a VM instance

To create a new VM instance and specify the scopes, use the --scopes option.

  • For an instance with the read-only storage scope, run the command:

    gcloud compute instances create INSTANCE \
    --scopes https://www.googleapis.com/auth/devstorage.read_only
    
  • For an instance with the read-write storage scope, run the command:

    gcloud compute instances create INSTANCE \
    --scopes https://www.googleapis.com/auth/devstorage.read_write
    
    

To change an instance's service account or access scopes, the instance must be stopped first. To stop your instance, read the documentation for Stopping an instance. After changing the service account or access scopes, restart the instance; the new scopes apply only to credentials issued after the restart. Use one of the following commands to change the access scopes of the stopped instance (add --service-account to change the service account at the same time).

  • To set the read-only storage scope, run the command:

    gcloud compute instances set-service-account INSTANCE --scopes=storage-ro
    
  • To set the read-write storage scope, run the command:

    gcloud compute instances set-service-account INSTANCE --scopes=storage-rw
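As an added example (this script is not part of the Container Registry documentation): a small POSIX shell check that reads the default service account's scopes from the metadata server when run on a VM, falls back to a constructed sample scope list otherwise, reports whether the instance's scopes allow pushing or pulling, and prints the set-service-account command that widens them. The metadata endpoint and scope URLs are real; the instance name, zone and sample scope lists are placeholders, and a "push" result here still requires the bucket IAM permissions described above, since scopes and IAM are intersected.

```shell
#!/bin/sh
# Added example, not code from the Container Registry docs. Decides from an
# instance's access scopes whether Container Registry pushes and pulls can
# work, and emits the gcloud command that changes the scopes.
# The metadata server URL and header are real; the sample scope list is
# constructed. Instance name and zone are placeholders.

METADATA_URL="http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes"

# Fetch the scopes of the instance's default service account.
# Only succeeds on a Compute Engine VM; elsewhere it fails quickly.
scopes_from_metadata() {
  curl -sf --max-time 3 -H "Metadata-Flavor: Google" "$METADATA_URL"
}

# Classify a newline-separated scope list: prints "push", "pull" or "none".
# cloud-platform and devstorage.full_control are supersets of read_write.
# Scopes only restrict the token; IAM on the bucket must also allow the operation.
registry_access_from_scopes() {
  scopes="$1"
  if printf '%s\n' "$scopes" | grep -qxE \
     'https://www.googleapis.com/auth/(cloud-platform|devstorage\.(read_write|full_control))'; then
    echo push
  elif printf '%s\n' "$scopes" | grep -qx 'https://www.googleapis.com/auth/devstorage.read_only'; then
    echo pull
  else
    echo none
  fi
}

# Print the remediation command for the access a VM needs
# (the instance must be stopped before it is run, and restarted afterwards).
scope_fix_command() {
  instance="$1"; zone="$2"; need="$3"
  case "$need" in
    push) alias=storage-rw ;;
    pull) alias=storage-ro ;;
    *) echo "unknown access level: $need" >&2; return 1 ;;
  esac
  echo "gcloud compute instances set-service-account $instance --zone=$zone --scopes=$alias"
}

# Constructed sample: the Compute Engine default scope set (read-only storage).
SAMPLE_DEFAULT_SCOPES="https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring.write"

main() {
  scopes=$(scopes_from_metadata 2>/dev/null) || scopes="$SAMPLE_DEFAULT_SCOPES"
  have=$(registry_access_from_scopes "$scopes")
  echo "registry access permitted by scopes: $have"
  if [ "$have" != push ]; then
    echo "to push images, stop the instance, run the following, then start it again:"
    scope_fix_command my-instance us-central1-a push
  fi
}

main "$@"
```

Run it on the VM whose scopes you want to audit; off a VM it evaluates the constructed default scope set, which is why a freshly created instance with default scopes can pull but not push.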
    

Setting scopes on a Google Kubernetes Engine cluster

By default, new Google Kubernetes Engine clusters are created with the read-only storage scope on their nodes. To set the read-write storage scope when creating a Google Kubernetes Engine cluster, use the --scopes option. For example, the following command creates a cluster with the scopes bigquery, storage-rw, and compute-ro:

    gcloud container clusters create example-cluster \
    --scopes=bigquery,storage-rw,compute-ro

For more information about scopes you can set when creating a new cluster, refer to the documentation for the command gcloud container clusters create.

Compute Engine

If the VM instance for pushing or pulling images and the Container Registry storage bucket are in the same Google Cloud Platform project, the Compute Engine default service account is configured with appropriate permissions to push or pull images. If the VM instance is in a different project or if the instance uses a different service account, you must configure access to the storage bucket used by the repository.

By default, a Compute Engine VM has the read-only access scope configured for storage buckets. To push private Docker images, your instance must have read-write storage access scope configured as described in Access scopes.

Container-optimized Compute Engine Instances

For information about how to start a container-optimized Compute Engine instance using an image in your registry, see Starting a Docker container via cloud-config.

For additional information, see Creating and Configuring Instances.

Google Kubernetes Engine

Google Kubernetes Engine uses the service account configured on the VM instances of cluster nodes to push and pull images.

If the Google Kubernetes Engine cluster and the Container Registry storage bucket are in the same Google Cloud Platform project, the Compute Engine default service account is configured with the appropriate permissions to push or pull images. If the cluster is in a different project or if the VMs in the cluster use a different service account, you must configure access to the storage bucket used by the repository.

By default, a Compute Engine VM has the read-only access scope configured for storage buckets. To push private Docker images, your instance must have read-write storage access scope configured as described in Access scopes.

Running an image

You can run a Container Registry image on a Google Kubernetes Engine cluster using the following command:

kubectl run [NAME] --image=[HOSTNAME]/[PROJECT-ID]/[IMAGE]:[TAG]

where:

  • [NAME] is the name of the resource
  • [HOSTNAME] is listed under Location in the console. It's one of four options: gcr.io, us.gcr.io, eu.gcr.io, or asia.gcr.io.
  • [PROJECT-ID] is your Google Cloud Platform Console project ID. If your project ID contains a colon (:), see Domain-scoped projects.
  • [IMAGE] is the image's name in Container Registry.
  • [TAG] is the tag that identifies the version of the image in Container Registry. If you do not specify a tag, Container Registry will look for the default tag latest.

For more information about Kubernetes commands, see Overview of kubectl. If your images are in another project, you explicitly need to grant read access to the service account used by the Google Kubernetes Engine cluster on the storage bucket storing the images.
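The cross-project case described in the Compute Engine and Google Kubernetes Engine sections above comes down to granting the pulling service account read access on the bucket that backs the registry. As an added example, not code from the original page: a POSIX shell script that splits an image reference into host, project, image and tag or digest, derives the bucket name Container Registry uses for that host (artifacts.PROJECT-ID.appspot.com for gcr.io, REGION.artifacts.PROJECT-ID.appspot.com for the regional hosts), and prints the gsutil command that grants a node service account read access plus the kubectl run command. The project IDs, node service account and image name are constructed placeholders, and the script assumes a plain project ID (a domain-scoped ID, which appears as two path elements, is not mapped to a bucket).

```shell
#!/bin/sh
# Added example, not code from the Container Registry docs. Resolves an image
# reference to the Cloud Storage bucket behind it and prints the commands that
# let a cluster in another project pull from it. Bucket naming is Container
# Registry's; project IDs, service account and image are constructed.

# Map a registry host to the bucket that stores that registry's layers.
gcr_bucket() {
  host="$1"; project="$2"
  case "$host" in
    gcr.io) echo "artifacts.$project.appspot.com" ;;
    us.gcr.io|eu.gcr.io|asia.gcr.io) echo "${host%%.gcr.io}.artifacts.$project.appspot.com" ;;
    *) echo "not a Container Registry host: $host" >&2; return 1 ;;
  esac
}

# Split HOST/PROJECT/IMAGE[:TAG|@DIGEST] into "host project image version".
# The image name may itself contain slashes. A tag may only follow the last
# '/', and a digest is introduced by '@'; a missing tag means "latest".
parse_image_ref() {
  ref="$1"
  host="${ref%%/*}"; rest="${ref#*/}"
  project="${rest%%/*}"; path="${rest#*/}"
  case "$path" in
    *@*) image="${path%%@*}"; version="${path#*@}" ;;
    *)
      last="${path##*/}"
      case "$last" in
        *:*) version="${path##*:}"; image="${path%:*}" ;;
        *) version=latest; image="$path" ;;
      esac ;;
  esac
  echo "$host $project $image $version"
}

# Read on the bucket (roles/storage.objectViewer) is all a pull needs;
# do not hand a pulling cluster objectAdmin or legacy bucket owner rights.
grant_pull_command() {
  bucket="$1"; sa="$2"
  echo "gsutil iam ch serviceAccount:$sa:objectViewer gs://$bucket"
}

main() {
  # Constructed placeholders: an image in one project, nodes in another.
  ref="${1:-eu.gcr.io/registry-project/team/app:1.4.2}"
  sa="${2:-cluster-nodes@cluster-project.iam.gserviceaccount.com}"
  set -- $(parse_image_ref "$ref")
  bucket=$(gcr_bucket "$1" "$2") || return 1
  echo "# image $3 at version $4 is stored in gs://$bucket"
  if [ "$4" = latest ]; then
    echo "# warning: no tag given; 'latest' is mutable, pin a tag or a digest"
  fi
  echo "# 1. run with rights on the registry project's bucket:"
  grant_pull_command "$bucket" "$sa"
  echo "# 2. then, against the cluster whose nodes run as $sa:"
  echo "kubectl run app --image=$ref"
}

main "$@"
```

Pass a different reference and service account as the two arguments; a reference pinned by digest (IMAGE@sha256:...) is accepted and is the form to prefer for production workloads, since a tag can be moved after the image has been reviewed.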

App Engine Flexible Environment

You can use the App Engine Flexible Environment to customize an existing runtime (such as Java 8), or to provide your own runtime by supplying a custom Docker image or Dockerfile.

The flexible environment automatically builds your container images using Cloud Build and stores them in Container Registry.

If the VM instance you are using to push or pull images and the Container Registry storage bucket are in the same Google Cloud Platform project, the Compute Engine default service account is configured with the appropriate permissions to push or pull images. If the VMs are in a different project or if the VMs use a different service account, you must configure access to the storage bucket used by the repository.

By default, a Compute Engine VM has the read-only access scope configured for storage buckets. To push private Docker images, your instance must have read-write storage access scope configured as described in Access scopes.

Deploying to App Engine

You can deploy an image hosted by Container Registry to App Engine using the gcloud command-line tool.

You can use the gcloud beta app gen-config command in your image's root directory to automatically create the app.yaml file needed to deploy to App Engine. Alternatively, you can write the file yourself.

Once you have created the App Engine configuration file, built your Docker image, and pushed your image to Container Registry, you can deploy your image to App Engine by running the following command:

gcloud app deploy --image-url=[HOSTNAME]/[PROJECT-ID]/[IMAGE]:[TAG]

where:

  • [HOSTNAME] is listed under Location in the console. It's one of four options: gcr.io, us.gcr.io, eu.gcr.io, or asia.gcr.io.
  • [PROJECT-ID] is your Google Cloud Platform Console project ID. If your project ID contains a colon (:), see Domain-scoped projects.
  • [IMAGE] is the image's name in Container Registry.
  • [TAG] is the tag that identifies the version of the image in Container Registry. If you do not specify a tag, Container Registry will look for the default tag latest.