Using GCR on a (non-GKE) Kubernetes Cluster

First, if you don't yet have an artifacts bucket for GCR, you will need to push an image to the registry to create the storage account. This can be any image (e.g. busybox), and the push is ideally done as a project owner or editor.

$ gsutil ls 'gs://artifacts.*'
< no output >
$ gcloud auth configure-docker
$ docker pull busybox:latest
$ docker tag busybox:latest gcr.io/<PROJ_ID>/busybox
$ docker push gcr.io/<PROJ_ID>/busybox
$ gsutil ls 'gs://artifacts.*'
gs://artifacts.<PROJ_ID>.appspot.com/containers/

Now you can create a service account for pulling containers and add the objectViewer role so it can retrieve images:

$ gcloud iam service-accounts create gcr-pull \
	--description="SA to pull GCR images"
Created service account [gcr-pull].
$ gsutil iam ch \
	serviceAccount:gcr-pull@<PROJ_ID>.iam.gserviceaccount.com:objectViewer \
	gs://artifacts.<PROJ_ID>.appspot.com

Then create a keyfile:

$ gcloud iam service-accounts keys create gcr-pull.json \
	--iam-account gcr-pull@<PROJ_ID>.iam.gserviceaccount.com
created key [f41363c158c072b56b6e8670440605b29f6057c2] of type [json] as [gcr-pull.json] for [gcr-pull@<PROJ_ID>.iam.gserviceaccount.com]

Now this keyfile can be used as registry credentials in Kubernetes:

$ kubectl create secret docker-registry gcr-keyfile \
	--docker-server=gcr.io \
	--docker-username=_json_key \
	--docker-password="$(cat gcr-pull.json)" \
	--docker-email=gcr-pull@<PROJ_ID>.iam.gserviceaccount.com
secret/gcr-keyfile created

If you want the default Service Account to use this pull secret:

$ kubectl patch serviceaccount default \
	-p '{"imagePullSecrets": [{"name": "gcr-keyfile"}]}'
serviceaccount/default patched

Alternatively, add the following to each pod spec, at the same level as spec.containers:

imagePullSecrets:
  - name: gcr-keyfile

Now you should be good to go.
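
To see what the gcr-keyfile secret actually holds, here is an added example (not part of the original post). It builds the same kind of kubernetes.io/dockerconfigjson Secret from a keyfile, then decodes it to report which service account key is embedded. The function names and the sample keyfile are assumptions made for illustration; the keyfile contains placeholder values only.

```python
import base64
import json

# Constructed sample keyfile: placeholder values only, not a real credential.
SAMPLE_KEYFILE = json.dumps({
    "type": "service_account",
    "private_key_id": "0000placeholder0000",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "gcr-pull@example-proj.iam.gserviceaccount.com",
})


def build_pull_secret(name, keyfile_json, server="gcr.io"):
    """Return a Secret manifest with the structure of a docker-registry secret."""
    key = json.loads(keyfile_json)
    if key.get("type") != "service_account":
        raise ValueError("not a service account keyfile")
    # Registry basic auth is base64("<username>:<password>"); for GCR the
    # username is the literal _json_key and the password is the whole keyfile.
    auth = base64.b64encode(f"_json_key:{keyfile_json}".encode()).decode()
    config = {"auths": {server: {
        "username": "_json_key",
        "password": keyfile_json,
        "email": key["client_email"],
        "auth": auth,
    }}}
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "kubernetes.io/dockerconfigjson",
        "metadata": {"name": name},
        "data": {".dockerconfigjson":
                 base64.b64encode(json.dumps(config).encode()).decode()},
    }


def audit_pull_secret(manifest):
    """Report which service account key each registry entry embeds."""
    config = json.loads(base64.b64decode(manifest["data"][".dockerconfigjson"]))
    report = {}
    for server, entry in config["auths"].items():
        user, _, password = base64.b64decode(entry["auth"]).decode().partition(":")
        key = json.loads(password) if user == "_json_key" else {}
        report[server] = (user, key.get("client_email"), key.get("private_key_id"))
    return report


if __name__ == "__main__":
    print(audit_pull_secret(build_pull_secret("gcr-keyfile", SAMPLE_KEYFILE)))
```

The private_key_id reported for a secret can be matched against the output of `gcloud iam service-accounts keys list` to decide which key to rotate or delete.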