Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Pull&Push Container Image From Artifact Registry #430

Open
oguzhanoyan opened this issue Jul 19, 2023 · 0 comments
Open

Pull&Push Container Image From Artifact Registry #430

oguzhanoyan opened this issue Jul 19, 2023 · 0 comments
Assignees
@zijianjoy
Labels
help wanted Extra attention is needed

Comments

@oguzhanoyan
Copy link

As you know, the container registry will be deprecated and no longer accessible. Our need is to pull & push images from the ubuntu_containerd Kubeflow node. In order to pull and push images to artifact registry in node, followed;

  1. Node-pool should have sufficient oauth scopes. which are storage-rw & cloud-platform
  2. Node-pool service account which is kubeflow-vm should have sufficient permission.
  3. And node should be created token.

So; I created a new node-pool which include sufficient oauth scope with gcloud

gcloud beta container --project "xxx" node-pools create "pool-1" --cluster "xxxx" --region "xxx" --node-version "1.25.9-gke.2300" --machine-type "e2-medium" --image-type "UBUNTU_CONTAINERD" --disk-type "pd-balanced" --disk-size "100" --metadata disable-legacy-endpoints=true --service-account "[email protected]" --spot --num-nodes "1" --enable-autoupgrade --enable-autorepair --scopes=storage-rw,cloud-platform --max-surge-upgrade 1 --max-unavailable-upgrade 0

And give artifact registry writer permission to "[email protected]" service account, then I managed to push the image from the node. So whoever needs don't know but adding these scope and permission to installation yamls should solve the problem. My proposal is;

  1. Adding https://www.googleapis.com/auth/devstorage.read_write oauth scope to containercluster kind instead of readonly
apiVersion: container.cnrm.cloud.google.com/v1beta1
kind: ContainerCluster
metadata:
  labels:
    mesh_id: "proj-PROJECT_NUMBER" # kpt-set: proj-${gcloud.project.projectNumber}
  name: KUBEFLOW-NAME # kpt-set: ${name}
spec:
  initialNodeCount: 2
  addonsConfig:
    httpLoadBalancing:
      disabled: false
  clusterAutoscaling:
    enabled: true
    autoProvisioningDefaults:
      oauthScopes:
      - https://www.googleapis.com/auth/logging.write
      - https://www.googleapis.com/auth/monitoring
      # - https://www.googleapis.com/auth/devstorage.read_only
      - https://www.googleapis.com/auth/devstorage.read_write
      serviceAccountRef:
        name: KUBEFLOW-NAME-vm # kpt-set: ${name}-vm
    resourceLimits:
    - resourceType: cpu
      maximum: 128
    - resourceType: memory
      maximum: 2000
    - resourceType: nvidia-tesla-k80
      maximum: 16
  releaseChannel:
    # Per https://github.com/GoogleCloudPlatform/k8s-config-connector/issues/194
    # use upper case for the channels
    channel: STABLE
  # Master version controls the kubernetes API version.
  # Future upgrade of master version might break Kubeflow deployment.
  # At the time of writing, STABLE release channel is using 1.17.
  # knative requires Kubernetes version to be 1.18+. Therefore we set 
  # master version below. We need to make sure reviewing this for future release.
  # Autopilot mode will enforce automatic node upgrade.
  # minMasterVersion: '1.18'
  location: LOCATION # kpt-set: ${location}
  workloadIdentityConfig:
    identityNamespace: PROJECT.svc.id.goog # kpt-set: ${gcloud.core.project}.svc.id.goog
  loggingService: logging.googleapis.com/kubernetes
  monitoringService: monitoring.googleapis.com/kubernetes
  nodeConfig:
    machineType: e2-standard-8
    metadata:
      disable-legacy-endpoints: "true"
    oauthScopes:
    - https://www.googleapis.com/auth/logging.write
    - https://www.googleapis.com/auth/monitoring
      # - https://www.googleapis.com/auth/devstorage.read_only
    - https://www.googleapis.com/auth/devstorage.read_write
    serviceAccountRef:
      name: KUBEFLOW-NAME-vm # kpt-set: ${name}-vm
    workloadMetadataConfig:
      nodeMetadata: GKE_METADATA_SERVER
  1. Adding artifact registry writer permission to "[email protected]" service account
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: KUBEFLOW-NAME-vm-policy-storage # kpt-set: ${name}-vm-policy-storage
spec:
  member: serviceAccount:[email protected] # kpt-set: serviceAccount:${name}-vm@${gcloud.core.project}.iam.gserviceaccount.com
  role: roles/artifactregistry.createOnPushRepoAdmin
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: projects/PROJECT # kpt-set: projects/${gcloud.core.project}
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: KUBEFLOW-NAME-vm-policy-storage # kpt-set: ${name}-vm-policy-storage
spec:
  member: serviceAccount:[email protected] # kpt-set: serviceAccount:${name}-vm@${gcloud.core.project}.iam.gserviceaccount.com
  role: roles/artifactregistry.createOnPushWriter
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: projects/PROJECT # kpt-set: projects/${gcloud.core.project}
@zijianjoy zijianjoy self-assigned this Sep 21, 2023
@chensun chensun added the help wanted Extra attention is needed label Oct 19, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@zijianjoy zijianjoy

Labels
help wanted Extra attention is needed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@chensun @zijianjoy @oguzhanoyan