Tags: google-kubernetes-engine, google-container-registry

Pull Docker image in GCR from GKE with custom service account


On the Google Cloud Platform I have two projects, project-a and project-b.

In project-a I have a Google Container Registry (GCR), and in project-b I have a private Google Kubernetes Engine (GKE) cluster (with Cloud NAT and Private Google Access). In project-b I also have a custom service account that is used by the GKE cluster; I configured it on creation of the cluster instead of the default compute service account, and therefore I also did not need to configure access scopes.

To be able to pull images from GCR in project-a, I granted the custom service account "Storage Object Viewer" permissions on the corresponding GCS bucket in project-a, according to the documentation.

However, I keep getting the error that GKE is unable to pull the image. The permissions on the bucket seem fine though: if I generate a key file for the custom service account, create a kubernetes.io/dockerconfigjson secret from it and use that secret as imagePullSecrets, then the node is able to pull the image.

My assumption was that creating this secret is not needed since the GKE-node uses the custom service account already. What is going wrong here?


Solution

  • I found the solution: it appeared I still had to configure access scopes (storage-read), even when I was using a custom service account. My assumption had been that when one uses a custom service account for the node pool, access scopes do not have to be configured, and that just granting the custom SA Storage Object Viewer permissions on the GCR bucket would be sufficient.
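The two-layer check behind the answer above is that a node's token can only reach Cloud Storage if both the OAuth access scope on the node pool (the ceiling on what the token may be used for) and the IAM grant on the GCR bucket (the actual permission) allow it. The script below is an added example, not code from the original question or answer: it recreates the node pool with the custom service account and the `storage-ro` scope, grants the service account `objectViewer` on the registry bucket in project-a, and verifies the configured scopes. The cluster name, node pool name and service account e-mail are assumed placeholders; the GCR bucket naming (`artifacts.<project>.appspot.com` for `gcr.io`) is Google's documented convention.

```shell
#!/usr/bin/env sh
# Added example (not from the original post). Assumed placeholder values:
# project-a hosts GCR, project-b hosts the GKE cluster and the custom node SA.
REGISTRY_PROJECT="project-a"
CLUSTER_PROJECT="project-b"
CLUSTER="my-cluster"            # assumed cluster name
NODE_POOL="my-pool"             # assumed node pool name
NODE_SA="gke-nodes@${CLUSTER_PROJECT}.iam.gserviceaccount.com"   # assumed custom SA
# gcr.io images are stored in this bucket; regional registries use
# e.g. eu.artifacts.<project>.appspot.com instead.
GCR_BUCKET="gs://artifacts.${REGISTRY_PROJECT}.appspot.com"

# Scopes under which a node token may talk to Cloud Storage at all.
STORAGE_RO_SCOPE="https://www.googleapis.com/auth/devstorage.read_only"
CLOUD_PLATFORM_SCOPE="https://www.googleapis.com/auth/cloud-platform"

# has_gcs_read_scope SCOPES: returns 0 when the space-separated scope list
# permits reading GCS objects, i.e. the narrow storage-ro scope, a wider
# storage scope, or the catch-all cloud-platform scope is present.
has_gcs_read_scope() {
  for scope in $1; do
    case "$scope" in
      "$STORAGE_RO_SCOPE"|"$CLOUD_PLATFORM_SCOPE") return 0 ;;
      https://www.googleapis.com/auth/devstorage.read_write) return 0 ;;
      https://www.googleapis.com/auth/devstorage.full_control) return 0 ;;
    esac
  done
  return 1
}

# Step 1: create the node pool with BOTH the custom SA and the storage-ro
# scope. gke-default adds the logging/monitoring scopes the node agents need;
# storage-ro is the scope the solution above says was missing.
create_node_pool() {
  gcloud container node-pools create "$NODE_POOL" \
    --project="$CLUSTER_PROJECT" \
    --cluster="$CLUSTER" \
    --service-account="$NODE_SA" \
    --scopes=gke-default,storage-ro
}

# Step 2: grant the node SA read access to the registry bucket in project-a
# (Storage Object Viewer, the least privilege needed to pull layers).
grant_bucket_read() {
  gsutil iam ch "serviceAccount:${NODE_SA}:objectViewer" "$GCR_BUCKET"
}

# Step 3: read back the pool's scopes; gcloud's value() joins lists with ';'.
check_node_pool_scopes() {
  scopes=$(gcloud container node-pools describe "$NODE_POOL" \
    --project="$CLUSTER_PROJECT" --cluster="$CLUSTER" \
    --format='value(config.oauthScopes)' | tr ';' ' ')
  if has_gcs_read_scope "$scopes"; then
    echo "node pool $NODE_POOL has a GCS read scope; pulls from GCR can succeed"
  else
    echo "node pool $NODE_POOL has no GCS read scope; pulls from GCR will fail regardless of IAM" >&2
    return 1
  fi
}

# Only touch the real project when explicitly asked, so the file can be
# sourced or tested offline:  sh gke-gcr-pull.sh apply
if [ "${1:-}" = "apply" ]; then
  create_node_pool && grant_bucket_read && check_node_pool_scopes
fi
```

Once the scope and the bucket role are both in place, the `imagePullSecrets` workaround from the question (a long-lived service account key stored in a Secret) is no longer needed and is better removed, since the node's own short-lived token now carries the required access. Prefer `storage-ro` over `cloud-platform` here: the scope only has to be wide enough to cover the IAM roles the node service account actually holds.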