Pod deployment in a vSphere kubernetes cluster fails when configured with a custom service account

Article ID: 336305

Products

VMware vCenter Server

Issue/Introduction

Symptoms:
  • Pod deployment in a vSphere Kubernetes cluster may fail with an image pull error.
  • When deploying a pod in a vSphere Kubernetes cluster, you see an image pull error message similar to: "insufficient_scope: authorization failed".
  • You encounter this issue if the pod is configured with a custom service account and uses a container image from a project on the cluster's embedded Harbor registry.


Environment

VMware vCenter Server 7.0.x

Resolution

This is expected behavior. Perform the following steps to avoid this issue.

1. Run this command to find the name of the default image pull secret for the project on the embedded Harbor registry that the image comes from.
Note: The project name is the same as the namespace name on the vSphere Kubernetes cluster.

kubectl get secret -n <namespace> | grep default-image-pull-secret

2. Run this command to edit the service account that the pod is configured with by adding the above default image pull secret to the service account.

imagePullSecrets:
- name: <secret-name-with-default-image-pull-secret>


3. Deploy the pod. Now the image pull from the embedded Harbor project should succeed.
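
The steps above as a non-interactive script. This is an added example, not part of the original article: the function names are hypothetical, and it uses `kubectl patch` with a JSON patch instead of an interactive edit, so that pull secrets already attached to the service account are kept.

```shell
#!/bin/sh
# Added example: attach the namespace's default image pull secret to a custom
# service account. All function names here are hypothetical.

# Read `kubectl get secret` output on stdin and print the first secret name
# containing "default-image-pull-secret" (same match as the grep in step 1).
pick_pull_secret() {
    awk '$1 ~ /default-image-pull-secret/ { print $1; exit }'
}

# Build a JSON patch. $1 = space-separated names already listed under
# imagePullSecrets (may be empty), $2 = secret to add. Prints nothing if present.
build_sa_patch() {
    for existing in $1; do
        if [ "$existing" = "$2" ]; then return 0; fi
    done
    if [ -z "$1" ]; then
        # No imagePullSecrets field yet: create the list.
        printf '[{"op":"add","path":"/imagePullSecrets","value":[{"name":"%s"}]}]\n' "$2"
    else
        # Append to the existing list rather than replacing it.
        printf '[{"op":"add","path":"/imagePullSecrets/-","value":{"name":"%s"}}]\n' "$2"
    fi
}

# Usage: attach_pull_secret <namespace> <service-account>
attach_pull_secret() {
    ns=$1; sa=$2
    secret=$(kubectl get secret -n "$ns" | pick_pull_secret)
    if [ -z "$secret" ]; then
        echo "no default-image-pull-secret found in namespace $ns" >&2
        return 1
    fi
    current=$(kubectl get serviceaccount "$sa" -n "$ns" \
        -o jsonpath='{.imagePullSecrets[*].name}') || return 1
    patch=$(build_sa_patch "$current" "$secret")
    if [ -z "$patch" ]; then
        echo "$sa already references $secret"
        return 0
    fi
    kubectl patch serviceaccount "$sa" -n "$ns" --type=json -p "$patch"
}
```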