By default, the KubernetesPodOperator expects to pull container images that are hosted publicly. If your images are hosted on the container registry native to your cloud provider, you can grant access to the images directly.
If your container image is hosted in a Google Artifact Registry repository, add a permissions policy to the repository to allow the KubernetesPodOperator to pull the Docker image. You don’t need to create a Kubernetes secret or specify the Kubernetes secret in your dag. Docker images hosted in Google Artifact Registry repositories can be pulled only to Deployments hosted on GCP clusters.
Contact Astronomer support to request the Compute Engine default service account ID for your cluster.
Artifact Registry Reader and select the role that appears.
The following snippet is the minimum configuration you’ll need to create a KubernetesPodOperator task on Astro:
For each instantiation of the KubernetesPodOperator, you must specify the following values:
namespace = conf.get("kubernetes", "NAMESPACE"): Every Deployment runs on its own Kubernetes namespace within a cluster. Information about this namespace can be programmatically imported as long as you set this variable.
image: This is the Docker image that the operator will use to run its defined task, commands, and arguments. Astro assumes that this value is an image tag that’s publicly available on Docker Hub. To pull an image from a private registry, see Pull images from a Private Registry.
in_cluster: If a Connection object is not passed to the KubernetesPodOperator’s kubernetes_conn_id parameter, specify in_cluster=True to run the task in the Deployment’s Astro cluster.
When you configure an instantiation of the KubernetesPodOperator, replace <your-docker-image> with the Google Artifact Registry image URI. To retrieve the URI:
<GCP Region>-docker.pkg.dev/<Project Name>/<Registry Name>/<Image Name>.
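A pre-deployment check for the image value, as an added example that is not part of the original page or Astronomer's code: it parses the Artifact Registry URI format shown above and flags images that come from a project outside an allowlist or that carry no tag or digest. The function names, the project allowlist, and the sample URIs are assumptions constructed for illustration.

```python
import re
from typing import NamedTuple, Optional

# <GCP Region>-docker.pkg.dev/<Project>/<Registry>/<Image>, optionally :tag and/or @digest
_AR_URI = re.compile(
    r"^(?P<region>[a-z0-9-]+)-docker\.pkg\.dev/"
    r"(?P<project>[a-z0-9][a-z0-9-]*)/"
    r"(?P<registry>[a-z0-9][a-z0-9-]*)/"
    r"(?P<image>[a-z0-9]+(?:[._/-][a-z0-9]+)*)"
    r"(?::(?P<tag>[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)

class ArtifactRegistryImage(NamedTuple):
    region: str
    project: str
    registry: str
    image: str
    tag: Optional[str]
    digest: Optional[str]

def parse_image_uri(uri: str) -> ArtifactRegistryImage:
    """Split an Artifact Registry image URI into its parts, or raise ValueError."""
    match = _AR_URI.match(uri)
    if match is None:
        raise ValueError(f"not an Artifact Registry Docker image URI: {uri!r}")
    return ArtifactRegistryImage(**match.groupdict())

def check_image(uri: str, allowed_projects: set) -> list:
    """Return a list of findings; an empty list means the URI passed every check."""
    try:
        parsed = parse_image_uri(uri)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if parsed.project not in allowed_projects:
        findings.append(f"project {parsed.project!r} is not on the allowlist")
    if parsed.tag is None and parsed.digest is None:
        findings.append("no tag or digest given, so the pull resolves to 'latest'")
    return findings

# Constructed sample values, not taken from a real project.
ALLOWED = {"example-data-platform"}
SAMPLES = [
    "us-central1-docker.pkg.dev/example-data-platform/etl-images/transform:1.4.2",
    "us-central1-docker.pkg.dev/other-project/etl-images/transform:1.4.2",
    "us-central1-docker.pkg.dev/example-data-platform/etl-images/transform",
    "docker.io/library/python:3.12",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check_image(sample, ALLOWED) or "ok")
```

Run it in CI against the image strings used in your dags so that a task cannot be pointed at a registry project other than the one the Artifact Registry Reader role was granted on.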