IBM Cloud Docs
Why can't the cluster pull images from IBM Cloud Container Registry during creation?

Virtual Private Cloud, Classic infrastructure

When you created a cluster, you received an error message similar to the following.

Your cluster can't pull images from the 'icr.io' domains because an IAM access policy could not be created. Make sure that you have the IAM Administrator platform access role to. Then, create an image pull secret with IAM credentials to the registry by running 'ibmcloud ks cluster pull-secret apply'.

During cluster creation, a service ID is created for your cluster and assigned the Reader service access policy to IBM Cloud Container Registry.

Then, an API key for this service ID is generated and stored in an image pull secret to authorize the cluster to pull images from IBM Cloud Container Registry.

To successfully assign the Reader service access policy to the service ID during cluster creation, you must have the Administrator platform access policy to IBM Cloud Container Registry.

Steps:

  1. Make sure that the account owner gives you the Administrator role to IBM Cloud Container Registry.
    ibmcloud iam user-policy-create <your_user_email> --service-name container-registry --roles Administrator
    
  2. Use the ibmcloud oc cluster pull-secret apply command to re-create an image pull secret with the appropriate registry credentials.
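To confirm that the re-created secret actually carries registry credentials, the following added example (not part of IBM's documentation) audits the JSON of an image pull secret as printed by `kubectl get secret <secret_name> -o json`. It assumes the IAM API key is stored under the `iamapikey` user name used for API key logins to IBM Cloud Container Registry; the function names and the sample secret are constructed for illustration.

```python
import base64
import json


def audit_pull_secret(secret_json: str) -> dict:
    """Report which icr.io registries a dockerconfigjson secret covers.

    The API key itself is never returned or printed.
    """
    secret = json.loads(secret_json)
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        raise ValueError("not a kubernetes.io/dockerconfigjson secret")
    raw = base64.b64decode(secret["data"][".dockerconfigjson"])
    auths = json.loads(raw).get("auths", {})
    report = {"icr_registries": [], "problems": []}
    for registry, entry in sorted(auths.items()):
        host = registry.split("://")[-1].split("/")[0]
        if host != "icr.io" and not host.endswith(".icr.io"):
            continue  # only the 'icr.io' domains matter for this check
        report["icr_registries"].append(host)
        user, password = entry.get("username"), entry.get("password")
        if "auth" in entry and not (user and password):
            # Fall back to the combined base64 "user:password" field.
            decoded = base64.b64decode(entry["auth"]).decode()
            user, _, password = decoded.partition(":")
        if user != "iamapikey":  # assumption: API key login user name
            report["problems"].append(f"{host}: username is not 'iamapikey'")
        if not password:
            report["problems"].append(f"{host}: empty API key")
    if not report["icr_registries"]:
        report["problems"].append("no icr.io registry entries found")
    return report


def sample_secret(auths: dict) -> str:
    """Build a constructed secret document for offline testing."""
    cfg = base64.b64encode(json.dumps({"auths": auths}).encode()).decode()
    return json.dumps({"type": "kubernetes.io/dockerconfigjson",
                       "data": {".dockerconfigjson": cfg}})


if __name__ == "__main__":
    # Constructed sample: placeholder key, not a real credential.
    demo = sample_secret({
        "icr.io": {"username": "iamapikey", "password": "PLACEHOLDER_KEY"},
        "us.icr.io": {"username": "iamapikey", "password": "PLACEHOLDER_KEY"},
    })
    print(audit_pull_secret(demo))
```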