You are using Container Registry to centrally store your company's container images in a separate project.
In another project, you want to create a Google Kubernetes Engine (GKE) cluster.
You want to ensure that Kubernetes can download images from Container Registry.
What should you do?
Answer: C.
To ensure that Kubernetes can download images from Container Registry, you need to grant appropriate permissions. Let's take a look at each answer option and see which one is the correct one:
A. In the project where the images are stored, grant the Storage Object Viewer IAM role to the service account used by the Kubernetes nodes.
This option is not correct. Granting the Storage Object Viewer IAM role to the service account used by the Kubernetes nodes in the project where the images are stored will only give access to the objects in the storage bucket, but will not allow Kubernetes to download images from Container Registry.
B. When you create the GKE cluster, choose the Allow full access to all Cloud APIs option under 'Access scopes'.
This option is not correct either. Allowing full access to all Cloud APIs is not necessary for Kubernetes to download images from Container Registry. Additionally, it is not recommended to allow full access to all Cloud APIs, as this can create security risks.
C. Create a service account, and give it access to Cloud Storage. Create a P12 key for this service account and use it as an imagePullSecrets in Kubernetes.
This option is the correct one. You need to create a service account with access to Cloud Storage in the project where the images are stored, and then create a P12 key for this service account. You can then use this P12 key as an imagePullSecrets in Kubernetes to allow Kubernetes to download images from Container Registry.
D. Configure the ACLs on each image in Cloud Storage to give read-only access to the default Compute Engine service account.
This option is not correct. Configuring ACLs on each image in Cloud Storage can be time-consuming, and is not necessary to allow Kubernetes to download images from Container Registry.
Therefore, the correct answer is C.