A company deploys a microservice on Google Kubernetes Engine (GKE) with a Cloud Deploy delivery pipeline. The application uses a custom container image stored in Artifact Registry. After a successful deployment to a staging cluster, the production deployment fails with 'ImagePullErr: image not found'. The staging and production clusters are in different projects. What is the most likely cause?
Cross-project image pulling requires appropriate IAM on the registry.
Why this answer
Option C is correct because the production cluster's node pool, which runs in a different project, does not have the necessary permissions to pull the custom container image from Artifact Registry in the staging project. By default, GKE node pools use the Compute Engine default service account, which only has access to images in the same project. To pull images across projects, the node pool's service account must be granted the Artifact Registry Reader role (roles/artifactregistry.reader) on the repository in the staging project.
Exam trap
Cisco often tests the misconception that Cloud Deploy handles cross-project image access automatically, when in reality the node pool's service account must be explicitly granted permissions on the Artifact Registry repository in the source project.
How to eliminate wrong answers
Option A is wrong because the Cloud Deploy service account does not need permission to create pods; Cloud Deploy creates a release and rollout, which triggers a Kubernetes manifest apply via the GKE cluster's credentials, not by directly creating pods. Option B is wrong because Cloud Deploy does not have a configuration to switch between Artifact Registry and Container Registry; it references the image path as specified in the manifest, and if the path uses Artifact Registry, it will use it regardless of Cloud Deploy settings. Option D is wrong because the question states the same application is deployed, and a different tag would cause a different error (e.g., 'ErrImagePull' for a non-existent tag) or a successful deployment with a different version, not 'ImagePullErr: image not found' which indicates the image location is inaccessible.