GCR permissions issue on GKE codelab

[mjamaloney]

On page 6 Deploy container to GKE

My pod is not reaching the 'READY' state:

$ kubectl get pod
NAME                      READY   STATUS             RESTARTS   AGE
monolith-d986d5f5-s7rqg   0/1     ImagePullBackOff   0          23m

When diving deeper I see that the GKE instance I created doesn't seem to have permissions to pull the image I created in the previous steps:

$ kubectl describe pod/monolith-d986d5f5-s7rqg
...
Events:
  Type     Reason     Age                  From               Message
  ----     ------     ----                 ----               -------
  Normal   Scheduled  25m                  default-scheduler  Successfully assigned default/monolith-d986d5f5-s7rqg to gke-fancy-cluster-default-pool-69633fd6-dnh1
  Normal   Pulling    24m (x4 over 25m)    kubelet            Pulling image "gcr.io/maloney-scratch/monolith:1.0.0"
  Warning  Failed     24m (x4 over 25m)    kubelet            Failed to pull image "gcr.io/maloney-scratch/monolith:1.0.0": rpc error: code = Unknown desc = failed to pull and unpack image "gcr.io/maloney-scratch/monolith:1.0.0": failed to resolve reference "gcr.io/maloney-scratch/monolith:1.0.0": pulling from host gcr.io failed with status code [manifests 1.0.0]: 403 Forbidden
  Warning  Failed     24m (x4 over 25m)    kubelet            Error: ErrImagePull
  Warning  Failed     23m (x6 over 25m)    kubelet            Error: ImagePullBackOff
  Normal   BackOff    21s (x111 over 25m)  kubelet            Back-off pulling image "gcr.io/maloney-scratch/monolith:1.0.0"
```

I had to give "Storage Object Viewer" permissions to the "Compute Engine default service account" on the 'artifacts.$PROJECT_ID.appspot.com' bucket before it would work.