If you have multiple Google Cloud Projects and want to pull Container Registry images from other projects, you will need to grant each project access by adding a role to the a few service accounts specific to each Project.

Container Registry has no permissions of it’s own, but actually relies on permissions to the Cloud Storage bucket that is created automatically for it when you first push an image.

Confusingly this requires the use of the Project ID as opposed to the Project Name.