If you have multiple Google Cloud Projects and want to pull Container Registry images from other projects, you will need to grant each project access by adding a role to the a few service accounts specific to each Project.
- For Kubernetes Engine or Compute Engine you will need to add the role to the Compute Engine default service account
- For Cloud Build you will need to add the role to the Cloud Build service account
Container Registry has no permissions of it’s own, but actually relies on permissions to the Cloud Storage bucket that is created automatically for it when you first push an image.
Confusingly this requires the use of the Project ID as opposed to the Project Name.