error checking push permissions for openshift internal image registry

Open sbhosle-tibco opened this issue 1 year ago • 4 comments

Actual behavior

We are unable to push the images to the OpenShift internal image registry using a Tekton task. We see the error below:

error checking push permissions -- make sure you entered the correct tag name, and that you are authenticated correctly, and try again: checking push permission for "image-registry.openshift-image-registry.svc:5000/streamingweb/tools:latest": POST https://image-registry.openshift-image-registry.svc:5000/v2/streamingweb/tools/blobs/uploads/: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:streamingweb/tools Type:repository] map[Action:push Class: Name:streamingweb/tools Type:repository]]

We are using a ServiceAccount called operator-admin with cluster-admin as ClusterRole reference. The ServiceAccount operator-admin is bound to the secret operator-admin-dockercfg-6jjjs, something like this:

secrets:
  - name: operator-admin-dockercfg-6jjjs
imagePullSecrets:
  - name: operator-admin-dockercfg-6jjjs

Expected behavior

Using kaniko we should have been able to push the image to the OpenShift internal registry.

To Reproduce

Steps to reproduce the behavior:

  1. Create a namespace
  2. Create a ServiceAccount with cluster-admin ClusterRole reference
  3. Create a Tekton task to push an image to the OpenShift internal registry using Kaniko.

Additional Information

  • Kaniko Image (fully qualified with digest) gcr.io/kaniko-project/executor:v1.9.1

Triage Notes for the Maintainers

Description | Yes/No
Please check if this is a new feature you are proposing | No
Please check if the build works in docker but not in kaniko | Yes

sbhosle-tibco, Jan 08 '24 09:01

I have checked the code for this specific issue; it seems that we have a regression in a dependency of this project.

If credentials are put with "auth" in your .docker/config.json it fails to build, but it works properly with the "username" and "password" fields.

alexises, Feb 02 '24 10:02

We have the same issue with GitHub container registry ghcr.io (also using .docker/config.json) and with a locally-hosted Harbor (same config). So it's not necessarily peculiar to OpenShift.

scottdcarson-omb, Feb 08 '24 19:02

I'm also seeing this issue with GHCR. Removing the auth field and leaving only username and password did not work for me; I still get the same error.

Edit: It turns out that if I set the environment variable DOCKER_CONFIG=/kaniko/.docker then a config.json containing only the auth key works.

Edit2: Actually it works if the config.json file contains username and password too.

matheuscscp, Mar 02 '24 15:03

Can't make it work... in my case it just works with version 1.7.0 and earlier.

Edit: setting DOCKER_CONFIG=/root/.docker did the trick... I'm using a GitLab Kubernetes executor.

atorrembo, Jul 17 '24 20:07
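
The comments above turn on two things: which directory DOCKER_CONFIG points at, and whether the registry entry in config.json carries "auth", "username"/"password", or both. The following pre-flight check is an added example, not code from this thread or from kaniko; it reports both without echoing any secret. The function names, the sample config and the rule of matching auths keys by hostname are assumptions made for illustration.

```python
import base64, json, os
from pathlib import Path

def config_path(env=os.environ):
    """Docker-style lookup: $DOCKER_CONFIG/config.json, else $HOME/.docker/config.json."""
    base = env.get("DOCKER_CONFIG") or os.path.join(env.get("HOME", "/root"), ".docker")
    return Path(base) / "config.json"

def hostname(key):
    """Reduce an auths key such as 'https://ghcr.io/v2/' to 'ghcr.io' (assumed matching rule)."""
    return key.split("://", 1)[-1].split("/", 1)[0]

def inspect_entry(config, registry):
    """Report which credential forms exist for `registry`; never returns the secret itself."""
    report = {"registry": registry, "forms": [], "problems": []}
    auths = config.get("auths", {})
    entry = next((v for k, v in auths.items() if hostname(k) == registry), None)
    if entry is None:
        report["problems"].append(f"no auths entry; keys present: {sorted(auths)}")
        return report
    if entry.get("username") and entry.get("password"):
        report["forms"].append("username+password")
    if "auth" in entry:
        try:
            user, sep, pw = base64.b64decode(entry["auth"], validate=True).decode().partition(":")
        except (ValueError, TypeError):  # bad base64, bad UTF-8, or a non-string value
            user = sep = pw = ""
        if not (user and sep and pw):
            report["problems"].append("auth does not decode to user:password")
        else:
            report["forms"].append("auth")
            if entry.get("username", user) != user or entry.get("password", pw) != pw:
                report["problems"].append("auth disagrees with username/password")
    if not report["forms"]:
        report["problems"].append("entry holds no usable credential")
    return report

# Constructed sample: one registry with only "auth", one with both forms.
SAMPLE = {"auths": {
    "ghcr.io": {"auth": base64.b64encode(b"ci-bot:example-token").decode()},
    "https://image-registry.openshift-image-registry.svc:5000": {
        "username": "sa", "password": "example-token",
        "auth": base64.b64encode(b"sa:example-token").decode()},
}}
if __name__ == "__main__":
    path = config_path()
    cfg = json.loads(path.read_text()) if path.exists() else SAMPLE
    for reg in ("ghcr.io", "image-registry.openshift-image-registry.svc:5000"):
        print(path, inspect_entry(cfg, reg))
```

Run it in the same container and as the same user as the build step, so that DOCKER_CONFIG and HOME resolve the way the executor sees them.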