kaniko: Error on pushing image to GCR

Actual behavior Getting an error on kaniko with GCR after latest update (version 28a6bdce78a5f5cb09cc4cc650595721554eef6b-debug 1.7.0-debug)

Expected behavior image a0c96b4edcaeee437243484f5880833518d06551-debug is OK (ver 1.6.0-debug)

To Reproduce printf $REGISTRY_ACCESSKEY > ${CI_PROJECT_DIR}/gcr.json /kaniko/executor --context $CI_PROJECT_DIR --dockerfile ./Dockerfile --destination ${IMAGE}

Additional Information

Error: error checking push permissions – make sure you entered the correct tag name, and that you are authenticated correctly, and try again: checking push permission for “eu.gcr.io/******/****************:”: creating push check transport for eu.gcr.io failed: GET https://eu.gcr.io/v2/token?scope=repository%3A***********%2F*****%3Apush%2Cpull&service=eu.gcr.io: UNAUTHORIZED: Not Authorized.
Kaniko Image 28a6bdce78a5f5cb09cc4cc650595721554eef6b-debug 1.7.0-debug

Triage Notes for the Maintainers

Description	Yes/No
Please check if this a new feature you are proposing	- [ ]
Please check if the build works in docker but not in kaniko	- [ ]
Please check if this error is seen when you use `--cache` flag	- [ ]
Please check if your dockerfile is a multistage dockerfile	- [ ]

About this issue

Original URL
State: closed
Created 3 years ago
Reactions: 66
Comments: 30 (1 by maintainers)

Commits related to this issue

Workaround for kaniko v1.7.0 issue https://github.com/GoogleContainerTools/kaniko/issues/1791 pushing images to gcr — committed to GlobalFishingWatch/frontend by rdgfuentes 3 years ago
Revert "Use old kaniko executor for now." This reverts commit 45c2dd53a048b45cc54d11264088d29721f6bb86. I believe the latest is now pointing back to 1.6 until the proper fix is landed. https://gith... — committed to dancerj/gitlstreefs by dancerj 3 years ago

Most upvoted comments

Same here. Using v1.6.0 instead of latest solved the problem for me

dhpollack on Oct 20, 2021

Same issue here 😕 Workaround worked thanks PS : lost several hours checking and checking the roles on my service account ^^

Foxinou35 on Oct 20, 2021

Same, downgraded to 1.6.0 - fixed issue for me =(

Keramblock on Oct 20, 2021

Thanks fix is the way! https://github.com/GoogleContainerTools/kaniko/pull/1794

tejal29 on Oct 20, 2021

@corveen and anyone who’s struggling with this regression that’s been introduced and left unsolved 3 days ago (yes, unbelievable) along with another regression in gcloud CLI preventing AppEngine deploys that has been introduced on the same day in SDK 361.0.0 and has not been addressed to this day either, here’s what we did:

Add cloudbuild.yml (see below) to the root of your project

# cloudbuild.yml

steps:
  # TODO: revert to :latest tag once the following issue is closed:
  # https://github.com/GoogleContainerTools/kaniko/issues/1786
  - name: 'gcr.io/kaniko-project/executor:v1.6.0'
    id: 'Build and push container image'
    args:
      [
        '--destination=${_IMAGE}',
        '--cache=true',
        '--cache-ttl=6h'
      ]

timeout: 1800s

Rewrite your deployment script as follows:

IMAGE=us.gcr.io/your-project-id/your-image:your-tag
- gcloud builds submit --tag $IMAGE
+ gcloud builds submit --substitutions _IMAGE=$IMAGE

Pin gcloud SDK to the version 360.0.0 for the time being

This is the equivalent of using gcloud builds submit --tag and gives you full control over the version of Kaniko and other parameters.

Relevant documentation that helped us solve this issue:

https://cloud.google.com/build/docs/configuring-builds/substitute-variable-values

mareksuscak on Oct 26, 2021

I can’t reproduce this issue anymore. We are using v1.9.2 (and testing v1.12), no issue so far.

In our case, this was a configuration issue. We are using GCR auth via workload identity. Till v1.6 we had to provide a Docker config file (/kaniko/.docker/config.json), like this one:

{
  "credHelpers": {
    "eu.gcr.io": "gcr",
    "gcr.io": "gcr"
  }
}

Since at least v1.8 (maybe even v1.7) you don’t need, actually you cannot have this Docker config file anymore. If this file is present, Kaniko v1.8 or newer fails with an auth error as reported in this issue. And vice versa, v1.6 does not work without the config file above.

If you are using the newest version of Kaniko with GCR and workload identities, omit the Docker config file. Keeping an empty one {} also works.

hudac on Jul 15, 2023

Also tested v1.8.0 and v1.8.1, same issue. Reverted back to v1.6.0, now it works 😕

hudac on Apr 29, 2022

Same issue here, using Kaniko for test environments, all build pipelines were broken. Temporarily fixed with rollback to version 1.6.0.

jmuleiro on Oct 21, 2021

Still an issue when using 1.9.1. Used @nicolas-goudry’s suggestion which works.

https://github.com/GoogleContainerTools/kaniko/issues/1791#issuecomment-948393053

Same issue here. A workaround to use 1.7.0 with GCR using a service account is to use the .docker/config.json method providing following credentials:
$ mkdir -p /kaniko/.docker
$ echo "{\"auths\":{\"gcr.io\":{\"auth\":\"$(echo -n _json_key:$(cat service-account-key.json) | base64 | tr -d "\n")\"}}}" > /kaniko/.docker/config.json

kdaghay on Mar 7, 2023

Same issue here. A workaround to use 1.7.0 with GCR using a service account is to use the .docker/config.json method providing following credentials:

$ mkdir -p /kaniko/.docker
$ echo "{\"auths\":{\"gcr.io\":{\"auth\":\"$(echo -n _json_key:$(cat service-account-key.json) | base64 | tr -d "\n")\"}}}" > /kaniko/.docker/config.json

nicolas-goudry on Oct 21, 2021

Having this issue too. Had to tie down the version v1.6.0

Billcountry on Oct 20, 2021