Kaniko fails to pull from GCR in Gitlab #3328
Comments
|
When running as a gitlab job, kaniko automatically sets authentication for you based on the predefined variables:
If you need different credentials either inside gitlab or with other registries, you must manually set these credentials. ie: build:
variables:
DOCKER_CONFIG_JSON: |
{
"auths":{
"$MY_REGISTRY":{
"auth":"$MY_AUTH"
}
}
}
before_script:
- echo $DOCKER_CONFIG_JSON > /kaniko/.docker/config.jsonThat's the downside of doing things implicitly, it works out of the box until it doesn't, and then everybody gets confused. |
|
It looks like the OP is trying to fetch This is a duplicate of #1984 |
|
Indeed! Sorry for not reading carefully enough. For me however, this only happens on gitlab.com with runners from gitlab.com (docker). on our self-hosted gitlab + self-hosted runners (k8s) this is not reproducible. I experimented a bit around and found this workaround: build:
stage: build
image:
name: gcr.io/kaniko-project/executor:v1.23.2-debug
entrypoint: [""]
variables:
FF_NETWORK_PER_BUILD: true
script:
- /kaniko/executor
--context "${CI_PROJECT_DIR}"
--dockerfile "${CI_PROJECT_DIR}/Dockerfile"
--destination "${CI_REGISTRY_IMAGE}:${CI_COMMIT_TAG}"but I have not yet understood why. |
|
As the other thread mentioned this works with 1.7.0 and fails starting from 1.8.0. good opportunity for some good old git bisect action. at first glance this is a bit suspicious 09e70e4 when I short-circuit the resolve function it indeed no longer fails func resolve(ctx context.Context) authn.Authenticator {
return authn.Anonymous
} |
|
Looks like when the registry is We ended up fixing this by setting |
|
sorry for not posting yesterday already. I was contacting gitlab to make sure it is ok for me to write this message publicly, but now that the cat is out of the bag I must say it's quite hilarious. kaniko does what it is supposed to do perfectly well in this case 😄. Luckily the access token it receives can't be used for much, ie. downloading images doesn't work 🤣. I tried to write the issue report into their logging system but got stuck because I couldn't guess their logstream name 🤣. |
|
I think we can still improve the situation out of the box for users. The fundamental problem is that if authentication works and a token is received it is of course used, but if the permissions on the token don't allow image pulling we simply give up. we never try to run without token as a fallback. Even better, when we first request the token we should already set the correct scope, then it should be denied and everything should work as expected. |
|
I agree the situation can be improved. Currently the list of credential sources is hardcoded. Could that be a flag instead so it could be customized if you don't need specific ones, like Google, for example? |
|
At the moment, what is the best recommended workaround for this? It should probably be added to the other bug and added to the documentation on gitlab while this continues. Using the public GCR would likely be a very common application case. |
|
Good morning, I did not yet receive an explicit ok from gitlab, but so far they said they are not concerned, so I think you're right it's due time to inform the other channel. I think @jameshartig's solution is the neatest so far as adding the feature flag impacts a lot more than just this bug, at least it also takes way longer to start a runner on their side (hence no default).
in fear of repeating myself:
But I think even though the change would be easy it would be very difficult to get it in as it breaks both the user interface and philosophy. |
|
I would agree that implicit is a bad idea. A good documentation that explains how this happens would be the preferred choice from my perspective. Otherwise, when you start trying to understand how it does something you end up with a question. So how does that even work? The behaviour becomes counterintuitive. |
|
I think the default could be what is hardcoded now to not make it more complicated for anyone who is fine with the current keychain. Something like |
and others
Actual behavior
In gitlab, kaniko obtains the manifest of an image, but fails to obtain the image from GCR.
Expected behavior
In gitlab, kaniko obtains the image from GCR.
To Reproduce
Steps to reproduce the behavior:
FROM gcr.io/distroless/java17-debian12:nonrootAdditional Information
Please provide either the Dockerfile you're trying to build or one that can reproduce this error.
Please provide or clearly describe any files needed to build the Dockerfile (ADD/COPY commands)
Triage Notes for the Maintainers
--cacheflagThe text was updated successfully, but these errors were encountered: