kaniko in-cluster build: pulling kaniko images from private registry w/ image pull secret #9170

Closed
dherges opened this issue Nov 10, 2023 · 2 comments · Fixed by #9665
dherges commented Nov 10, 2023

Expected behavior

Pull the kaniko image and initImage from a private registry with pull secret credentials

The private registry requires an imagePullSecret for the kaniko pod spec

The dockerConfig.secretName and pullSecretName are only mounted inside the kaniko pod, if I understand correctly. The use case described by me would require a pull secret for the kaniko images themselves.

For my personal use case, it would solve the issue if the cluster.pullSecretName was also added to the kaniko PodSpec:

	// Add secret for pull secret
	if b.ClusterDetails.PullSecretName != "" {
		addSecretVolume(pod, kaniko.DefaultSecretName, b.ClusterDetails.PullSecretMountPath, b.ClusterDetails.PullSecretName)

		pod.Spec.ImagePullSecrets = []v1.LocalObjectReference{{
			Name: b.ClusterDetails.PullSecretName,
		}}
	}

Could that be added as a general option? What do you think?

Actual behavior

Failed to pull image "private.registry.com/k8s-skaffold/skaffold-helpers/busybox": rpc error: code = Unknown desc = failed to pull and unpack image "private.registry.com/k8s-skaffold/skaffold-helpers/busybox": failed to resolve reference "private.registry.com/k8s-skaffold/skaffold-helpers/busybox": failed to authorize: failed to fetch anonymous token: unexpected status: 401

Information

  • Skaffold version: v2.8.0
  • Operating system: Windows 7
  • Installed via: skaffold.dev standalone executable
  • Contents of skaffold.yaml:
build:
  artifacts:
    - image: private.registry.com/myapp
      kaniko: 
        initImage: private.registry.com/k8s-skaffold/skaffold-helpers/busybox
        image: private.registry.com/kaniko-project/executor
  cluster:
    dockerConfig:
      secretName: private-registry-push
    pullSecretName: private-registry-pull

Steps to reproduce the behavior

  1. a private container registry at private.registry.com that requires token authentication for pulling images
  2. skaffold build
time="2023-11-10T10:35:02+01:00" level=info msg="Waiting for kaniko-m8x5s to be initialized" subtask=private.registry.com/myapp task=Build copying sources: waiting for pod to initialize: context deadline exceeded

dherges commented Nov 10, 2023

I let ChatGPT try very hard, here's what it had to say...
chat.txt

dherges commented Dec 23, 2024

There is one solution to the issue that the current version of skaffold already supports:

Create a service account in the Kubernetes cluster and reference the image-pull-secret:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: skaffold
imagePullSecrets:
- name: my-image-pull-secret

as explained here in the k8s docs: Pull an Image from a Private Registry

In skaffold.yaml, let the service account create the kaniko pod:

apiVersion: skaffold/v4beta11
kind: Config
build:
  cluster:
    serviceAccount: skaffold

That service account should do it!
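
The following is an added example, not part of the comments above and not skaffold's own code. It models why the kaniko pod in this issue gets a 401 and why the service account workaround resolves it: when a pod spec lists no imagePullSecrets, the ServiceAccount's list is applied to it. Assumptions: the function names are hypothetical, the secret content is constructed, and registry matching is simplified to an exact host comparison (the kubelet's own matching is richer).

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// registryOf returns the registry host of an image reference (docker.io if none is given).
func registryOf(image string) string {
	host, _, found := strings.Cut(image, "/")
	if found && (strings.ContainsAny(host, ".:") || host == "localhost") {
		return host
	}
	return "docker.io"
}

// uncoveredImages lists the images the pod has no registry credentials for; configs maps
// a pull secret name to its decoded .dockerconfigjson (podSecrets/saSecrets hold names).
func uncoveredImages(images, podSecrets, saSecrets []string, configs map[string]string) []string {
	if len(podSecrets) == 0 { // pod names none: the ServiceAccount's list is applied
		podSecrets = saSecrets
	}
	covered := map[string]bool{}
	for _, name := range podSecrets {
		var cfg struct{ Auths map[string]json.RawMessage }
		_ = json.Unmarshal([]byte(configs[name]), &cfg) // missing or malformed: no auths
		for key := range cfg.Auths {
			key = strings.TrimPrefix(strings.TrimPrefix(key, "https://"), "http://")
			host, _, _ := strings.Cut(key, "/")
			covered[host] = true
		}
	}
	var missing []string
	for _, img := range images {
		if !covered[registryOf(img)] {
			missing = append(missing, img)
		}
	}
	return missing
}

func main() { // image names are from the issue's skaffold.yaml; the secret body is constructed
	images := []string{"private.registry.com/k8s-skaffold/skaffold-helpers/busybox",
		"private.registry.com/kaniko-project/executor"}
	configs := map[string]string{"my-image-pull-secret": `{"auths":{"https://private.registry.com":{"auth":"<constructed>"}}}`}
	fmt.Println(uncoveredImages(images, nil, nil, configs))                              // pod as reported
	fmt.Println(uncoveredImages(images, nil, []string{"my-image-pull-secret"}, configs)) // via the ServiceAccount
}
```

Run against the real pod and service account names, a non-empty result points at the images that will fail to pull before the kaniko pod is ever scheduled.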
