Knative image build and push fails with access denied

7/2/2019

I'm trying to build and push a Docker image with Knative. I have a Maven Java application and a multi-stage Dockerfile that builds and runs the application:

WORKDIR /usr/app

COPY pom.xml ./
COPY src/ ./src/
RUN mvn package


FROM openjdk:8-jdk-alpine

WORKDIR /usr/app

ENV PORT 8080

COPY --from=build /usr/app/target/*.jar ./app.jar

CMD ["java", "-jar", "/usr/app/app.jar"]

I want to build and push the application to the gcr repository. So I have a ServiceAccount and a Build:

apiVersion: v1
data:
  password: ENCODED_PASS
  username: ENCODED_USERNAME
kind: Secret
metadata:
  annotations:
    build.knative.dev/docker-0: https://gcr.io
  name: knative-build-auth
  namespace: default
  resourceVersion: "3001"
  selfLink: /api/v1/namespaces/default/secrets/knative-build-auth
type: kubernetes.io/basic-auth
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: knative-build
secrets:
  - name: knative-build-auth
---
apiVersion: build.knative.dev/v1alpha1
kind: Build
metadata:
  name: example-build
spec:
  serviceAccountName: knative-build
  source:
    git:
      url: https://github.com/pathtorepo.git
      revision: master
  steps:
    - name: build-and-push
      image: gcr.io/kaniko-project/executor:v0.1.0
      args:
        - --dockerfile=/workspace/Dockerfile
        - --destination=gcr.io/$projectid/my-build

I tried to use kaniko-project for this. However, there are some problems with using it. Version 0.1.0 works with a simple Dockerfile:

FROM ubuntu

CMD ["/bin/sh", "-c", "echo Hiiiiiii"]

But it does not support multi-stage Dockerfiles and fails with the access denied error. Any other version of kaniko does not work and fails. In the logs for version 0.1.0 of the multi-stage build I can see the following error:

2019/07/02 14:43:13 No matching credentials found for index.docker.io, falling back on anonymous
time="2019-07-02T14:43:15Z" level=info msg="saving dependencies []"
time="2019-07-02T14:43:15Z" level=error msg="copy failed: no source files specified"

and the status of the build:

  conditions:
  - lastTransitionTime: "2019-07-02T14:43:16Z"
    message: 'build step "build-step-build-and-push" exited with code 1 (image: "docker-pullable://gcr.io/kaniko-project/executor@sha256:501056bf52f3a96f151ccbeb028715330d5d5aa6647e7572ce6c6c55f91ab374");
      for logs run: kubectl -n default logs example-build-pod-7d95a9 -c build-step-build-and-push'
    status: "False"
    type: Succeeded

For any other versions of kaniko higher than 0.1.0 here is the error:

error pushing image: failed to push to destination gcr.io/star-wars-istio/reverse-function:latest: DENIED: Access denied.

Also in logs there is something like:

ERROR: logging before flag.Parse: E0702 14:54:23.003241       1 metadata.go:142] while reading 'google-dockercfg' metadata: http status code: 404 while fetching url http://metadata.google.internal./computeMetadata/v1/instance/attributes/google-dockercfg

I found an issue in their repo which is closed. However, it's still reproducible. Here is the GitHub issue

I can confirm that my ServiceAccount is correct, since I'm able to build and push a simple Docker image with this configuration. I've also tried different images for build and push. For example, the one that is described here. Even though I've followed all the steps described there (creating my ServiceAccount following the instructions, which works with a simple Dockerfile), it still fails when I try to build and push my application. So when I apply the following Build:

apiVersion: build.knative.dev/v1alpha1
kind: Build
metadata:
  name: reverse-build
spec:
  serviceAccountName: knative-build
  source:
    git:
      url: https://github.com/lvivJavaClub/spring-cloud-functions.git
      revision: init-knative
    subPath: reverse-function
  steps:
    - name: build-and-push
      image: gcr.io/cloud-builders/mvn
      args: ["compile", "jib:build", "-Dimage=gcr.io/star-wars-istio/reverse-function"]

The build fails and I'm getting the error in logs:

[ERROR] Failed to execute goal com.google.cloud.tools:jib-maven-plugin:0.9.3:build (default-cli) on project reverse: Build image failed, perhaps you should set a credential helper name with the configuration '<from><credHelper>' or set credentials for 'gcr.io' in your Maven settings: com.google.api.client.http.HttpResponseException: 401 Unauthorized
[ERROR] {"errors":[{"code":"UNAUTHORIZED","message":"You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: https://cloud.google.com/container-registry/docs/advanced-authentication"}]}
-- Sergii Bishyr
google-cloud-platform
istio
kaniko
knative
kubernetes

0 Answers
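
An added example, not part of the original post: a Python check that maps the base images and push destinations named above to the registry host each one resolves to, and reports whether a `build.knative.dev/docker-*` annotation on a Secret attached to the ServiceAccount names that host. The function names are hypothetical and the manifests are re-typed from the post as dicts with only the fields the check reads.

```python
from urllib.parse import urlparse

DOCKER_HUB = "index.docker.io"  # host name used in the kaniko log line above

# Manifests from the post, re-typed as dicts (only the fields the check needs).
SECRET = {"metadata": {"name": "knative-build-auth", "annotations": {
    "build.knative.dev/docker-0": "https://gcr.io"}}}
SERVICE_ACCOUNT = {"metadata": {"name": "knative-build"},
                   "secrets": [{"name": "knative-build-auth"}]}
# Base images and push destinations that appear in the post.
IMAGES = ["openjdk:8-jdk-alpine", "ubuntu",
          "gcr.io/$projectid/my-build",
          "gcr.io/star-wars-istio/reverse-function:latest"]


def registry_host(image_ref):
    """Registry host an image reference resolves to (Docker's naming rule)."""
    name = image_ref.split("@", 1)[0]          # drop a digest, if any
    first, slash, _ = name.partition("/")
    # The first component is a registry only if it looks like a host name.
    if slash and ("." in first or ":" in first or first == "localhost"):
        return first.lower()
    return DOCKER_HUB                          # e.g. "ubuntu", "library/ubuntu"


def annotated_hosts(secret):
    """Hosts named by build.knative.dev/docker-* annotations on a Secret."""
    hosts = set()
    for key, url in secret["metadata"].get("annotations", {}).items():
        if key.startswith("build.knative.dev/docker-"):
            hosts.add(urlparse(url if "//" in url else "//" + url).netloc.lower())
    return hosts


def credential_coverage(service_account, secrets, image_refs):
    """Map each image to (registry host, True if an attached Secret covers it)."""
    attached = {s["name"] for s in service_account.get("secrets", [])}
    covered = set()
    for secret in secrets:
        if secret["metadata"]["name"] in attached:
            covered |= annotated_hosts(secret)
    return {ref: (registry_host(ref), registry_host(ref) in covered)
            for ref in image_refs}


if __name__ == "__main__":
    report = credential_coverage(SERVICE_ACCOUNT, [SECRET], IMAGES)
    for ref, (host, ok) in report.items():
        print(f"{ref:50} {host:18} {'credential configured' if ok else 'anonymous'}")
```

A host reported as covered only means a credential is configured for it; whether the registry accepts that credential is a separate question.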