Jenkins Kaniko Failed to Push to GCR

9/28/2021

I have Jenkins running in Kubernetes along with Kaniko to build images, and I want to push to GCR.

For the service account, I use an "owner"-level service account (just for PoC).

My pipeline:

podTemplate(
    containers: [
        containerTemplate(
            name: 'kaniko',
            image: 'gcr.io/kaniko-project/executor:debug-v1.3.0',
            ttyEnabled: true,
            // Keep the container alive so build steps can run inside it
            command: 'sleep 1000000',
            args: '',
            resourceRequestCpu: '0.5',
            resourceRequestMemory: '500Mi'
        )
    ],
    // Kubernetes service account the agent pod runs as
    serviceAccount: 'jenkins-service-account'
) {
    node(POD_LABEL) {
        try {
            stage('Prepare') {
                git([
                    url: 'https://myrepo.example.com/example-kaniko.git',
                    branch: 'master',
                    // The git step's parameter is named credentialsId
                    credentialsId: 'jenkins-github'
                ])
            }

            container('kaniko') {
                stage('Build image') {
                    // Build from the workspace and push to the registry
                    sh '/kaniko/executor -c `pwd` --cache=true --skip-unused-stages=true --single-snapshot --destination=asia.gcr.io/[MY_PROJECT_ID]/testing-1:v1'
                }
            }
        } catch (e) {
            throw e
        } finally {
            echo "Done"
        }
    }
}

But still, I got an error:

error checking push permissions -- make sure you entered the correct tag name, and that you are authenticated correctly, and try again: checking push permission for "asia.gcr.io/MY_PROJECT_ID/testing-1:v1": resolving authorization for asia.gcr.io failed: error getting credentials - err: exit status 1, out: docker-credential-gcr/helper: could not retrieve GCR's access token: compute: Received 403Unable to generate access token; IAM returned 403 Forbidden: The caller does not have permission This error could be caused by a missing IAM policy binding on the target IAM service account.

How can I solve this problem? Or am I using the wrong method?

Please help, thank you!

-- jebret
google-cloud-platform
jenkins
kaniko
kubernetes

1 Answer

9/29/2021

Take a look at this document and make sure you have a proper authentication method set up.
Additionally, you can check your container registry service account.
There's also a similar question here.

-- Sergiusz
Source: StackOverflow
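
The error in the question points at a missing IAM policy binding on the target IAM service account. The following is an added example, not code from the question or the answer, that checks for that binding offline. It assumes the cluster uses GKE Workload Identity (the page does not say so); the project ID, namespace and Google service account e-mail are constructed placeholders, and the two sample inputs mimic the JSON output of the commands named in the comments.

```python
import json
import re

WI_ROLE = "roles/iam.workloadIdentityUser"
ANNOTATION = "iam.gke.io/gcp-service-account"

# Constructed sample inputs (placeholders, not values from the question).
# Shape of: gcloud iam service-accounts get-iam-policy <GSA_EMAIL> --format=json
SAMPLE_POLICY = json.loads("""{"bindings": [
  {"role": "roles/iam.workloadIdentityUser",
   "members": ["serviceAccount:example-project.svc.id.goog[default/jenkins-service-account]"]}
]}""")
# Shape of: kubectl get serviceaccount <KSA> -n <NAMESPACE> -o json
SAMPLE_KSA = {"metadata": {
    "name": "jenkins-service-account", "namespace": "jenkins",
    "annotations": {ANNOTATION: "pusher@example-project.iam.gserviceaccount.com"}}}


def check_workload_identity(policy, ksa, project_id, gsa_email):
    """Return a list of findings; an empty list means the link looks complete."""
    meta = ksa["metadata"]
    findings = []
    # 1. The Kubernetes service account must name the Google service account.
    annotated = (meta.get("annotations") or {}).get(ANNOTATION)
    if annotated != gsa_email:
        findings.append(f"KSA annotation {ANNOTATION} is {annotated!r}, expected {gsa_email!r}")
    # 2. The Google service account must let exactly this namespace/name impersonate it.
    expected = f"serviceAccount:{project_id}.svc.id.goog[{meta['namespace']}/{meta['name']}]"
    members = [m for b in policy.get("bindings", [])
               if b.get("role") == WI_ROLE and "condition" not in b
               for m in b.get("members", [])]
    if expected not in members:
        findings.append(f"no {WI_ROLE} binding for {expected}")
        # Same identity pool but another namespace or account name: a common typo.
        pool = re.escape(f"serviceAccount:{project_id}.svc.id.goog[")
        findings += [f"near miss: binding exists for {m}"
                     for m in members if re.match(pool, m)]
    return findings


if __name__ == "__main__":
    for line in check_workload_identity(SAMPLE_POLICY, SAMPLE_KSA, "example-project",
                                        "pusher@example-project.iam.gserviceaccount.com"):
        print(line)
```

With the constructed inputs, the binding was created for the `default` namespace while the pod's service account lives in `jenkins`, so the check reports the missing binding and the near miss.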