-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Kaniko can't auth to AWS using IRSA #2526
Comments
We are also seeing failures when trying to use kaniko with IRSA. Builds work with KIAM and with AWS access keys, but not with IRSA. |
Same for us, any updates? |
I'm seeing the same issue, but it only started occurring for me when upgrading the Gitlab runner version to current version 16.4.1. |
I am facing similar issue, but in my case Kaniko is not assuming IRSA at all, It is using the EC2 Instance IAM role. I have this issue with GitLab Runner created Pod, but for troubleshooting purposes I have created my own Pod and the issue is the same. In my case it is not happening just on GitLab Runner job pods. My Pod spec:
Running this Pod results in:
instead of expected:
Am I missing something from my spec for Kaniko to assume IRSA role? Kaniko version: |
I figured it out and ended up adding
and adding
|
It is working for me. I'm runnning kaniko from a EKS pod with IRSA enabled. Here is the policy that is attached to the irsa role, using image Note, "ecr:GetAuthorizationToken" has to be set to "*" resource, rest of action can be set to a specific repo {
{
"Effect": "Allow",
"Action": "ecr:GetAuthorizationToken",
"Resource": "*"
},
{
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:CompleteLayerUpload",
"ecr:DescribeImages",
"ecr:DescribeImageScanFindings",
"ecr:DescribeRepositories",
"ecr:GetDownloadUrlForLayer",
"ecr:GetLifecyclePolicy",
"ecr:GetLifecyclePolicyPreview",
"ecr:GetRepositoryPolicy",
"ecr:InitiateLayerUpload",
"ecr:ListImages",
"ecr:ListTagsForResource",
"ecr:PutImage",
"ecr:UploadLayerPart"
],
"Effect": "Allow",
"Resource": "arn:aws:ecr:REGION:AWS_ACCOUNT_ID:repository/REPO_NAME"
}
} |
Actual behavior
When running
kaniko
within a Gitlab Job in ak8s
pod gitlab runner, even with the right service account properly annotated, kanico is not being able to authenticate in AWS ECR.Expected behavior
When
kaniko
ran from a Gitlab Runner pod, it should still be able to authenticate to ECR using IRSA.To Reproduce
Steps to reproduce the behavior:
warmer
, it will throw this error:Error while trying to warm image: "<account_id>.dkr.ecr.<region>.amazonaws.com/<project_name>" Failed to verify image name: "<account_id>.dkr.ecr.<region>.amazonaws.com/<project_name>": could not parse reference: "<account_id>.dkr.ecr.<region>.amazonaws.com/<project_name>" Failed warming cache: Failed to warm any of the given images
. If removewarmer
,executor
throws this error:error checking push permissions -- make sure you entered the correct tag name, and that you are authenticated correctly, and try again: getting tag for destination: repository can only contain the characters
abcdefghijklmnopqrstuvwxyz0123456789_-./: <project_name>"
Additional Information
The
target
folder is created in a previous Gitlab CI step, and they exists, are passed through artifacts.gcr.io/kaniko-project/executor:debug
:sha256:964426c9205d644e2964869d1d311a05dc9f301594300d3732ea26b5733e94fc
I'm trying to push the image to an ECR repository, with authentication through IRSA. The pod for the gitlab executor has the right web identity token properly mounted to the container.
Funny thing is that if I run the pod with
kubectl run
using the same svc account, works like a charm, but it fails when running from Gitlab CI.There is a short version of the pod description: https://gitlab.com/-/snippets/2546250
Triage Notes for the Maintainers
--cache
flagThe text was updated successfully, but these errors were encountered: