2

I am using GitLab Runner on Kubernetes, with kaniko to push an image to a private Docker registry (insecure). How could I give kaniko push permissions?

I tried the `--insecure-registry` and `--skip-tls-verify` params, but there is the same error.

```yaml
build:
  stage: build
  image:
    name: gcr.io/kaniko-project/executor:debug
    entrypoint: [""]
  script:
    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --insecure-registry --destination registry-ip:5000/soccer
```

```
error checking push permissions -- make sure you entered the correct tag name, and that you are authenticated correctly, and try again: checking push permission for "registry-ip:5000/soccer": Post http://registry-ip:5000/v2/soccer/blobs/uploads/: net/http: HTTP/1.x transport connection broken: malformed HTTP response "\x15\x03\x01\x00\x02\x02\x16"
```

George
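
The quoted bytes in the error above are not HTTP; decoding them as a TLS record shows what the registry port actually sent back. This is an added example, not part of the original question or of kaniko: the function names are hypothetical, and the alert table is a small constructed subset of the TLS alert registry.

```python
import re
import struct

# TLS record content types and a few alert codes (subset, RFC 5246 / RFC 8446).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message", 22: "record_overflow",
                      40: "handshake_failure", 70: "protocol_version"}

# Tail of the error line from the question, copied as printed.
ERROR_LINE = (r'Post http://registry-ip:5000/v2/soccer/blobs/uploads/: net/http: HTTP/1.x transport '
              r'connection broken: malformed HTTP response "\x15\x03\x01\x00\x02\x02\x16"')


def quoted_response_bytes(error_line):
    """Return the bytes Go quoted after 'malformed HTTP response', or None."""
    m = re.search(r'malformed HTTP response "((?:[^"\\]|\\.)*)"', error_line)
    if m is None:
        return None
    # Go's %q escapes (\xNN, \n, \\, \") are valid Python escapes; \u runes become '?'.
    text = m.group(1).encode("latin-1", "replace").decode("unicode_escape")
    return text.encode("latin-1", "replace")


def parse_tls_record(data):
    """Parse a TLS record header and, for alerts, the 2-byte body; None if not TLS."""
    if len(data) < 5:
        return None
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype not in CONTENT_TYPES or major != 3:
        return None
    rec = {"type": CONTENT_TYPES[ctype], "version": (major, minor), "length": length}
    body = data[5:5 + length]
    if ctype == 21 and len(body) == 2:
        rec["level"] = ALERT_LEVELS.get(body[0], "unknown")
        rec["description"] = ALERT_DESCRIPTIONS.get(body[1], f"alert {body[1]}")
    return rec


def diagnose(error_line):
    """Say whether the 'malformed HTTP response' was really a TLS record."""
    data = quoted_response_bytes(error_line)
    if data is None:
        return "no quoted response bytes found"
    rec = parse_tls_record(data)
    if rec is None:
        return "reply is not a TLS record"
    detail = rec["type"] + (f" ({rec['level']} {rec['description']})" if "level" in rec else "")
    return f"reply is a TLS {detail} record: the port speaks TLS, but the request was plain HTTP"
```
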

2 Answers

0

Pushing to insecure registries requires a change to the Docker daemon. The Docker daemon (or whatever runtime you are using for the Kubernetes cluster, be it Docker, containerd, etc.; I will assume you use the Docker daemon) needs to be edited to allow insecure registries. Edit `/etc/docker/daemon.json` and add the following:

```json
{
    "insecure-registries" : [ "registry-ip:5000" ]
}
```

Then restart Docker on each of the nodes.

A better approach would be to add some form of authentication over the local Docker registry. You can enable HTTP basic auth on the Docker registry. Or you can set up SSL on the Docker registry with a signed certificate (self-signed certificates need to be added to the Docker daemon before they are trusted, though).

Blokje5
  • Thanks for your answer, I have already done it for cluster and for all the nodes and I could successfully push/pull images from each node as well as from cluster by running "docker push registry-ip:5000/..." but when trying via kaniko, the same error appears. – George Nov 05 '19 at 10:20
  • Hmm, looking at the source code for Kaniko, it seems the insecure-registry flag expects a value (the uri of the registry.) Have you tried supplying the registry to the `--insecure-registry` flag? – Blokje5 Nov 05 '19 at 10:35
  • Yeah, I tried using --insecure-registry registry-ip:5000 but there is the same error, I also tried --insecure but no luck, maybe I have missed something in runners configuration, thanks once again for your help and if you have any other idea please let me know – George Nov 05 '19 at 13:04
  • found a solution? – ThatChrisGuy Dec 06 '19 at 02:13
  • This is caused by use of private IP addresses. You are better off using a domain name if the registry is HTTPS enabled. – MUNGAI NJOROGE Feb 05 '20 at 12:01
0

In case of using the unsecured registry you have to use the `--insecure` option of the kaniko executor, for example:

```yaml
- /kaniko/executor --insecure --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination $MY_REGISTRY/$MY_IMAGE:$MY_IMAGE_TAG
```

Cepr0