Actual behavior
When trying to start Kaniko the error message is:
Error: error resolving dockerfile path: copying dockerfile: open /kaniko/Dockerfile: permission denied
Expected behavior
It should just build container fine.
To Reproduce
Steps to reproduce the behavior:
- name: build-dump
  image: gcr.io/kaniko-project/executor:latest
  args: ["--dockerfile=my/magic/dump/Dockerfile",
         "--context=/cache/workspace",
         "--destination=registry.openshift-internal.mycompany.com/magic/dump",
         "--reproducible",
         "--cache=true",
        ]
  volumeMounts:
  - name: cache-volume
    mountPath: /cache
Have the same problem with OpenShift (running under random user id)
Used the image gcr.io/kaniko-project/executor:debug, connected to bash and manually tried to kick off the build using
/kaniko/executor --dockerfile Dockerfile --context /docker --no-push -v debug
and got back
DEBU[0000] Copying file /docker/Dockerfile to /kaniko/Dockerfile
Error: error resolving dockerfile path: copying dockerfile: open /kaniko/Dockerfile: permission denied
Folder permissions (docker is a mounted volume)
drwxrwsrwx 2 0 10588200 24 Jun 20 02:31 docker
drwxr-xr-x 2 0 0 66 Jun 19 19:03 etc
drwxr-xr-x 1 0 0 21 Jun 19 18:01 kaniko
dr-xr-xr-x 260 0 0 0 Jun 19 19:03 proc
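
Why the copy into `/kaniko` fails in the listing above, as an added example (not part of the original thread and not Kaniko's code): a POSIX sh check that applies the directory permission rules to two `ls` lines from the report. The UID 1000620000 and its membership of only group 0 are assumptions standing in for an OpenShift-assigned random user.

```shell
#!/bin/sh
# in_group "GID list" GID -> 0 if GID is one of the space-separated GIDs.
in_group() { case " $1 " in *" $2 "*) return 0 ;; esac; return 1; }

# can_create UID "GIDS" "ls -ln line" -> 0 if that identity may create a
# file inside the listed directory, 1 if the kernel would refuse.
can_create() {
    uid=$1; gids=$2
    set -- $3                      # split: mode links owner group ...
    mode=$1; owner=$3; group=$4
    # UID 0 normally holds CAP_DAC_OVERRIDE and bypasses the mode bits.
    [ "$uid" -eq 0 ] && return 0
    # Exactly one class applies: owner, else group, else other.
    if [ "$uid" -eq "$owner" ]; then cols=2-4
    elif in_group "$gids" "$group"; then cols=5-7
    else cols=8-10
    fi
    bits=$(printf '%s' "$mode" | cut -c"$cols")
    # Creating an entry needs write plus search (x, or s/t which imply x).
    case $bits in ?w[xst]) return 0 ;; esac
    return 1
}

# Two lines copied from the listing in the report above.
LISTING='drwxrwsrwx 2 0 10588200 24 Jun 20 02:31 docker
drwxr-xr-x 1 0 0 21 Jun 19 18:01 kaniko'

# report UID "GIDS" -> one "<dir>: <verdict>" line per listed directory.
report() {
    printf '%s\n' "$LISTING" | while read -r l; do
        if can_create "$1" "$2" "$l"; then echo "${l##* }: writable"
        else echo "${l##* }: permission denied"
        fi
    done
}

# Assumed identity: constructed UID 1000620000, member of group 0 only.
report 1000620000 "0"
```

With group 0 limited to `r-x` on `/kaniko`, only UID 0 passes the check, which matches the `runAsUser: 0` workaround reported later in the thread.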
Hello,
Did anyone find a workaround or something else to make it work with OpenShift? Or do we have any update on this issue? Because I don't want to enable anyuid on our cluster.
Thanks.
Looking at tekton catalog, they would show you how to build your images using a buildah container, which seems to work just fine on OpenShift.
See: https://github.com/tektoncd/catalog/blob/master/buildah/buildah.yaml
Sidenote, as I'm struggling with weird Buildah errors (e.g. can't change date on files and other permission denied errors that would occur after installing packages, broken pipes, i/o errors, ...): you do not need to add your ServiceAccount to any SCC when using Kaniko.
I can't explain how this is possible, though I can confirm that, by creating an SA dedicated to image builds and granting it the system:image-builder role (pushing images/OpenShift context), I can build my images.
oc create sa tkn
oc adm policy add-role-to-user system:image-builder -z tkn
Task:
apiVersion: tekton.dev/v1alpha1
kind: Task
metadata:
  name: kaniko-build
spec:
  inputs:
    params:
    - name: fromimage
      description: Forces FROM in Dockerfile.
      default: ""
      type: string
    - name: dockerfile
      description: Path to the Dockerfile to build.
      default: ./Dockerfile
    - name: CONTEXT
      description: The build context used by Kaniko.
      default: ./
    - name: EXTRA_ARGS
      default: ""
    resources:
    - name: source
      type: git
  outputs:
    resources:
    - name: image
      type: image
  steps:
  - name: patch-from
    image: quay.io/buildah/stable
    workingDir: /workspace/source
    command:
    - /bin/bash
    - -c
    - if test "$(inputs.params.fromimage)"; then sed -i "s|^[ ]*FROM[ ]*[^ ]*$|FROM $(inputs.params.fromimage)|" "$(inputs.params.dockerfile)"; fi
  - name: build-and-push
    workingdir: /workspace/source
    image: gcr.io/kaniko-project/executor:v0.13.0
    env:
    - name: DOCKER_CONFIG
      value: /builder/home/.docker
    command:
    - /kaniko/executor
    - $(inputs.params.EXTRA_ARGS)
    - --skip-tls-verify-pull
    - --skip-tls-verify
    - --dockerfile=$(inputs.params.dockerfile)
    - --context=/workspace/source/$(inputs.params.CONTEXT)
    - --destination=$(outputs.resources.image.url)
    resources:
      limits:
        cpu: 500m
        memory: 4Gi
      requests:
        cpu: 100m
        memory: 2Gi
    securityContext:
      runAsUser: 0
Pipeline:
apiVersion: tekton.dev/v1alpha1
kind: Pipeline
metadata:
  name: kaniko-build
spec:
  params:
  - default: ""
    description: Forces FROM in Dockerfile.
    name: fromimage
    type: string
  resources:
  - name: app-git
    type: git
  - name: app-image
    type: image
  tasks:
  - name: build
    params:
    - name: fromimage
      value: "$(params.fromimage)"
    resources:
      inputs:
      - name: source
        resource: app-git
      outputs:
      - name: image
        resource: app-image
    taskRef:
      name: kaniko-build
Pipelinerun:
apiVersion: tekton.dev/v1alpha1
kind: PipelineRun
metadata:
  name: build-java-kaniko
spec:
  pipelineRef:
    name: kaniko-build
  resources:
  - name: app-git
    resourceRef:
      name: java-git
  - name: app-image
    resourceRef:
      name: java-img
  serviceAccount: tkn
Running as root seems to fix it.
securityContext:
  runAsUser: 0
AFAIK kaniko must run as root at this time. It's something we've discussed fixing but I don't think has been addressed yet.
Hi, I am still running into the same issue. Is there a resolution for this, @tejal29?
Error: error resolving dockerfile path: copying dockerfile: creating file: open /kaniko/Dockerfile: permission denied