I have set up a self-signed private registry. I am using kaniko to build an image and push it to the private registry.
Actual behavior
The following error is noticed in the logs.
```
error checking push permissions --
make sure you entered the correct tag name, and that you are authenticated correctly,
and try again:
checking push permission for "10.103.225.30:443/sample53:ashwini":
creating push check transport for 10.103.225.30:443 failed:
Get http://10.103.225.30:443/v2/: net/http:
HTTP/1.x transport connection broken: malformed HTTP response "\x15\x03\x01\x00\x02\x02"
```
Expected behavior
Since the `--insecure` flag is not provided, kaniko should use HTTPS instead of HTTP.
To Reproduce
Steps to reproduce the behavior:
`~/ws/selfsignedRegistry > cat kanikoDeployment.yaml`

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: kaniko
spec:
  restartPolicy: Never
  containers:
  - name: kaniko
    image: gcr.io/kaniko-project/executor:latest
    imagePullPolicy: Always
    args: ["--dockerfile=/ws/image.Dockerfile",
           "--context=dir://ws",
           "--verbosity", "debug",
           "--destination=10.103.225.30:443/sample53:ashwini",
          ]
    volumeMounts:
    - name: registry-cert
      mountPath: /cert
      readOnly: true
    - name: dockerfile-storage
      mountPath: /ws
    - name: kaniko-secret
      mountPath: /secret
  volumes:
  - name: dockerfile-storage
    hostPath:
      path: /data
      type: Directory
  - name: registry-cert
    secret:
      secretName: registry-cert
  - name: kaniko-secret
    secret:
      secretName: dodo-secret
```
Additional Information
`$ cat /data/image.Dockerfile`

```dockerfile
FROM alpine
RUN echo ollo
```
Most helpful comment
This issue seems to originate from private IP filters. When an IP is private, kaniko resorts to using HTTP traffic. This can be seen here:
https://github.com/GoogleContainerTools/kaniko/blob/790ba99477d15dfbb3b218937d1499cb4189aaf9/vendor/github.com/google/go-containerregistry/pkg/name/registry.go#L68
I think more control can be granted to users to overcome this issue when testing their infrastructure. Sometimes you don't have URLs to use for this case. However, if you use a domain name, e.g. example.com, the issue is fixed.
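
The behaviour described in the comment above, as an added Go sketch (not code from the issue, kaniko or go-containerregistry): it models the private-IP scheme choice and shows that the "malformed HTTP response" bytes in the error are the start of a TLS alert record, i.e. the registry answered a plaintext request with TLS. The function names `isPrivateIPHost`, `guessScheme` and `looksLikeTLSAlert` are hypothetical; the host, domain and byte string are the ones quoted on this page.

```go
package main

import (
	"fmt"
	"net"
)

// RFC 1918 private IPv4 ranges.
var rfc1918 = []string{"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"}

// isPrivateIPHost reports whether a registry "host" or "host:port" is a literal RFC 1918 address.
func isPrivateIPHost(registry string) bool {
	host := registry
	if h, _, err := net.SplitHostPort(registry); err == nil {
		host = h
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return false // a DNS name such as example.com
	}
	for _, cidr := range rfc1918 {
		_, block, _ := net.ParseCIDR(cidr)
		if block.Contains(ip) {
			return true
		}
	}
	return false
}

// guessScheme models the behaviour the comment describes (an assumption, not
// the library's code): HTTP when insecure is requested or the host is a private IP.
func guessScheme(registry string, insecure bool) string {
	if insecure || isPrivateIPHost(registry) {
		return "http"
	}
	return "https"
}

// looksLikeTLSAlert reports whether bytes rejected as a "malformed HTTP response"
// begin a TLS alert record: content type 0x15, then protocol major version 0x03.
func looksLikeTLSAlert(b []byte) bool {
	return len(b) >= 3 && b[0] == 0x15 && b[1] == 0x03
}

func main() {
	fmt.Println(guessScheme("10.103.225.30:443", false), guessScheme("example.com", false))
	fmt.Println(looksLikeTLSAlert([]byte("\x15\x03\x01\x00\x02\x02"))) // bytes from the error above
}
```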