Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Look for usable on-cluster credentials using k8schain #243

Merged
merged 7 commits into from
Jul 21, 2018

Conversation

imjasonh
Copy link
Collaborator

This updates deps and uses k8schain and NewMultiKeychain to attempt to authorize pushes using available image pull secrets.

This change isn't ready to merge, I just wanted to get some initial feedback about the plan and maybe ideas about how I should go about testing this.

@imjasonh imjasonh requested review from mattmoor and priyawadhwa July 18, 2018 22:31
@imjasonh
Copy link
Collaborator Author

Just tried this on my cluster, and got this:

time="2018-07-19T00:24:38Z" level=error msg="serviceaccounts \"default\" is forbidden: User \"system:serviceaccount:default:default\" cannot get serviceaccounts in the namespace \"default\": Unknown user \"system:serviceaccount:default:default\""

Reproducing with this pod.yaml:

apiVersion: v1
kind: Pod
metadata:
  name: build-pod
spec:
  restartPolicy: Never
  initContainers:
  - image: gcr.io/cloud-builders/git
    name: 'git-clone'
    args: ['clone', 'https://gist.github.com/f1fb27779bc17009198e2cef946bf749.git', '/workspace']
    volumeMounts:
    - mountPath: /workspace
      name: workspace

  - image: gcr.io/jasonhall-kube/executor
    name: kaniko
    workingDir: /workspace
    args:
    - --destination=gcr.io/jasonhall-kube/built-with-kaniko-fixed
    volumeMounts:
    - mountPath: /workspace
      name: workspace

  containers:
  - image: ubuntu
    name: nop
    args: ['echo', 'done']

  volumes:
  - name: workspace
    emptyDir: {}

@mattmoor any ideas about what's going wrong here? I'm hoping that k8schain will enable me to push with the cluster's image pull secrets -- it's authorized to pull my kaniko executor image, but kaniko+k8schain isn't able to get to those secrets.

@priyawadhwa
Copy link
Collaborator

It looks like you changed the auth for getting base images, but not for pushing at the end of the build. That might be the issue?

@imjasonh
Copy link
Collaborator Author

Well that would certainly help, wouldn't it 😄

Unfortunately, I don't think that's the problem, since the failure seems to happen long before the image is built or pushed. The full logs from the failing container are:

$ kubectl logs build-pod -c kaniko
time="2018-07-19T01:10:02Z" level=info msg="appending to multi args gcr.io/jasonhall-kube/built-with-kaniko-fixed"
time="2018-07-19T01:10:02Z" level=info msg="Unpacking filesystem of golang:latest..."
time="2018-07-19T01:10:02Z" level=error msg="serviceaccounts \"default\" is forbidden: User \"system:serviceaccount:default:default\" cannot get serviceaccounts in the namespace \"default\": Unknown user \"system:serviceaccount:default:default\""

@@ -91,11 +90,12 @@ func DoBuild(k KanikoBuildArgs) (name.Reference, v1.Image, error) {
if err != nil {
return nil, nil, err
}
auth, err := authn.DefaultKeychain.Resolve(ref.Context().Registry)
k8sc, err := k8schain.NewInCluster(k8schain.Options{})
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

NewInCluster will use the pod's serviceaccount identity to try and talk to the API server and read secrets, you want this which I now realize isn't documented. Oops.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh okay. I'll give that a try. Sounds like we need better docs about which is useful in which scenarios, and maybe a rename, since I figured NewInCluster would be the one I wanted while trying to auth from in the cluster.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That worked! 🎉

Copy link
Collaborator

@mattmoor mattmoor left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This LGTM, thanks for jumping on this @imjasonh

if err != nil {
return nil, nil, err
}
sourceImage, err = remote.Image(ref, remote.WithAuth(auth), remote.WithTransport(http.DefaultTransport))
kc := authn.NewMultiKeychain(authn.DefaultKeychain, k8sc)
sourceImage, err = remote.Image(ref, remote.WithAuthFromKeychain(kc), remote.WithTransport(http.DefaultTransport))
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FYI remote.WithTransport(http.DefaultTransport) is a nop

@priyawadhwa
Copy link
Collaborator

I just merged #244 which moved the auth for getting base images here. I think if you change that to use k8schain we should be good!

@imjasonh imjasonh changed the title [WIP] Look for usable on-cluster credentials using k8schain Look for usable on-cluster credentials using k8schain Jul 21, 2018
@imjasonh
Copy link
Collaborator Author

@priyawadhwa Rebased and updated image_util.go to use k8schain, this should be RFAL.

@mattmoor
Copy link
Collaborator

mattmoor commented Jul 21, 2018

Very eager to see this land :)

thanks @imjasonh and @priyawadhwa

@priyawadhwa
Copy link
Collaborator

LGTM, thanks for making this change!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants