CI/CD Kaniko - can't create /kaniko/.docker/config.json: Permission denied


I am trying to build docker image using kaniko. I have configured my job according to documentation (Use kaniko to build Docker images | GitLab).

My .gitlab-ci.yml file:

  • build

stage: build
- openshift
entrypoint: [""]
- mkdir -p /kaniko/.docker
- echo “{“auths”:{”$CI_REGISTRY":{“username”:"$CI_REGISTRY_USER",“password”:"$CI_REGISTRY_PASSWORD"}}}" > /kaniko/.docker/config.json
- /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination $CI_REGISTRY_IMAGE:$CI_BUILD_REF_NAME

echo “{“auths”:{”$CI_REGISTRY":{“username”:"$CI_REGISTRY_USER",“password”:"$CI_REGISTRY_PASSWORD"}}}" > /kaniko/.docker/config.json
/sh: eval: line 107: can’t create /kaniko/.docker/config.json: Permission denied

I seems like CI job user doesn’t have permissions under /kaniko path.

Gitlab runner is running on openshift and is configured with openshift gitlab runner operator.

Any idea how to solve this?

Thank you and best regards,


I have solved permission denied issue by building custom kaniko docker image like this: dockerfiles/kaniko-openshift at master · ContainerSolutions/dockerfiles · GitHub

No I have issue with accessing container registry inside the project I am running the pipeline inside.

  • mkdir -p /kaniko/.docker
  • echo “{“auths”:{”$CI_REGISTRY":{“username”:"$CI_REGISTRY_USER",“password”:"$CI_REGISTRY_PASSWORD"}}}" > /kaniko/.docker/config.json
  • /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination $CI_REGISTRY_IMAGE:$CI_BUILD_REF_NAME --skip-tls-verify --skip-tls-verify-pull -v trace

/kaniko/.docker/config.json has correct values inside.


$ /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination $CI_REGISTRY_IMAGE:$CI_BUILD_REF_NAME --skip-tls-verify --skip-tls-verify-pull -v trace

28DEBU[0000] Copying file /builds/…/Dockerfile to /kaniko/Dockerfile

29TRAC[0000] Adding /var/run to initialIgnoreList

30E0407 13:40:00.301507 20 aws_credentials.go:77] while getting AWS credentials NoCredentialProviders: no valid providers in chain. Deprecated.

31 For verbose messaging see aws.Config.CredentialsChainVerboseErrors

32error checking push permissions – make sure you entered the correct tag name, and that you are authenticated correctly, and try again: checking push permission for “gitlab.XXXX:5050/…”: creating push check transport for gitlab.XXXX:5050 failed: GET https://gitlabXXXX/jwt/auth?scope=repository…%2Cpull&service=container_registry: DENIED: access forbidden

If anybody could point me to the right direction to solve this I would appreciate it very much.

Thank you all and best regards,

The custom kaniko image you built using your script set home dir to /.

It seems like kaniko reads docker authentication infromation from ${HOME}/.docker folder.

However even with this problem solved, I don’t think it’s possible to build docker image using kaniko as non-root users.