Kaniko "error checking push permissions" in CI
Before building, Kaniko does a permission check against the destination so it fails fast rather than after a long build. If credentials are missing, wrong, or the host is unreachable, this pre-check fails.
What this error means
Kaniko aborts early with "error checking push permissions -- make sure you entered the correct tag name, and that you are authenticated correctly, and try again".
error checking push permissions -- make sure you entered the correct tag name,
and that you are authenticated correctly, and try again: checking push permission
for "registry.example.com/app:latest": UNAUTHORIZED: authentication requiredCommon causes
Missing or wrong registry credentials
The permission probe uses the same /kaniko/.docker/config.json as the push. No valid auth for the destination host fails the check up front.
A malformed or unreachable destination
A wrong hostname, a typo in the tag, or a registry the runner cannot reach makes the pre-flight check fail.
How to fix it
Provide credentials before the executor runs
Write a valid Docker config so the pre-check authenticates, exactly as the push would.
mkdir -p /kaniko/.docker
echo "{\"auths\":{\"registry.example.com\":{\"auth\":\"${AUTH_B64}\"}}}" \
> /kaniko/.docker/config.jsonSkip the check only when it is a false negative
If the destination is correct but the pre-check probe misbehaves (for example a registry that disallows the probe), you can defer it with --skip-push-permission-check, but fix real auth first.
/kaniko/executor --skip-push-permission-check \
--destination registry.example.com/app:latestHow to prevent it
- Set up the Docker config before Kaniko runs so the pre-check passes.
- Verify the --destination hostname and tag are correct.
- Prefer failing fast on auth here over discovering it after a long build.