How to Build Containers in a Kubernetes Cluster With Kaniko
Automate container builds within K8s without a Docker daemon

Traditionally, organisations have built Docker images outside the Kubernetes cluster. However, with more and more companies adopting Kubernetes and the demand for virtual machines decreasing day by day, it makes sense to run your continuous integration builds within the Kubernetes cluster.
Building Docker images inside a container is a security challenge: to talk to a Docker daemon, the build container either needs the worker node's Docker socket mounted from the host filesystem, or it has to run its own daemon (Docker-in-Docker).
Either way you end up running the container in privileged mode or with host mounts. That practice isn't recommended, as it opens up your nodes to numerous security threats. Most organisations rely on persistent external volumes for storing data, and a build container should in no case have direct access to the node filesystem.
Running a container in privileged mode is a terrible idea: it effectively gives the container root access to the host, with all capabilities and host devices available to it. An attacker who compromises the build then has the opportunity to take over the entire worker node instead of just the container.
Google solves this problem by providing a tool called Kaniko. Kaniko helps you build container images within a container without any access to the Docker daemon. That way, you can execute your build jobs within containers without granting any access to the host filesystem.
You just need to create a build manifest as a Kubernetes batch job and apply it to the cluster using any CI tool of your choice. The job takes responsibility for building your image and uploading it to the specified container registry.
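As an added example (not from the original article), here is what such a build Job can look like. The Git repository URL, the registry name and the `regcred` secret name are assumptions; the secret is the standard `kubectl create secret docker-registry` kind, whose `.dockerconfigjson` key is projected to the `/kaniko/.docker/config.json` path the Kaniko executor reads. Note what is absent: no `privileged: true`, no `hostPath` volume and no Docker socket mount.

```yaml
# Example Kaniko build Job (illustrative, not the article's manifest).
# Assumed names: example-org/example-app repo, registry.example.com, secret "regcred".
apiVersion: batch/v1
kind: Job
metadata:
  name: kaniko-build-example-app
spec:
  backoffLimit: 1            # a failed build should not loop forever
  ttlSecondsAfterFinished: 600
  template:
    spec:
      restartPolicy: Never
      containers:
        - name: kaniko
          # Pin to a specific tag or digest in production rather than :latest.
          image: gcr.io/kaniko-project/executor:latest
          args:
            - --dockerfile=Dockerfile
            # Build context fetched straight from Git; branch selected after '#'.
            - --context=git://github.com/example-org/example-app.git#refs/heads/main
            - --destination=registry.example.com/example-org/example-app:1.0.0
          volumeMounts:
            # Registry credentials only; nothing from the node filesystem.
            - name: registry-creds
              mountPath: /kaniko/.docker/
              readOnly: true
          securityContext:
            privileged: false  # default, stated explicitly: no host access
          resources:
            requests:
              cpu: "500m"
              memory: "1Gi"
            limits:
              cpu: "2"
              memory: "4Gi"
      volumes:
        - name: registry-creds
          secret:
            secretName: regcred
            items:
              - key: .dockerconfigjson
                path: config.json
```

Apply it with `kubectl apply -f` from your CI pipeline and wait on the Job's completion status; the executor exits non-zero if the build or the push fails, which surfaces as a failed Job.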
How Kaniko works
Kaniko:
- Reads the specified Dockerfile.
- Extracts the base image (specified in the FROM directive) into the container filesystem.
- Runs each command in the Dockerfile individually.
- Takes a snapshot of the userspace filesystem after every run.
- Appends the snapshot layer to the base layer on each run.
Because of this, Kaniko does not depend on a Docker daemon. One caveat worth keeping in mind: Kaniko itself runs as root inside its container and executes the Dockerfile's RUN steps directly in that filesystem, so it removes the need for a daemon and for privileged mode, but it is not a sandbox for Dockerfiles you do not trust.