Kaniko — Docker Build without Docker
Kaniko builds Docker images inside Kubernetes without a Docker daemon, which makes container-based CI/CD builds more secure.
Why Kaniko
Docker-in-Docker requires privileged mode — a security risk. Kaniko builds images in userspace without a daemon.
- No Docker daemon
- No privileged mode
- Runs as a regular container in K8s
- Compatible with most Dockerfile instructions
Kubernetes Job
```yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: kaniko-build
spec:
  template:
    spec:
      containers:
        - name: kaniko
          image: gcr.io/kaniko-project/executor:latest
          args:
            - --dockerfile=Dockerfile
            - --context=git://github.com/org/app.git#refs/heads/main
            - --destination=registry.example.com/app:v1.2.3
            # Cache layers in a separate repository to speed up rebuilds
            - --cache=true
            - --cache-repo=registry.example.com/app/cache
          volumeMounts:
            # Kaniko reads registry credentials from /kaniko/.docker/config.json
            - name: docker-config
              mountPath: /kaniko/.docker
      volumes:
        - name: docker-config
          secret:
            secretName: regcred
            items:
              - key: .dockerconfigjson
                path: config.json
      restartPolicy: Never
```
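An added example, not from the original page or the Kaniko project: a small audit over a build Job as returned by `kubectl get job -o json`. It checks the two properties this page relies on (no privileged mode, no Docker socket) and, going beyond the text, flags a mutable executor tag and a git context that tracks a branch. The function names and finding codes are assumptions made for this example.

```python
import re

DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")

def arg_value(args, flag):
    """Value of '--flag=value' or '--flag value' in a container args list."""
    for i, arg in enumerate(args):
        if arg.startswith(flag + "="):
            return arg.split("=", 1)[1]
        if arg == flag and i + 1 < len(args):
            return args[i + 1]
    return None

def audit_job(job):
    """Return sorted finding codes for a Job dict (kubectl get job -o json)."""
    pod = job["spec"]["template"]["spec"]
    findings = set()
    for vol in pod.get("volumes", []):
        # A mounted Docker socket brings the host daemon back into the build.
        if vol.get("hostPath", {}).get("path", "").endswith("docker.sock"):
            findings.add("docker-socket")
    for c in pod.get("containers", []):
        if (c.get("securityContext") or {}).get("privileged"):
            findings.add("privileged")
        if not DIGEST.search(c.get("image", "")):
            findings.add("mutable-image")        # e.g. executor:latest
        context = arg_value(c.get("args", []), "--context") or ""
        if context.startswith("git://") and "#refs/heads/" in context:
            findings.add("branch-context")       # source can change between runs
    return sorted(findings)

# Constructed sample: the Job from this page, trimmed to the fields audited.
PAGE_JOB = {"spec": {"template": {"spec": {
    "containers": [{
        "name": "kaniko",
        "image": "gcr.io/kaniko-project/executor:latest",
        "args": ["--dockerfile=Dockerfile",
                 "--context=git://github.com/org/app.git#refs/heads/main",
                 "--destination=registry.example.com/app:v1.2.3"],
    }],
    "volumes": [{"name": "docker-config", "secret": {"secretName": "regcred"}}],
}}}}

if __name__ == "__main__":
    print(audit_job(PAGE_JOB))
```

An empty result means the Job passed all four checks; the codes can be used to fail an admission or pipeline step.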
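GitLab CI Integration
```yaml
build:
  stage: build
  image:
    # The debug image ships a shell, which the GitLab runner needs to run the script
    name: gcr.io/kaniko-project/executor:debug
    entrypoint: [""]
  script:
    # CI_COMMIT_TAG is only set in tag pipelines
    - |
      /kaniko/executor \
        --context "$CI_PROJECT_DIR" \
        --dockerfile "$CI_PROJECT_DIR/Dockerfile" \
        --destination "$CI_REGISTRY_IMAGE:$CI_COMMIT_TAG" \
        --cache=true
```
Summary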
Kaniko is a secure alternative to Docker-in-Docker for CI/CD in Kubernetes. No privileged mode, no daemon.