Kaniko

Jan 1, 0001

Definition

Kaniko is an open-source tool designed to build container images from a Dockerfile, inside a container or Kubernetes cluster, without requiring privileged access. It is particularly useful in environments where the Docker daemon cannot be used due to security restrictions, as it executes builds in userspace and does not require root privileges, enhancing security by reducing the attack surface.

Secure Settings Example

apiVersion: batch/v1
kind: Job
metadata:
  name: kaniko-build
spec:
  template:
    spec:
      containers:
      - name: kaniko
        image: gcr.io/kaniko-project/executor:latest
        args:
        - "--context=dir://workspace/"
        - "--destination=gcr.io/my-project/my-image:latest"
        securityContext:
          runAsNonRoot: true
          capabilities:
            drop:
            - ALL
      restartPolicy: Never

Insecure Settings Example

apiVersion: batch/v1
kind: Job
metadata:
  name: kaniko-build
spec:
  template:
    spec:
      containers:
      - name: kaniko
        image: gcr.io/kaniko-project/executor:latest
        args:
        - "--context=dir://workspace/"
        - "--destination=gcr.io/my-project/my-image:latest"
        securityContext:
          privileged: true
      restartPolicy: Never