Post

How to Use Kaniko for Building Container Images with GitHub Actions, Cloud Build, and CircleCI

Posted
By Joey
3 min read

How to Use Kaniko for Building Container Images with GitHub Actions, Cloud Build, and CircleCI

Building container images efficiently and securely is essential for modern DevOps workflows. Kaniko is an excellent tool designed for container image building in environments without Docker installed. Unlike Docker, Kaniko runs entirely in userspace, making it a secure and lightweight choice for CI/CD pipelines.

In this article, we’ll cover:

  • What Kaniko is and why you should use it.
  • How to integrate Kaniko with GitHub Actions.
  • How to use Kaniko with Google Cloud Build.
  • How to implement Kaniko in CircleCI workflows.

What is Kaniko?

Kaniko is an open-source tool by Google that builds container images directly from a Dockerfile and pushes them to a container registry. It is particularly useful in Kubernetes and CI/CD environments where Docker might not be available due to security or performance reasons.

Why Use Kaniko?

  1. Dockerless Builds: Kaniko does not require the Docker daemon, reducing security risks.
  2. Kubernetes-Native: Designed to run as a Kubernetes pod or standalone.
  3. Optimized for CI/CD Pipelines: Ideal for building and pushing images in CI/CD environments.

Setting Up Kaniko with GitHub Actions

GitHub Actions provides a powerful framework for automating CI/CD pipelines. Here’s how you can use Kaniko to build and push images to a container registry.

Prerequisites

  • A GitHub repository.
  • Access to a container registry (e.g., Docker Hub, AWS ECR, or Google Container Registry).
  • A service account or credentials for registry authentication.

Example Workflow

Below is an example GitHub Actions workflow to build and push an image using Kaniko:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29

name: Build and Push Image

on:
  push:
    branches:
      - main

jobs:
  build:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout Code
        uses: actions/checkout@v3

      - name: Set up Kaniko
        uses: crazy-max/ghaction-docker-buildx@v2

      - name: Build and Push Image with Kaniko
        run: |
          mkdir -p /kaniko/.docker
          echo "{\"auths\":{\"<registry_url>\":{\"username\":\"$DOCKER_USERNAME\",\"password\":\"$DOCKER_PASSWORD\"}}}" > /kaniko/.docker/config.json
          /kaniko/executor \
            --dockerfile=Dockerfile \
            --context=. \
            --destination=<registry_url>/<image_name>:latest
        env:
          DOCKER_USERNAME: $
          DOCKER_PASSWORD: $

Key Points

  • Replace <registry_url> and <image_name> with your container registry URL and image name.
  • Add DOCKER_USERNAME and DOCKER_PASSWORD as secrets in your GitHub repository.

Using Kaniko with Google Cloud Build

Google Cloud Build is a fully managed CI/CD platform that integrates seamlessly with Kaniko for building container images.

Prerequisites

  • A Google Cloud project.
  • A storage bucket for Kaniko’s build context.
  • Permissions to write to the Container Registry or Artifact Registry.

Example Configuration

Here’s an example cloudbuild.yaml file for using Kaniko in Cloud Build:

1
2
3
4
5
6
7
8
9
10
11
12
13

steps:
  - name: 'gcr.io/kaniko-project/executor:latest'
    args:
      - "--dockerfile=Dockerfile"
      - "--context=gs://<your-bucket-name>/<path-to-context>/"
      - "--destination=gcr.io/<your-project-id>/<image-name>:latest"
    env:
      - "GOOGLE_APPLICATION_CREDENTIALS=/secret/gcp-key.json"

availableSecrets:
  secretManager:
    - versionName: "projects/<your-project-id>/secrets/<secret-name>/versions/latest"
      mountPath: "/secret/"

Key Points

  • Replace <your-bucket-name>, <your-project-id>, and <image-name> with your specific values.
  • Use Google Cloud Secret Manager to securely store and access service account keys.

Implementing Kaniko with CircleCI

CircleCI’s flexibility allows you to integrate Kaniko for container image builds.

Prerequisites

  • A CircleCI project linked to your repository.
  • Registry credentials stored as CircleCI environment variables.

Example Configuration

Here’s an example config.yml file for using Kaniko in CircleCI:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

version: 2.1

jobs:
  build:
    docker:
      - image: gcr.io/kaniko-project/executor:latest
    steps:
      - checkout

      - run:
          name: Build and Push Image with Kaniko
          command: |
            mkdir -p /kaniko/.docker
            echo "{\"auths\":{\"$REGISTRY_URL\":{\"username\":\"$DOCKER_USERNAME\",\"password\":\"$DOCKER_PASSWORD\"}}}" > /kaniko/.docker/config.json
            /kaniko/executor \
              --dockerfile=Dockerfile \
              --context=. \
              --destination=$REGISTRY_URL/$IMAGE_NAME:latest

workflows:
  version: 2
  build-and-push:
    jobs:
      - build

Key Points

  • Set REGISTRY_URL, DOCKER_USERNAME, and DOCKER_PASSWORD as environment variables in CircleCI.
  • Replace $IMAGE_NAME with your desired image name.

Conclusion

Kaniko is a versatile and secure tool for building container images in CI/CD environments. Whether you’re using GitHub Actions, Google Cloud Build, or CircleCI, Kaniko integrates seamlessly to streamline your workflows. By leveraging Kaniko, you can build images efficiently without needing a Docker daemon, enhancing both security and performance.

Start using Kaniko today to optimize your container image builds!

CI
kaniko ci
This post is licensed under CC BY 4.0 by the author.