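The Kaniko project was first introduced by Google in 2018. Kaniko was created to remove the dependency on privileged accounts when building container images. Unprivileged container image builds are one of the features most in demand among security-conscious companies. This is similar to building container images in a Kubernetes cluster.
Before looking at how to build images with Kaniko, let's review a few other ways of building images.
Building an image with docker
docker build -t your_registry/your_repository:tag .
Then push the image to the registry with docker push.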
docker push your_registry/your_repository:tag
Building an image inside a container
docker run -it -v /var/run/docker.sock:/var/run/docker.sock -v /tmp/kaniko:/tmp/kaniko docker
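Mount the host's socket file into the container, so that the docker client inside the container talks to the host's Docker daemon, then build the image inside the container with docker build.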
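The socket mount shown above gives every process in the container access to the host's Docker daemon. As an added example (not part of the original article), the shell functions below scan a script for docker run lines that bind-mount the daemon socket; the function names and the sample input are constructed for illustration, and the scan assumes one invocation per line with unquoted arguments.

```shell
# Added example. Assumption: the daemon uses its default socket; /run/docker.sock
# is included because /var/run is commonly a symlink to /run.
is_docker_socket() {
    case "$1" in /var/run/docker.sock|/run/docker.sock) return 0 ;; esac
    return 1
}

# Print the host-side source of a --mount spec (source=... or src=...), if any.
mount_source() {
    old_ifs=$IFS; IFS=,
    for kv in $1; do
        case "$kv" in source=*|src=*) printf '%s\n' "${kv#*=}"; break ;; esac
    done
    IFS=$old_ifs
}

# Read a script on stdin; print "<line number>:<host path>" for each socket mount.
scan_docker_runs() {
    n=0
    set -f                      # no globbing while splitting lines into words
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in *"docker run"*) ;; *) continue ;; esac
        set -- $line
        while [ $# -gt 0 ]; do
            src=
            case "$1" in
                -v|--volume) src=${2:-}; src=${src%%:*} ;;
                --volume=*)  src=${1#*=}; src=${src%%:*} ;;
                --mount)     src=$(mount_source "${2:-}") ;;
                --mount=*)   src=$(mount_source "${1#*=}") ;;
            esac
            if [ -n "$src" ] && is_docker_socket "$src"; then printf '%s:%s\n' "$n" "$src"; fi
            shift
        done
    done
    set +f
}

# Constructed sample input: lines 2 and 4 mount the socket, lines 1 and 3 do not.
sample_ci_script() {
    cat <<'EOF'
docker build -t your_registry/your_repository:tag .
docker run -it -v /var/run/docker.sock:/var/run/docker.sock -v /tmp/kaniko:/tmp/kaniko docker
docker run --rm -v /tmp/kaniko:/workspace alpine:latest ls /workspace
docker run --mount type=bind,source=/run/docker.sock,target=/var/run/docker.sock docker
EOF
}
sample_ci_script | scan_docker_runs
```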
$ docker build -t dllhb/kaniko-test:v0.1 .
Sending build context to Docker daemon 5.632kB
Step 1/4 : FROM alpine:latest
latest: Pulling from library/alpine
89d9c30c1d48: Already exists
Digest: sha256:c19173c5ada610a5989151111163d28a67368362762534d8a8121ce95cf2bd5a
Status: Downloaded newer image for alpine:latest
 ---> 965ea09ff2eb
Step 2/4 : MAINTAINER <devops008@sina.com xiaomage>
 ---> Running in 8a2b1dc13d6b
Removing intermediate container 8a2b1dc13d6b
 ---> bd535532278d
Step 3/4 : RUN apk add busybox-extras curl
 ---> Running in fc254ad3d088
fetch http://dl-cdn.alpinelinux.org/alpine/v3.10/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.10/community/x86_64/APKINDEX.tar.gz
(1/5) Installing busybox-extras (1.30.1-r3)
Executing busybox-extras-1.30.1-r3.post-install
(2/5) Installing ca-certificates (20190108-r0)
(3/5) Installing nghttp2-libs (1.39.2-r0)
(4/5) Installing libcurl (7.66.0-r0)
(5/5) Installing curl (7.66.0-r0)
Executing busybox-1.30.1-r2.trigger
Executing ca-certificates-20190108-r0.trigger