Building images with kaniko and GitLab CI/CD

GitLab 11.2で導入されました。GitLab Runner 11.2以降が必要です。

kaniko is a tool to build container images from a Dockerfile, inside a container or Kubernetes cluster.

kaniko solves two problems with using the Docker-in-Docker build method:

Docker-in-Docker requires privileged mode in order to function, which is a significant security concern.
Docker-in-Docker generally incurs a performance penalty and can be quite slow.

要件

In order to utilize kaniko with GitLab, a GitLab Runner using one of the following executors is required:

Building a Docker image with kaniko

When building an image with kaniko and GitLab CI/CD, you should be aware of a few important details:

The kaniko debug image is recommended (gcr.io/kaniko-project/executor:debug) because it has a shell, and a shell is required for an image to be used with GitLab CI/CD.
The entrypoint will need to be overridden, otherwise the build script will not run.
A Docker config.json file needs to be created with the authentication information for the desired container registry.

In the following example, kaniko is used to:

Build a Docker image.
Then push it to GitLab Container Registry.

The job will run only when a tag is pushed. A config.json file is created under /kaniko/.docker with the needed GitLab Container Registry credentials taken from the environment variables GitLab CI/CD provides.

In the last step, kaniko uses the Dockerfile under the root directory of the project, builds the Docker image and pushes it to the project’s Container Registry while tagging it with the Git tag:

build:
  stage: build
  image:
    name: gcr.io/kaniko-project/executor:debug
    entrypoint: [""]
  script:
    - echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json
    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination $CI_REGISTRY_IMAGE:$CI_COMMIT_TAG
  only:
    - tags

Using a registry with a custom certificate

When trying to push to a Docker registry that uses a certificate that is signed by a custom CA, you might get the following error:

$ /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --no-push
INFO[0000] Downloading base image registry.gitlab.example.com/group/docker-image
error building image: getting stage builder for stage 0: Get https://registry.gitlab.example.com/v2/: x509: certificate signed by unknown authority

This can be solved by adding your CA’s certificate to the kaniko certificate store:

  before_script:
    - mkdir -p /kaniko/.docker
    - echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json
    - |
      echo "-----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----" >> /kaniko/ssl/certs/ca-certificates.crt

動作例のビデオ・ウォークスルー

The Least Privilege Container Builds with Kaniko on GitLab video is a walkthrough of the Kaniko Docker Build Guided Exploration project pipeline. It was tested on:

このサンプルは、自分のグループやインスタンスにコピーしてテストすることができます。他のGitLab CIパターンがどのようにデモされているかの詳細は、プロジェクトページで確認できます。

クリエーションラインについて

私たちクリエーションラインは、日本で最も古く2017年にGitLabサービスの提供を開始し、2022年には「Asia-Pacific Partner of the Year」も獲得。GitLabのサブスクリプション販売やテクニカルサポートだけでなく、GitLab Enterpriseの導入支援やGitLabトレーニングなど多様なサービスを提供し、エンタープライズを中心に豊富な実績を誇ります。GitLabに関するお悩みがありましたら、ぜひお気軽にお問い合わせください。日本で唯一、3度にわたるMVPを獲得したGitLabエバンジェリストをはじめとしたエキスパートチームが、あなたの課題解決をご支援します。