GitLab Runner is an application that works with GitLab CI/CD to run jobs in a pipeline.
kaniko is a tool to build container images from a Dockerfile, inside a container or Kubernetes cluster.
The Kubernetes executor, when used with GitLab CI, connects to the Kubernetes API in the cluster creating a Pod for each GitLab CI Job.
kaniko solves two problems with using the Docker-in-Docker https://docs.gitlab.com/ee/ci/docker/using_docker_build.html#use-the-docker-executor-with-the-docker-image-docker-in-docker build method:
Docker-in-Docker requires privileged mode to function, which is a significant security concern.
Docker-in-Docker generally incurs a performance penalty and can be quite slow.
To use kaniko with GitLab, a runner with one of the following executors is required:
- Kubernetes The Kubernetes executor | GitLab - https://docs.gitlab.com/runner/executors/kubernetes.html.
Building a Docker image with kaniko
When building an image with kaniko and GitLab CI/CD, you should be aware of a few important details:
The kaniko debug image is recommended (
gcr.io/kaniko-project/executor:debug) because it has a shell, and a shell is required for an image to be used with GitLab CI/CD.
The entrypoint needs to be overridden, otherwise the build script doesn’t run.
config.jsonfile needs to be created with the authentication information for the desired container registry.
In the following example, kaniko is used to:
Build a Docker image.
Then push it to GitLab Container Registry.
The job runs only when a tag is pushed. A
config.json file is created under
/root/.docker/config.json with the needed GitLab Container Registry credentials taken from the predefined CI/CD variables GitLab CI/CD provides.
In the last step, kaniko uses the Dockerfile under the root directory of the project, builds the Docker image and pushes it to the project’s Container Registry while tagging it with the Git tag:
This flag allows you to pass in ARG values at build time, similarly to Docker. You can set it multiple times for multiple arguments.
Path to the dockerfile to be built. (default “Dockerfile”)
Set this flag if you only want to build the image, without pushing to a registry.
See - https://github.com/GoogleContainerTools/kaniko#additional-flags to learn more.
Using a registry with a custom certificate
When trying to push to a Docker registry that uses a certificate that is signed by a custom CA, you might get the following error:
/kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --no-push
This can be solved by adding your CA’s certificate to the kaniko certificate store:
Runner Kubernetes executor DNS
Pod’s DNS Config gives users more control on the DNS settings of the created build Pods.
concurrent = 1
/etc/resolv.conf in shell script.
Use statically-defined credentials
There are two approaches that you can take to access a private registry. Both require setting the CI/CD variable DOCKER_AUTH_CONFIG with appropriate authentication information.
Per-job: To configure one job to access a private registry, add
DOCKER_AUTH_CONFIGas a CI/CD variable.
Per-runner: To configure a runner so all its jobs can access a private registry, add
DOCKER_AUTH_CONFIGas an environment variable in the runner’s configuration.
Variable value is empty
If the variable is marked as
protected, please remember to also mark the corresponding branch as
protected, otherwise the obtained variable value is empty.