googlecontainertools / kaniko
Build Container Images In Kubernetes
License: Apache License 2.0
See #1 for details
Congratulations on the launch, and thank you for investing in the direction of secure builds.
From the release's blog post:
an open-source tool for building container images from a Dockerfile even without privileged root access.
Since it doesn’t require any special privileges or permissions, you can run kaniko in a standard Kubernetes cluster, Google Kubernetes Engine, or in any environment that can’t have access to privileges or a Docker daemon.
Unfortunately, running a container as root inside a Kubernetes cluster does indeed mean giving special privileges/permissions (e.g. PodSecurityPolicy). Under certain definitions of security where state/resourceful actors are involved, running any process (e.g. kaniko) as the root user inside a Docker container, and executing arbitrary code inside that process (e.g. kaniko executing a RUN statement that involves 3rd party dependencies), can be considered equivalent to giving root access to the underlying nodes. At least, until userns support is added to Kubernetes, or until alternative runtimes become stable (e.g. Kata containers).
Therefore, I am saddened to notice that the previous statements are a bit misleading, and that kaniko will not help us get rid of the isolated nodes/VMs we must use for Gitlab/Jenkins CI.
As an actionable item for this issue, I suggest adding relevant notes regarding the security aspects in the README.
Tried to set a LABEL, but the value in the config was nil, so everything broke. Should make sure this is fixed for all metadata commands.
This is to ensure that the run commands don't inherit kaniko image level environment variables.
Currently environment variables in the executable image are set to defaults, instead they should be set to those in the base image config
From docs for ADD command:
In the case where <src> is a remote file URL, the destination will have permissions of 600
In many cases, mtime should be sufficient for tracking changes. We should add a flag that only looks at the mtime instead of checking the whole file.
I know MAINTAINER is deprecated and all, but should the build really crash when MAINTAINER is found as command?
See here for more information
We should use something like https://github.com/genuinetools/amicontained
This includes splitting out non-reproducible tests to a different test type.
A similar project called the "Container Builder Interface" (with more of a slant on defining an interface) was started a while ago. Have you looked at this, and is there any overlap that could result in a collaboration between the two projects?
<key>:<value> pairs in image

ADD
Add has two forms:
- ADD [--chown=<user>:<group>] <src>... <dest>
- ADD [--chown=<user>:<group>] ["<src>",... "<dest>"]
Copy new files, directories, or remote URLs from <src> to the <dest>
- Multiple sources may be specified; their paths are interpreted as relative to the context of the build
- Support for any <src> to contain wildcards
- <dest> is an absolute path, or relative to the WORKDIR command
- Specify UID/GID with the --chown flag
- If <src> is a local tar archive, it is unpacked to the destination directory

COPY
COPY has two forms:
- COPY [--chown=<user>:<group>] <src>... <dest>
- COPY [--chown=<user>:<group>] ["<src>",... "<dest>"]
<src>
We should scan a directory for Dockerfiles and create one test per Dockerfile instead of adding config.
Instead of looking at the entire filesystem for snapshotting, we only need to add the files changed by ADD/COPY