https://vo.rs/tags/kaniko/Kaniko - Tag - vo.rsHugo -- gohugo.ioenThis work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.Thu, 21 Nov 2024 14:00:00 +0000https://vo.rs/story/kaniko-building-container-images-inside-kubernetes/<p>There is an awkward chicken-and-egg problem at the heart of running CI inside Kubernetes: you want to build container images, but the traditional way to build a container image is to run <code>docker build</code>, and <code>docker build</code> needs a Docker daemon, and a Docker daemon needs root and a bunch of kernel features that you really, really should not be handing to a CI pod. The old hack — mounting the host&rsquo;s Docker socket into the build pod — is the security equivalent of leaving your front door open because the lock is fiddly. Anything that can talk to that socket effectively owns the node.</p>Thu, 21 Nov 2024 14:00:00 +0000