
Using Kaniko for Secure, Privilege‑Free Container Image Builds

This article explains how Kaniko, an open-source tool from Google, builds and pushes container images without a privileged Docker daemon. It compares the traditional Docker methods, highlights their security concerns, and walks through a step-by-step demonstration with commands and verification in a Kubernetes-friendly environment.

360 Quality & Efficiency

Kaniko is an open‑source Google project introduced in 2018 to build container images without requiring a privileged Docker daemon, offering a secure alternative for CI/CD pipelines.

Before using Kaniko, the article reviews the common image-building approaches and their security drawbacks.

Standard build and push against a local Docker daemon:

```
docker build -t your_registry/your_repository:tag .
docker push your_registry/your_repository:tag
```

Building inside a container by mounting the host Docker socket. A container that can reach the socket controls the host's Docker daemon, which is equivalent to root on the host:

```
docker run -it -v /var/run/docker.sock:/var/run/docker.sock -v /tmp/kaniko:/tmp/kaniko docker
```

Docker-in-Docker (dind), which only works when the container runs with --privileged:

```
docker run --rm -it --privileged docker:18.06-dind
```

Kaniko runs as a container, reads a Dockerfile, context, and destination registry, executes each Dockerfile instruction in user space, creates filesystem snapshots, and pushes the final image, making it suitable for Kubernetes clusters where the Docker daemon is unavailable.

The guide provides a step-by-step demo. First, create a Docker Hub credential file:

```
export AUTH=$(echo -n YOUR_USERNAME:YOUR_PASSWORD | base64)
cat > config.json <<-EOF
{
  "auths": {
    "https://index.docker.io/v1/": {
      "auth": "${AUTH}"
    }
  }
}
EOF
```

Then run the Kaniko executor image:

```
docker run \
  --interactive -v `pwd`/config.json:/kaniko/.docker/config.json gcr.io/kaniko-project/executor:latest \
  --context git://github.com/traefik/whoami \
  --dockerfile Dockerfile \
  --destination=xxx/kaniko-demo:v1
```

Finally, verify the built image by listing it, pulling it from Docker Hub, and running a container:

```
docker images|grep kaniko-demo
docker run -d -p 8011:80 peishunwu/kaniko-demo:v1
```

Additional commands show how to test the service with `curl localhost:8011`, confirming that the image was successfully built and deployed without privileged access.
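A hardened variant of the credential-file step in the demo, as an added example that is not code from the original article or the Kaniko project: it reads the password from standard input instead of the command line, strips the line wraps that `base64` adds to long tokens, and creates `config.json` readable by its owner only. The helper names `write_kaniko_auth` and `read_kaniko_auth` are assumptions.

```shell
#!/bin/sh
# Added example: write the Docker Hub credential file that the demo mounts at
# /kaniko/.docker/config.json. Helper names are hypothetical, not Kaniko's.

write_kaniko_auth() {
    # $1 = registry username, $2 = output path; the password comes from stdin
    # so it never appears in the process list or in shell history.
    user=$1
    out=$2
    IFS= read -r pass || [ -n "$pass" ] || return 1
    [ -n "$user" ] && [ -n "$pass" ] || return 1

    # printf is portable where `echo -n` is not. tr removes the newlines that
    # base64 inserts every 76 characters, which would break the JSON string.
    auth=$(printf '%s:%s' "$user" "$pass" | base64 | tr -d '\n')

    # base64 is an encoding, not encryption: anyone who can read the file can
    # recover the password, so create it with owner-only permissions.
    (
        umask 077
        rm -f "$out"
        cat > "$out" <<EOF
{
  "auths": {
    "https://index.docker.io/v1/": {
      "auth": "${auth}"
    }
  }
}
EOF
    )
}

# Decode the stored user:password pair, to verify the file before a build.
read_kaniko_auth() {
    sed -n 's/.*"auth": "\(.*\)".*/\1/p' "$1" | base64 -d
}
```

Call it as `write_kaniko_auth YOUR_USERNAME config.json < token-file`, or pipe the secret in from the CI system's secret store, then mount the file exactly as in the `docker run` command of the demo.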

Written by

360 Quality & Efficiency

360 Quality & Efficiency focuses on seamlessly integrating quality and efficiency in R&D, sharing 360’s internal best practices with industry peers to foster collaboration among Chinese enterprises and drive greater efficiency value.
