kaniko: Build container images in Kubernetes
Daemon-free Docker image builder for Kubernetes clusters.
kaniko is a container image builder designed to run within Kubernetes clusters and other containerized environments. It parses Dockerfile instructions and executes them in userspace without depending on a Docker daemon, using the kaniko executor image as its primary distribution method. The tool supports multiple build contexts including Git repositories, Azure Blob Storage, and standard input, with layer caching capabilities and integration with various container registries. Common deployment scenarios include Kubernetes CI/CD pipelines, Google Cloud Build, and other environments where Docker daemon access is unavailable or restricted.
Daemonless Container Builds
Executes Dockerfile instructions entirely in userspace without requiring a Docker daemon or privileged access. Enables container image building in restricted environments like standard Kubernetes clusters and serverless CI/CD platforms.
Multiple Build Contexts
Accepts build contexts from Git repositories, Azure Blob Storage, local directories, and standard input. Eliminates dependency on local filesystem access for flexible integration with diverse CI/CD workflows.
Layer and Base Caching
Caches intermediate layers and base images in remote registries for faster subsequent builds. Multi-stage builds benefit from intelligent layer reuse, reducing build times in CI/CD pipelines.
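    package main

    import (
        "log"

        "github.com/GoogleContainerTools/kaniko/pkg/config"
        "github.com/GoogleContainerTools/kaniko/pkg/executor"
    )

    // buildImage runs a kaniko build in-process with the options below.
    func buildImage() error {
        opts := &config.KanikoOptions{
            DockerfilePath: "Dockerfile",
            Destinations:   []string{"myregistry.io/myapp:latest"},
            SrcContext:     "/workspace",
        }
        // DoBuild returns the built image and an error; only the error is propagated here.
        _, err := executor.DoBuild(opts)
        return err
    }

    func main() {
        if err := buildImage(); err != nil {
            log.Fatal(err)
        }
    }

Patches CVE-2025-21613 in go-git and upgrades CA certificates to Debian Bookworm; fixes panic when image name matches stage alias.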
- Upgrade to v1.24.0 to resolve CVE-2025-21613 in go-git dependency (now v5.13.1).
- Verify builds using stage aliases that match image names no longer panic during execution.
Patch release updating dependencies with no breaking changes or new features.
- Update to latest executor image (gcr.io/kaniko-project/executor:v1.23.2) to pick up dependency refreshes including moby/buildkit and docker/docker.
- Release notes do not specify breaking changes, security fixes, or functional improvements beyond routine dependency maintenance.
Patch release fixes regression where --no-push incorrectly blocked intermediate cache layer pushes; clarifies flag behavior in docs.
- Restore cache layer pushes when using --no-push flag, reversing unintended behavior change from prior release.
- Review --no-push and --no-push-cache flag usage if caching workflows broke; updated README documents expected behavior.