If we want to be certain that what we’re running is what we built, we might need to sign container (Docker) images, as well as other types of artifacts. That’s where Cosign jumps in. Sigstore Cosign makes signatures invisible, especially if we combine it with Kyverno or other Kubernetes admission controller solutions.
Is a Dockerfile only for building container images, or can we do more with it? How about using Docker multi-stage builds to compile binaries, run tests, and perform other operations typically done before building container images?
How do we build container images inside containers running in a Kubernetes cluster? Docker is a bad option since it cannot run inside containers. Using it requires communication with the Docker engine running on the cluster nodes. Even if that security concern is not enough, Dockershim is deprecated in Kubernetes 1.20 and will be (or already is) removed from 1.22. That means that alternative container engines like containerd will take its place. In other words, using Docker is not even an option anymore.
Kaniko comes to the rescue. It is a tool to build container images from a Dockerfile, inside a container or Kubernetes cluster.