Kubernetes) Can You Build Images Inside a Container? (Part 2: Kaniko)
In the previous post, I built an image using Docker in Docker.
But if all we need to do is build an image, do we really have to use Docker for it?
This post is aimed at:
- Anyone who does not want to pull in Docker just to build images
- Anyone who does not want to use Docker in Docker because of its security weaknesses
- Anyone curious about Kaniko
1. What is Kaniko?
Homepage: https://github.com/GoogleContainerTools/kaniko
One-line summary: kaniko is a tool to build container images from a Dockerfile, inside a container or Kubernetes cluster.
You build images with the executor image, gcr.io/kaniko-project/executor.
2. A look at the structure
The model is that the Dockerfile (the build context) already exists, and kaniko reads it and immediately runs the build and push. Below is the example from the official docs; it is a bit confusing at first glance.
apiVersion: v1
kind: Pod
metadata:
  name: kaniko
spec:
  containers:
  - name: kaniko
    image: gcr.io/kaniko-project/executor:latest
    args:
    - "--dockerfile=<path to Dockerfile within the build context>"
    - "--context=s3://<bucket name>/<path to .tar.gz>"
    - "--destination=<aws_account_id.dkr.ecr.region.amazonaws.com/my-repository:my-tag>"
    volumeMounts:
      # when not using instance role
      - name: aws-secret
        mountPath: /root/.aws/
  restartPolicy: Never
  volumes:
    # when not using instance role
    - name: aws-secret
      secret:
        secretName: aws-secret
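The official example above targets S3 and ECR. As an added example (not code from the post or from the kaniko project), the following shell script renders a kaniko build pod for the setup used in this post instead: the Dockerfile sits on a PVC mounted at /workspace and the image is pushed to a private registry using the regcred secret, which kaniko reads from /kaniko/.docker/config.json. It then lints the manifest against the markers that make a Docker-in-Docker build pod dangerous: privileged mode, a docker.sock hostPath mount, and an unpinned :latest image. The registry address, the PVC name dockerfile-claim and the Docker-in-Docker counter-example are assumptions constructed for the illustration.

```shell
# Added example (not from the post or from kaniko): render a kaniko build pod for
# "Dockerfile on a PVC, push to a private registry" and lint it against the
# Docker-in-Docker markers the post wants to avoid.
# Constructed assumptions: REGISTRY is a placeholder for the Nexus address, the
# PVC is called dockerfile-claim, the push secret is called regcred.

REGISTRY="REGISTRY_HOST:PORT"            # placeholder, replace with the real registry
IMAGE_REF="$REGISTRY/admin/hgkim:1.0.0"  # same repository:tag naming as the post

# Differences from the upstream example: executor tag pinned, no service-account
# token mounted (kaniko never talks to the Kubernetes API), read-only credential
# mount, and the pushed digest written to the termination log so it appears in
# the pod status.
render_kaniko_pod() {
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: kaniko
spec:
  automountServiceAccountToken: false
  restartPolicy: Never
  containers:
  - name: kaniko
    image: gcr.io/kaniko-project/executor:v1.16.0
    args:
    - "--dockerfile=/workspace/dockerfile"
    - "--context=dir://workspace"
    - "--destination=$IMAGE_REF"
    - "--digest-file=/dev/termination-log"
    volumeMounts:
    - name: kaniko-secret
      mountPath: /kaniko/.docker
      readOnly: true
    - name: dockerfile-storage
      mountPath: /workspace
  volumes:
  - name: kaniko-secret
    secret:
      secretName: regcred
      items:
      - key: .dockerconfigjson
        path: config.json
  - name: dockerfile-storage
    persistentVolumeClaim:
      claimName: dockerfile-claim
EOF
}

# Constructed counter-example: the shape of pod a Docker-in-Docker build needs.
render_dind_pod() {
  cat <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: dind-build
spec:
  containers:
  - name: docker
    image: docker:latest
    securityContext:
      privileged: true
    volumeMounts:
    - name: sock
      mountPath: /var/run/docker.sock
  volumes:
  - name: sock
    hostPath:
      path: /var/run/docker.sock
EOF
}

# Return 0 when the manifest passed as $1 contains none of the markers,
# 1 otherwise; every offending marker is reported on stderr.
lint_build_pod() {
  m="$1"
  rc=0
  for pattern in 'privileged: *true' 'docker\.sock' 'hostPath:' 'image: *[^ ]*:latest'; do
    if printf '%s\n' "$m" | grep -Eq "$pattern"; then
      echo "lint: disallowed pattern found: $pattern" >&2
      rc=1
    fi
  done
  return $rc
}

# Stand-alone run: only print a manifest that passes the lint.
kaniko_manifest="$(render_kaniko_pod)"
if lint_build_pod "$kaniko_manifest"; then
  printf '%s\n' "$kaniko_manifest"   # pipe into: kubectl apply -f -
fi
```

The lint is deliberately a plain text check so it can run in a CI step before `kubectl apply`; the kaniko pod passes it, while the constructed Docker-in-Docker pod trips all four markers.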
3. Testing it
1. Create a private Docker registry
- I ran Nexus as a pod. (omitted)
Create the k8s secret:
$ kubectl create secret \
docker-registry regcred \
--docker-server=172.31.**.**:31216 \
--docker-username=tedkim \
--docker-password=tedkimtedkim
2. Create a PVC and write the Dockerfile
I started an nginx pod, went into it with kubectl exec -it, and created the Dockerfile there (also omitted).
$ /home/ubuntu/1_k8s_install/kaniko/data/kaniko
$ cat dockerfile
FROM ubuntu
ENTRYPOINT ["/bin/bash", "-c", "echo hello"]
3. Modify the official examples
- pod.yaml
https://github.com/GoogleContainerTools/kaniko/blob/v1.16.0/examples/pod.yaml
image: gcr.io/kaniko-project/executor:latest
args: ["--dockerfile=/workspace/dockerfile",
"--context=dir://workspace",
- "--destination=<user-name>/<repo>"] # replace with your dockerhub account
+ "--destination=172.31.**.**:31216/admin/hgkim:1.0.0"]
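Review bot: `image: gcr.io/kaniko-project/executor:latest` is left unchanged while the example itself is taken from the v1.16.0 tag linked above; pin the executor to a release tag, or better an image digest, e.g. `image: gcr.io/kaniko-project/executor:v1.16.0`, so the build pod is reproducible and a new upstream `latest` cannot silently change what gets built and pushed into the registry.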
- volumes.yaml
https://github.com/GoogleContainerTools/kaniko/blob/v1.16.0/examples/volumes.yaml
accessModes:
- ReadWriteOnce
- storageClassName: local-storage
+ storageClassName: openebs-hostpath
- Modify the PVC
https://github.com/GoogleContainerTools/kaniko/blob/v1.16.0/examples/volumes-claim.yaml
accessModes:
- ReadWriteOnce
- storageClassName: local-storage
+ storageClassName: openebs-hostpath #local-storage
hostPath:
- path: <local-directory> # replace with local directory, such as "/home/<user-name>/kaniko"
+ path: /home/ubuntu/1_k8s_install/kaniko/data/kaniko
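Review bot: the `hostPath:` and `path:` lines in this hunk are PersistentVolume fields, so they belong to volumes.yaml (the previous item) rather than to the PersistentVolumeClaim defined by the volumes-claim.yaml linked here; a PVC has no `hostPath` field. Also keep the PV's and the PVC's `storageClassName` identical (both are changed to `openebs-hostpath` here), otherwise the claim stays Pending and the kaniko pod never schedules.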
The logs look like this:
$ k logs kaniko
INFO[0000] Retrieving image manifest ubuntu
INFO[0000] Retrieving image ubuntu from registry index.docker.io
INFO[0001] Built cross stage deps: map[]
INFO[0001] Retrieving image manifest ubuntu
INFO[0001] Returning cached image manifest
INFO[0001] Executing 0 build triggers
INFO[0001] Building stage 'ubuntu' [idx: '0', base-idx: '-1']
INFO[0001] Skipping unpacking as no commands require it.
INFO[0001] ENTRYPOINT ["/bin/bash", "-c", "echo hello"]
INFO[0001] Pushing image to 172.31.**.**:31216/admin
INFO[0003] Pushed 172.31.**.**:31216/admin@sha256:fbe730ed30c903c335bc9d6598d7a819d8885b0948cd8c4067c4743a4ce9b1d4
And you can see the image was stored in Nexus as well, haha.
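Step 1 of the test above creates the regcred secret with `kubectl create secret docker-registry`, with the registry password typed on the command line, where it lands in the shell history and in `ps` output. As an added example (not code from the post), this script builds the same `.dockerconfigjson` payload that kubectl stores, so the password can come from an environment variable or file, and the resulting config.json (what the kaniko executor later reads at /kaniko/.docker/config.json) can be decoded and checked before it is turned into a secret. The registry address and credentials are constructed placeholders.

```shell
# Added example (not from the post): build the .dockerconfigjson payload that
# 'kubectl create secret docker-registry' stores, and decode it back to check it.
# The registry address and credentials used here are constructed placeholders.
# Credentials containing '"' or '\' would need JSON escaping; plain characters assumed.

# Docker's config.json stores credentials as base64("user:password") in "auth".
docker_auth_token() {
  printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Emit a config.json with one registry entry (same fields kubectl writes).
# Arguments: server user password
render_docker_config() {
  printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}\n' \
    "$1" "$2" "$3" "$(docker_auth_token "$2" "$3")"
}

# Pull the "auth" value back out of a config.json and decode it to user:password,
# i.e. exactly what the kaniko executor will present to the registry on push.
decode_auth() {
  printf '%s' "$1" | sed -n 's/.*"auth":"\([^"]*\)".*/\1/p' | base64 -d
}

# Usage (the password never appears on the kubectl command line):
#   REGISTRY_SERVER=host:port REGISTRY_USER=tedkim REGISTRY_PASS=... sh secret.sh > config.json
#   kubectl create secret generic regcred \
#     --type=kubernetes.io/dockerconfigjson --from-file=.dockerconfigjson=config.json
if [ -n "${REGISTRY_PASS:-}" ]; then
  render_docker_config "${REGISTRY_SERVER:-REGISTRY_HOST:PORT}" "${REGISTRY_USER:-tedkim}" "$REGISTRY_PASS"
fi
```

The resulting secret has the same type and the same `.dockerconfigjson` key as the one created by `kubectl create secret docker-registry`, so the pod's existing `kaniko-secret` volume mounts it unchanged.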