kaniko is a container image build tool.

This post walks through fetching a Dockerfile from GitHub, building the image, and finally pushing it to a registry, all inside a Tekton pipeline.

The Task versions used in this post are:
https://github.com/tektoncd/catalog/tree/main/task/kaniko/0.6
https://github.com/tektoncd/catalog/tree/main/task/git-clone/0.8
## Preparation

- Install Tekton and the Tekton Dashboard. Follow this tutorial for the exact steps: https://tekton.dev/docs/dashboard/tutorial/
- Install the catalog Tasks:

```shell
kubectl apply -f https://raw.githubusercontent.com/tektoncd/catalog/main/task/git-clone/0.8/git-clone.yaml
kubectl apply -f https://raw.githubusercontent.com/tektoncd/catalog/main/task/kaniko/0.6/kaniko.yaml
```
## Setting up the workspace

To give the pipeline a place to store intermediate results that consecutive Tasks can share, a workspace is needed. The workspace is backed by a PVC.

### Creating the PVC for the workspace

```yaml
# https://raw.githubusercontent.com/tektoncd/catalog/main/task/kaniko/0.6/tests/resources.yaml
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: kaniko-source-pvc
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
```
## PipelineRun

Now for the main part.

```yaml
# https://raw.githubusercontent.com/tektoncd/catalog/main/task/kaniko/0.6/tests/run.yaml
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
  name: kaniko-test-pipeline-run
spec:
  pipelineRef:
    name: kaniko-test-pipeline
  params:
    - name: image
      value: localhost:5000/kaniko-nocode
  workspaces:
    - name: shared-workspace
      persistentvolumeclaim:
        claimName: kaniko-source-pvc
```

Two things to note here:
- `image` is the URL the built image is finally pushed to
- the `workspaces` entry binds the workspace to the PVC
## Pipeline

For brevity only parts of the configuration are covered here; for the complete file see https://raw.githubusercontent.com/tektoncd/catalog/main/task/kaniko/0.6/tests/run.yaml

### git-clone

[1] The first change is needed because git-clone 0.8 introduced a breaking change: the clone now runs as a nonroot user.

> Note: The `git-clone` Task is run as nonroot. The files cloned on to the `output` workspace will end up owned by user 65532.

So the run has to be adjusted by adding a `securityContext`.

[2] The second change points the image push at the in-cluster registry.
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
@@ -81,9 +81,12 @@
spec:
pipelineRef:
name: kaniko-test-pipeline
+ podTemplate: [1]
+ securityContext:
+ fsGroup: 65532
params:
- name: image
- value: localhost:5000/kaniko-nocode [2]
+ value: docker-registry:5000/kaniko-nocode
workspaces:
- name: shared-workspace
persistentvolumeclaim:
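Review bot: the `[1]` and `[2]` annotation markers on the `+ podTemplate: [1]` and `- value: localhost:5000/kaniko-nocode [2]` lines are part of the hunk text, so the patch will not apply as shown: the removed line no longer matches the original `value: localhost:5000/kaniko-nocode` from the PipelineRun above, and if `podTemplate: [1]` is copied into run.yaml it is parsed as a flow-style list, which conflicts with the nested `securityContext` mapping that follows. Move the markers into the prose or a YAML comment. The `fsGroup: 65532` value does match the owner the git-clone note gives for cloned files, so that part is consistent.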
Full details: https://github.com/tektoncd/catalog/tree/main/task/git-clone/0.8

### kaniko

If the local registry only speaks HTTP, the `--insecure` parameter has to be set:

```yaml
- name: kaniko
  taskRef:
    name: kaniko
  runAfter:
    - fetch-repository
  workspaces:
    - name: source
      workspace: shared-workspace
  params:
    - name: IMAGE
      value: $(params.image)
    - name: EXTRA_ARGS
      value:
        - --skip-tls-verify
        - --insecure
```
## Test run

Deploy the YAML:

```shell
# kubectl apply -f run.yaml
pipeline.tekton.dev/kaniko-test-pipeline created
pipelinerun.tekton.dev/kaniko-test-pipeline-run created
```

### Reaching the internal docker-registry

Check whether the image was pushed to the registry; `kaniko-nocode` is listed here, so the push succeeded:

```shell
# curl -X GET http://localhost:5000/v2/_catalog
{"repositories":["kaniko-nocode","nginx"]}
```
## Supporting a Docker Hub registry

That completes the push to a simple internal registry with no password and no TLS. A production registry will certainly require HTTPS, an account and a password. Docker Hub is used as the example below.

### Converting the Docker credentials

- Log in manually with `docker login`, which produces `/root/.docker/config.json`
- Convert `config.json` into a `secret`
- Add a `dockerconfig-ws` workspace to the `PipelineRun`:
apiVersion: tekton.dev/v1beta1 kind: PipelineRun metadata: @@ -81,10 +84,16 @@ workspaces: - name: shared-workspace persistentvolumeclaim: claimName: kaniko-source-pvc + - name: dockerconfig-ws + secret: + secretName: dockerhub-secret
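Review bot: the added `secretName: dockerhub-secret` binding depends on a Secret that nothing on the page creates; add the creation step next to this hunk and state that the Secret's key must be `config.json`, because the kaniko Task declares the `dockerconfig` workspace with `mountPath: /kaniko/.docker`, so the key name becomes the file name kaniko reads. Also, the `@@ -81,10 +84,16 @@` header describes a 10-line hunk growing by 6 lines while only three `+` lines are shown, so the hunk has been abbreviated and will not apply as a patch.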
- Change the image push URL [1]:
apiVersion: tekton.dev/v1beta1 kind: PipelineRun metadata: @@ -81,9 +81,12 @@ params: - name: image - value: docker-registry:5000/kaniko-nocode + value: docker.io/massivezh/kaniko-nocode [1]
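Review bot: the `@@ -81,9 +81,12 @@` header is the one from the git-clone hunk earlier and does not describe this change, which removes one line and adds one (net zero, not +3); regenerate the hunk. The trailing `[1]` on `+ value: docker.io/massivezh/kaniko-nocode [1]` is part of the added text and would end up in the image reference passed to kaniko; keep the marker out of the YAML.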
- Declare the new `dockerconfig-ws` workspace at the start of the `Pipeline`:

```yaml
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: kaniko-test-pipeline
spec:
  workspaces:
    - name: shared-workspace
    - name: dockerconfig-ws
      optional: true
```
- In the `kaniko` task, bind its `dockerconfig` workspace entry to the `dockerconfig-ws` workspace:

```yaml
- name: kaniko
  taskRef:
    name: kaniko
  runAfter:
    - fetch-repository
  workspaces:
    - name: source
      workspace: shared-workspace
    - name: dockerconfig
      workspace: dockerconfig-ws
```
For the specifics of `dockerconfig`, see the documentation: https://github.com/tektoncd/catalog/tree/main/task/kaniko/0.6
The implementation is here: https://github.com/tektoncd/catalog/blob/main/task/kaniko/0.6/kaniko.yaml
As you can see, the workspace is mounted via `mountPath` as a file location; for the other workspace types supported, see the workspaces documentation.

```yaml
workspaces:
  - name: source
    description: Holds the context and Dockerfile
  - name: dockerconfig
    description: Includes a docker `config.json`
    optional: true
    mountPath: /kaniko/.docker
```
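The "convert config.json into a secret" step above is not spelled out on the page, and the `mountPath: /kaniko/.docker` declaration just shown is what dictates how the Secret has to look: the workspace is mounted as a directory, so the Secret key becomes the file name, and kaniko looks for `config.json` there. The script below is an added example, not the page's or the Tekton catalog's own code. It renders that Secret from a `docker login` config file and first checks that the file actually carries inline credentials: on machines where Docker uses a credential helper (`credsStore` / `credHelpers`), `config.json` holds no `auth` value and the in-cluster copy would be empty. The `SAMPLE_CONFIG` content is constructed for the demo (its `auth` field is base64 of `user:placeholder-token`, not a real credential); the Secret name `dockerhub-secret` is the one used in the PipelineRun hunk above.

```shell
#!/bin/sh
# Added example (not from the page): turn a `docker login` config.json into the
# Opaque Secret that backs the dockerconfig-ws workspace of the kaniko Task.

# Constructed sample of what `docker login` writes. The auth value is
# base64("user:placeholder-token"), a placeholder, not a real credential.
SAMPLE_CONFIG='{"auths":{"https://index.docker.io/v1/":{"auth":"dXNlcjpwbGFjZWhvbGRlci10b2tlbg=="}}}'

# check_docker_config FILE
# Returns 0 if the file carries inline auths that kaniko can use inside the pod,
# 1 if it relies on a credential helper (credsStore/credHelpers). A helper only
# exists on the developer machine, so the copy in the cluster would hold nothing.
check_docker_config() {
  if grep -Eq '"credsStore"|"credHelpers"' "$1"; then
    echo "config.json uses a credential helper; the cluster copy would hold no credentials" >&2
    return 1
  fi
  if ! grep -q '"auths"' "$1"; then
    echo "config.json has no auths section" >&2
    return 1
  fi
  return 0
}

# render_secret NAME FILE
# Prints an Opaque Secret whose single key is config.json: the kaniko Task mounts
# the dockerconfig workspace at /kaniko/.docker, so the key name is the file name
# kaniko reads. (A kubernetes.io/dockerconfigjson Secret would store the file
# under the key .dockerconfigjson instead, which kaniko would not find there.)
render_secret() {
  data=$(base64 < "$2" | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
type: Opaque
data:
  config.json: $data
EOF
}

# Demo on the constructed sample. In practice pass /root/.docker/config.json and
# pipe the output to `kubectl apply -f -`.
tmp=$(mktemp)
printf '%s' "$SAMPLE_CONFIG" > "$tmp"
check_docker_config "$tmp" && render_secret dockerhub-secret "$tmp"
rm -f "$tmp"
```

The rendered Secret is Opaque on purpose: kaniko reads a plain `config.json` from the mounted directory, so the generic form with that exact key is what the workspace needs.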
- Enable TLS verification by removing `--skip-tls-verify` from `EXTRA_ARGS` (the entry shown here):

```yaml
- name: EXTRA_ARGS
  value:
    - --skip-tls-verify
```
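The `--insecure` flag introduced for the HTTP-only in-cluster registry and the `--skip-tls-verify` flag removed in the step above both turn off transport protection, and they are easy to carry over unnoticed when the same Pipeline is pointed at Docker Hub. The script below is an added example, not the page's or the Tekton catalog's own code: it scans a Pipeline file for `EXTRA_ARGS` entries that disable TLS or certificate checks and fails if any are present, which is a reasonable gate before a run that pushes to a public registry. It also recognises the `-pull` and `-registry` variants of those two kaniko flags, which are not on the page. `SAMPLE_PIPELINE` is a constructed copy of the page's kaniko step that still carries both flags (plus an unrelated `--cache=true` entry to show that harmless arguments are ignored).

```shell
#!/bin/sh
# Added example (not from the page): lint a Pipeline file for kaniko EXTRA_ARGS
# entries that disable TLS, so the relaxation used for the HTTP-only in-cluster
# registry does not travel with the pipeline to a TLS registry such as Docker Hub.

# Constructed sample: the kaniko step from this page, still carrying both flags.
SAMPLE_PIPELINE='    - name: kaniko
      taskRef:
        name: kaniko
      params:
        - name: IMAGE
          value: $(params.image)
        - name: EXTRA_ARGS
          value:
            - --skip-tls-verify
            - --insecure
            - --cache=true'

# tls_weakening_flags FILE
# Prints every list entry under EXTRA_ARGS that turns off TLS or certificate
# checks, one per line, and returns 1 if any were found, 0 otherwise.
# --insecure and --skip-tls-verify are the flags used on the page; the -pull and
# -registry variants are the other kaniko flags of the same family.
tls_weakening_flags() {
  hits=$(awk '
    /^[ \t]*- name: EXTRA_ARGS[ \t]*$/ { in_args = 1; next }
    in_args && /^[ \t]*- name: / { in_args = 0 }      # the next param begins
    in_args && /^[ \t]*- --(insecure|skip-tls-verify)(-pull|-registry)?([ \t]|$)/ {
      sub(/^[ \t]*- /, ""); print
    }' "$1")
  [ -z "$hits" ] && return 0
  printf '%s\n' "$hits"
  return 1
}

# Demo on the constructed sample; in practice pass the Pipeline YAML you are
# about to apply.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_PIPELINE" > "$tmp"
tls_weakening_flags "$tmp" || echo "remove the flags above before pushing to a TLS registry" >&2
rm -f "$tmp"
```

The check is scoped to the `EXTRA_ARGS` list only, so a `--insecure` substring elsewhere in the file (for instance in a comment) does not trigger it, and the non-zero exit code lets it sit in front of `kubectl apply` in a CI step.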
## Verifying the result

Finally, let's look at the run result in the Dashboard:
![](https://img.laitimes.com/img/9ZDMuAjOiMmIsIjOiQnIsIiclRnblN2XjlGcjcWZwpmL0gjN3gzMxQ2NjdjNlFmY4QGOxQTMwEWMxkDOhVGZiN2Lc52YucWbp5GZzNmLn9Gbi1yZtl2Lc9CX6MHc0RHaiojIsJye.jpeg)
Logging in to Docker Hub confirms that the image was pushed successfully.