219.md

# Building images with kaniko and GitLab CI/CD

> 原文：[https://docs.gitlab.com/ee/ci/docker/using_kaniko.html](https://docs.gitlab.com/ee/ci/docker/using_kaniko.html)

*   [Requirements](#requirements)
*   [Building a Docker image with kaniko](#building-a-docker-image-with-kaniko)
*   [Using a registry with a custom certificate](#using-a-registry-with-a-custom-certificate)
*   [Video walkthrough of a working example](#video-walkthrough-of-a-working-example)

# Building images with kaniko and GitLab CI/CD[](#building-images-with-kaniko-and-gitlab-cicd "Permalink")

在 GitLab 11.2 中[引入](https://gitlab.com/gitlab-org/gitlab-foss/-/issues/45512) . 需要 GitLab Runner 11.2 及更高版本.

[kaniko](https://github.com/GoogleContainerTools/kaniko)是从容器或 Kubernetes 集群内部的 Dockerfile 构建容器映像的工具.

kaniko 使用[Docker-in-Docker 构建](using_docker_build.html#use-docker-in-docker-workflow-with-docker-executor)方法解决了两个问题：

*   Docker-in-Docker 需要[特权模式](https://s0docs0docker0com.icopy.site/engine/reference/run/)才能运行，这是一个重大的安全问题.
*   Docker-in-Docker 通常会导致性能下降，并且可能会非常慢.

## Requirements[](#requirements "Permalink")

为了在 GitLab 中使用 kaniko，需要使用以下执行程序之一的[GitLab Runner](https://docs.gitlab.com/runner/) ：

*   [Kubernetes](https://docs.gitlab.com/runner/executors/kubernetes.html).
*   [Docker](https://docs.gitlab.com/runner/executors/docker.html).
*   [Docker Machine](https://docs.gitlab.com/runner/executors/docker_machine.html).

## Building a Docker image with kaniko[](#building-a-docker-image-with-kaniko "Permalink")

使用 kaniko 和 GitLab CI / CD 构建映像时，应注意一些重要细节：

*   推荐使用 kaniko 调试映像（ `gcr.io/kaniko-project/executor:debug` ），因为它具有外壳，并且该映像与 GitLab CI / CD 一起使用时需要外壳.
*   入口点将需要被[覆盖](using_docker_images.html#overriding-the-entrypoint-of-an-image) ，否则构建脚本将无法运行.
*   需要使用所需容器注册表的身份验证信息创建一个 Docker `config.json`文件.

In the following example, kaniko is used to:

1.  构建一个 Docker 镜像
2.  然后将其推送到[GitLab 容器注册表](../../user/packages/container_registry/index.html) .

仅当按下标签时作业才会运行. 使用从 GitLab CI / CD 提供的[环境变量中](../variables/README.html#predefined-environment-variables)获取的所需 GitLab 容器注册表凭据在`/kaniko/.docker`下创建一个`config.json`文件.

在最后一步中，kaniko 使用项目根目录下的`Dockerfile` ，构建 Docker 映像并将其推送到项目的 Container Registry，同时使用 Git 标签对其进行标记：

```
build:
  stage: build
  image:
    name: gcr.io/kaniko-project/executor:debug
    entrypoint: [""]
  script:
    - echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json
    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination $CI_REGISTRY_IMAGE:$CI_COMMIT_TAG
  only:
    - tags 
```

## Using a registry with a custom certificate[](#using-a-registry-with-a-custom-certificate "Permalink")

尝试推送到使用由自定义 CA 签名的证书的 Docker 注册表时，您可能会遇到以下错误：

```
$ /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --no-push
INFO[0000] Downloading base image registry.gitlab.example.com/group/docker-image
error building image: getting stage builder for stage 0: Get https://registry.gitlab.example.com/v2/: x509: certificate signed by unknown authority 
```

可以通过将您的 CA 证书添加到 kaniko 证书存储区来解决：

```
 before_script:
    - mkdir -p /kaniko/.docker
    - echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json
    - |
      echo "-----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----" >> /kaniko/ssl/certs/additional-ca-cert-bundle.crt 
```

## Video walkthrough of a working example[](#video-walkthrough-of-a-working-example "Permalink")

[在 GitLab](https://www.youtube.com/watch?v=d96ybcELpFs)视频[上使用 Kaniko](https://www.youtube.com/watch?v=d96ybcELpFs)的[最低权限容器构建](https://www.youtube.com/watch?v=d96ybcELpFs)是对[Kaniko Docker Build](https://gitlab.com/guided-explorations/containers/kaniko-docker-build) Guided Exploration 项目管道的演练. 经过测试：

*   [GitLab.com Shared Runners](../../user/gitlab_com/index.html#shared-runners)
*   [The Kubernetes Runner executor](https://docs.gitlab.com/runner/executors/kubernetes.html)

可以将示例复制到您自己的组或实例中进行测试. 项目页面上提供了有关演示其他 GitLab CI 模式的更多详细信息.