I'm running Jenkins on a managed Kubernetes cluster (AKS) and need to build Docker images as part of my CI/CD pipeline. I've heard that running Docker-in-Docker (DinD) can be a security risk and is often difficult to configure with rootless containers. What is the recommended "cloud-native" way to build and push images from a Jenkins agent running as a pod?
3 answers
If you are on AWS, you can use AWS CodeBuild as a remote agent to handle the Docker builds so you don't have to run DinD locally in EKS.
Avoid DinD if possible. The industry standard for building images inside Kubernetes is now Kaniko. Kaniko doesn't depend on a Docker daemon and executes each command within a userspace, which makes it much more secure for cloud environments. In your Jenkinsfile, you can define a container template for Kaniko and simply pass the build context and destination registry. If you must use Docker, look into "Docker-out-of-Docker" by mounting the host's /var/run/docker.sock into the agent pod, but be aware this gives the pod significant control over the host node.
Have you looked into using the "img" tool or Buildah as alternatives to Kaniko for your rootless container builds in the cloud?
I did look into Buildah, Joseph, but found the integration with Jenkins' Kubernetes plugin a bit more complex compared to Kaniko. Kaniko has a very straightforward executor image that works perfectly with Jenkins' volume mounts for secrets. We successfully implemented Kaniko last week, and it has solved our security team's concerns about privileged pods. We just had to ensure our ACR (Azure Container Registry) credentials were mounted as a secret volume in the pod template.
That's a clever way to offload the security risk to a managed service! It's a very viable alternative for teams strictly on AWS.