Cloud Technology

How to handle Docker-in-Docker builds in Jenkins running on a Kubernetes cloud cluster?

WI Asked by William Clark · 20-09-2024
0 upvotes 15,372 views 0 comments
The question

I'm running Jenkins on a managed Kubernetes cluster (AKS) and need to build Docker images as part of my CI/CD pipeline. I've heard that running Docker-in-Docker (DinD) can be a security risk and is often difficult to configure with rootless containers. What is the recommended "cloud-native" way to build and push images from a Jenkins agent running as a pod?

3 answers

0
DO
Answered on 21-09-2024

If you are on AWS, you can use AWS CodeBuild as a remote agent to handle the Docker builds so you don't have to run DinD locally in EKS.

MA 23-09-2024

That's a clever way to offload the security risk to a managed service! It's a very viable alternative for teams strictly on AWS.

0
MA
Answered on 22-09-2024

Avoid DinD if possible. The industry standard for building images inside Kubernetes is now Kaniko. Kaniko doesn't depend on a Docker daemon and executes each command within a userspace, which makes it much more secure for cloud environments. In your Jenkinsfile, you can define a container template for Kaniko and simply pass the build context and destination registry. If you must use Docker, look into "Docker-out-of-Docker" by mounting the host's /var/run/docker.sock into the agent pod, but be aware this gives the pod significant control over the host node.

0
JO
Answered on 24-09-2024

Have you looked into using the "img" tool or Buildah as alternatives to Kaniko for your rootless container builds in the cloud?

WI 26-09-2024

I did look into Buildah, Joseph, but found the integration with Jenkins' Kubernetes plugin a bit more complex compared to Kaniko. Kaniko has a very straightforward executor image that works perfectly with Jenkins' volume mounts for secrets. We successfully implemented Kaniko last week, and it has solved our security team's concerns about privileged pods. We just had to ensure our ACR (Azure Container Registry) credentials were mounted as a secret volume in the pod template.

Share your thoughts

Your email address will not be published. Required fields are marked (*)

Professional Counselling Session

Still have questions?
Schedule a free counselling session

Our experts are ready to help you with any questions about courses, admissions, or career paths. Get personalized guidance from industry professionals.

Request a Call Back

Search Online

We Accept

We Accept

Follow Us

"PMI®", "PMBOK®", "PMP®", "CAPM®" and "PMI-ACP®" are registered marks of the Project Management Institute, Inc. | "CSM", "CST" are Registered Trade Marks of The Scrum Alliance, USA. | COBIT® is a trademark of ISACA® registered in the United States and other countries.

Book Free Session