kaniko

Build and push image to registry

$ /kaniko/executor --dockerfile=[Dockerfile] --context=[dir://workspace] --destination=[gcr.io/project/image:tag]

$ /kaniko/executor --dockerfile=[Dockerfile] --context=[.] --no-push

$ /kaniko/executor --dockerfile=[Dockerfile] --destination=[registry/image] --cache=true

$ /kaniko/executor --dockerfile=[Dockerfile] --context=[.] --tar-path=[image.tar] --no-push

$ /kaniko/executor --dockerfile=[Dockerfile] --destination=[registry/image] --target=[build-stage]

$ /kaniko/executor --dockerfile=[Dockerfile] --destination=[registry/image] --build-arg=[VERSION=1.0]

/kaniko/executor [options]

kaniko builds container images from Dockerfiles inside containers or Kubernetes clusters without requiring privileged access or a Docker daemon. It executes each Dockerfile command in userspace and snapshots the filesystem.
The executor runs as a container image (gcr.io/kaniko-project/executor), making it ideal for CI/CD pipelines in Kubernetes where Docker-in-Docker is unavailable or undesirable for security reasons.
Context sources include local directories (dir://), Git repositories (git://), Google Cloud Storage (gs://), Amazon S3 (s3://), and Azure Blob Storage. Authentication is handled via mounted credentials or environment variables.
Layer caching with --cache significantly speeds up builds by reusing unchanged layers. Cached layers are stored in the registry specified by --cache-repo or derived from --destination.
A debug image (gcr.io/kaniko-project/executor:debug) includes busybox for troubleshooting.

--dockerfile path

Path to Dockerfile. Default: Dockerfile.

Build context: dir://, git://, s3://, gs://, or local path.

Registry to push image. Required unless --no-push.

Build image but don't push to registry.

Save image as tarball instead of pushing.

Enable layer caching.

Repository for storing cached layers.

Cache expiration time.

Build up to specified Dockerfile stage.

Set build-time variable. Repeatable.

Snapshot mode: full or time (default).

Take one snapshot at end instead of per layer.

Strip timestamps for reproducible builds.

Use registry mirror as pull-through cache.

Push to insecure (HTTP) registry.

Skip TLS certificate verification.

Kaniko working directory.

Log level: panic, fatal, error, warn, info, debug, trace.

Kaniko runs inside containers and is not meant for direct host execution. Some Dockerfile features may behave differently than with Docker daemon. The time snapshot mode may miss metadata-only changes; use full mode if needed. Build arguments with spaces require special IFS handling.

Kaniko was developed by Google and released in 2018 as part of Google Container Tools. It was created to enable secure container builds in Kubernetes environments where running Docker daemon is impractical or forbidden. The project is maintained by the open-source community and widely used in cloud-native CI/CD pipelines.

docker(1), buildah(1), podman(1)