kaniko
builds container images from Dockerfiles inside containers or Kubernetes
TLDR
SYNOPSIS
/kaniko/executor [options]
DESCRIPTION
kaniko builds container images from Dockerfiles inside containers or Kubernetes clusters without requiring privileged access or a Docker daemon. It executes each Dockerfile command in userspace and snapshots the filesystem.
The executor runs as a container image (gcr.io/kaniko-project/executor), making it ideal for CI/CD pipelines in Kubernetes where Docker-in-Docker is unavailable or undesirable for security reasons.
Context sources include local directories (dir://), Git repositories (git://), Google Cloud Storage (gs://), Amazon S3 (s3://), and Azure Blob Storage. Authentication is handled via mounted credentials or environment variables.
Layer caching with --cache significantly speeds up builds by reusing unchanged layers. Cached layers are stored in the registry specified by --cache-repo or derived from --destination.
A debug image (gcr.io/kaniko-project/executor:debug) includes busybox for troubleshooting.
PARAMETERS
--dockerfile path
Path to Dockerfile. Default: Dockerfile.
--context uri
Build context: dir://, git://, s3://, gs://, or local path.
--destination registry/image:tag
Registry to push image. Required unless --no-push.
--no-push
Build image but don't push to registry.
--tar-path path
Save image as tarball instead of pushing.
--cache
Enable layer caching.
--cache-repo repository
Repository for storing cached layers.
--cache-ttl duration
Cache expiration time.
--target stage
Build up to specified Dockerfile stage.
--build-arg KEY=value
Set build-time variable. Repeatable.
--ignore-var-run
Ignore /var/run when taking image snapshot. Default: true.
--ignore-path path
Ignore specified path when taking image snapshot. Repeatable.
--snapshot-mode mode
Snapshot mode: full or redo (default: redo).
--single-snapshot
Take one snapshot at end instead of per layer.
--reproducible
Strip timestamps for reproducible builds.
--registry-mirror mirror
Use registry mirror as pull-through cache.
--insecure
Push to insecure (HTTP) registry.
--skip-tls-verify
Skip TLS certificate verification.
--insecure-pull
Pull from insecure (HTTP) registry.
--skip-tls-verify-pull
Skip TLS certificate verification when pulling.
--kaniko-dir path
Kaniko working directory (default: /kaniko).
--image-fs-extract-retry count
Number of retries for extracting image filesystem. Default: 0.
--image-download-retry count
Number of retries for downloading remote image with exponential backoff. Default: 0.
--label KEY=value
Set image label metadata. Repeatable.
--verbosity level
Log level: panic, fatal, error, warn, info, debug, trace.
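An added example, not part of the original page or the kaniko project: a POSIX shell pre-flight check that a CI job could run over the executor argument list, flagging the TLS-weakening flags listed above and the --destination and --cache requirements this page describes. The function name kaniko_lint_args, the finding labels and the sample registry name are assumptions of this example.

```shell
#!/bin/sh
# Added example (not kaniko project code): audit a kaniko executor argument
# list before the build runs. Only flags documented on this page are checked;
# the function name and finding labels are assumptions of this example.

# Prints one finding per line; returns 0 when clean, 1 otherwise.
# The ( ) body runs in a subshell, so its variables stay local in POSIX sh.
kaniko_lint_args() (
    n=0 has_dest=0 no_push=0 cache=0 cache_repo=0
    finding() { printf '%s\n' "$1"; n=$((n + 1)); }
    for arg in "$@"; do
        case "$arg" in
            --insecure|--insecure=true)
                finding "PLAIN_HTTP_PUSH: $arg pushes over unencrypted HTTP" ;;
            --insecure-pull|--insecure-pull=true)
                finding "PLAIN_HTTP_PULL: $arg pulls over unencrypted HTTP" ;;
            --skip-tls-verify|--skip-tls-verify=true)
                finding "NO_CERT_CHECK_PUSH: $arg skips certificate verification" ;;
            --skip-tls-verify-pull|--skip-tls-verify-pull=true)
                finding "NO_CERT_CHECK_PULL: $arg skips certificate verification" ;;
            --destination|--destination=*) has_dest=1 ;;
            --no-push|--no-push=true)      no_push=1 ;;
            --cache|--cache=true)          cache=1 ;;
            --cache-repo|--cache-repo=*)   cache_repo=1 ;;
        esac
    done
    # --destination is required unless --no-push is given.
    if [ "$has_dest" -eq 0 ] && [ "$no_push" -eq 0 ]; then
        finding "NO_DESTINATION: --destination is required unless --no-push is set"
    fi
    # Cached layers go to --cache-repo or a repository derived from
    # --destination; with neither there is nowhere to store them.
    if [ "$cache" -eq 1 ] && [ "$cache_repo" -eq 0 ] && [ "$has_dest" -eq 0 ]; then
        finding "NO_CACHE_REPO: --cache needs --cache-repo or --destination"
    fi
    [ "$n" -eq 0 ]
)

# Constructed sample invocation; the registry name is a placeholder.
kaniko_lint_args --context dir:///workspace --cache --insecure \
    --destination registry.example.internal/app:1.0 || true
```

Run it in the pipeline step that launches the executor and fail the job on a non-zero return, so a TLS-weakening flag cannot reach a build unnoticed.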
CAVEATS
Kaniko runs inside containers and is not meant for direct host execution. Some Dockerfile features may behave differently than with the Docker daemon. The redo snapshot mode may miss metadata-only changes; use full mode if needed. The --reproducible flag takes a single snapshot at the end of the build, so only one layer is appended to the base image.
HISTORY
Kaniko was developed by Google and released in 2018 as part of Google Container Tools. It was created to enable secure container builds in Kubernetes environments where running a Docker daemon is impractical or forbidden. The project is maintained by the open-source community and is widely used in cloud-native CI/CD pipelines.
