Using Buildkit with CloudBees CI

Buildkit is a Docker builder that provides new functionality and improves the performance of your builds. Docker buildx provides a Kubernetes driver to build Docker images in Kubernetes pods using Buildkit. In comparison to Kaniko, Buildkit does not require being run as root; it’s considered to be a more secure way to build Docker images in Kubernetes.

If the Pod Security Admission (PSA) restricted level is enabled, Buildkit will not function.

Pipeline example

This example illustrates running a Pipeline with Buildkit installed.

Requirements

To run this example, you need the following:

  • A Kubernetes cluster with an installation of CloudBees CI

  • Ability to run kubectl against your cluster

  • CloudBees CI account with permission to create the new pipeline

Steps

These are the high-level steps for this example:

  1. Install Buildkit in the cluster.

  2. Create the Pipeline.

  3. Run the Pipeline.

Install Buildkit in the cluster

To install Buildkit in the cluster, follow the instructions in the official documentation.

Kubernetes setup buildx
$ kubectl create namespace buildkit
$ docker buildx create \
  --bootstrap \
  --name=kube \
  --driver=kubernetes \
  --driver-opt=namespace=buildkit

Create the Pipeline

Grant the jenkins-agents service account permissions to use Buildkit, by creating this Role and RoleBinding in the buildkit namespace:

Role to grant access to the buildkit namespace
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: can-build
rules:
  - apiGroups:
      - apps
    resources:
      - deployments
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - list
  - apiGroups:
      - ""
    resources:
      - pods/exec
    verbs:
      - create

RoleBinding to grant access to the buildkit namespace
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: agents-can-build
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: can-build
subjects:
  - kind: ServiceAccount
    name: jenkins-agents
    namespace: jenkins-agents-namespace # (1)

1 The jenkins-agents-namespace value is a placeholder for the namespace where agents run. The value depends on your installation; replace it with the right value from your CloudBees CI installation.
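
One way to check that the Role and RoleBinding in the cluster still match the manifests above, as an added example that is not CloudBees code: it compares objects shaped like `kubectl -n buildkit get <kind> -o json` output against the three grants and the single service-account subject shown on this page. The `ci-agents` namespace and the drifted objects are constructed sample values.

```python
import json

# The three grants in the page's can-build Role: (apiGroup, resource, verb).
EXPECTED = {("apps", "deployments", "get"), ("", "pods", "list"),
            ("", "pods/exec", "create")}

def grants(role):
    """Expand a Role's rules into (apiGroup, resource, verb) tuples."""
    return {(g, r, v) for rule in role.get("rules") or []
            for g in rule.get("apiGroups", [])
            for r in rule.get("resources", [])
            for v in rule.get("verbs", [])}

def covered(want, got):
    """True if some grant matches `want`, treating "*" as the RBAC wildcard."""
    return any(all(a in ("*", b) for a, b in zip(g, want)) for g in got)

def audit(role, binding, agent_ns):
    """Return findings; an empty list means both objects match the page."""
    got = grants(role)
    findings = [f"excess grant {g!r}" for g in sorted(got - EXPECTED)]
    findings += [f"missing grant {e!r}" for e in sorted(EXPECTED)
                 if not covered(e, got)]
    ref = binding.get("roleRef", {})
    if (ref.get("kind"), ref.get("name")) != ("Role", role["metadata"]["name"]):
        findings.append("roleRef does not point at the audited Role")
    for s in binding.get("subjects") or []:  # only the agents' account belongs here
        if (s.get("kind"), s.get("name"), s.get("namespace")) != (
                "ServiceAccount", "jenkins-agents", agent_ns):
            findings.append(f"unexpected subject {s.get('kind')}:{s.get('name')}")
    return findings

# Constructed sample input, shaped like `kubectl -n buildkit get <kind> -o json`.
ROLE = json.loads('''{"metadata": {"name": "can-build"}, "rules": [
  {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get"]},
  {"apiGroups": [""], "resources": ["pods"], "verbs": ["list"]},
  {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]}]}''')
BINDING = json.loads('''{"roleRef": {"kind": "Role", "name": "can-build"}, "subjects": [
  {"kind": "ServiceAccount", "name": "jenkins-agents", "namespace": "ci-agents"}]}''')
# Constructed drift: wildcard verbs on pods, and every service account bound.
DRIFTED_ROLE = json.loads(json.dumps(ROLE))
DRIFTED_ROLE["rules"][1]["verbs"] = ["*"]
DRIFTED_BINDING = json.loads(json.dumps(BINDING))
DRIFTED_BINDING["subjects"].append({"kind": "Group", "name": "system:serviceaccounts"})

if __name__ == "__main__":
    print("documented:", audit(ROLE, BINDING, "ci-agents") or "OK")
    print("drifted:", audit(DRIFTED_ROLE, DRIFTED_BINDING, "ci-agents"))
```

The Role carries no resourceNames, so its pods/exec grant applies to every pod in the buildkit namespace; an excess grant or extra subject reported here widens that access.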

Run the pipeline

Run docker buildx build … in a pipeline as shown in the following example.

Pipeline example using docker buildx
podTemplate(yaml: <your-pod-definition>) { // (1)
    node(POD_LABEL) {
        git ... // (2)
        sh '''
        docker buildx create --name buildkit --driver=kubernetes --driver-opt=namespace=buildkit,rootless=true --use
        docker buildx build --progress plain -t local-test:1 .
        '''
    }
}
1 <your-pod-definition> should use a Docker image which has the Docker and buildx extensions.
2 Clone a repository with a Dockerfile in the root folder.