Buildkit is a Docker builder that provides new functionality and improves the performance of your builds. Docker buildx provides a Kubernetes driver that builds Docker images in Kubernetes pods using Buildkit. Unlike Kaniko, Buildkit does not need to run as root, so it is considered a more secure way to build Docker images in Kubernetes.
If Pod Security Admission (PSA) restricted is enabled, Buildkit will not function.
Pipeline example
This example illustrates running a Pipeline with Buildkit installed.
Requirements
To run this example, you need the following:
- A Kubernetes cluster with an installation of CloudBees CI
- Ability to run kubectl against your cluster
- CloudBees CI account with permission to create the new pipeline
Additional configuration is needed to run multi-architecture builds. That is not covered in this article. Refer to Building multi-platform images.
Steps
These are the high-level steps for this example:
- Install Buildkit in the cluster.
- Create the Pipeline.
- Run the Pipeline.
Install Buildkit in the cluster
To install Buildkit in the cluster, follow the instructions in the official documentation.
$ kubectl create namespace buildkit
$ docker buildx create \
--bootstrap \
--name=kube \
--driver=kubernetes \
--driver-opt=namespace=buildkit
Create the Pipeline
Grant the jenkins-agents service account permissions to use Buildkit by creating this Role and RoleBinding in the buildkit namespace:
Role to grant access to the buildkit namespace
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: can-build
rules:
  - apiGroups:
      - apps
    resources:
      - deployments
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - list
  - apiGroups:
      - ""
    resources:
      - pods/exec
    verbs:
      - create
RoleBinding to grant access to the buildkit namespace
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: agents-can-build
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: can-build
subjects:
  - kind: ServiceAccount
    name: jenkins-agents
    namespace: jenkins-agents-namespace # (1)
(1) The <jenkins-agents-namespace> is the namespace where agents run. The namespace value depends on your installation. Replace it with the right value from your CloudBees CI installation.
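One way to confirm that the binding gives the agents exactly what the can-build Role lists and nothing broader, as an added example that is not part of the CloudBees documentation. It assumes the caller may impersonate service accounts; the function names, the KUBECTL and AGENT_NS variables, and the three probes for broader access are choices made for this example.

```shell
#!/bin/sh
# Added example: audit the access the jenkins-agents service account has in the
# buildkit namespace against the three rules of the can-build Role.
KUBECTL="${KUBECTL:-kubectl}"   # overridable so the check can be exercised without a cluster
BUILD_NS="buildkit"
SA_NAME="jenkins-agents"

# can_i <agent-namespace> <verb> <resource> [extra kubectl flags]
# Prints "yes" or "no" for the impersonated service account.
# A kubectl error (no cluster, no impersonation rights) is reported as "no".
can_i() {
  agent_ns="$1"; shift
  if $KUBECTL auth can-i "$@" -n "$BUILD_NS" \
       --as="system:serviceaccount:${agent_ns}:${SA_NAME}" >/dev/null 2>&1; then
    echo yes
  else
    echo no
  fi
}

# check_buildkit_rbac <agent-namespace>
# Returns 0 only when every grant is present and every broader probe is denied.
check_buildkit_rbac() {
  ns="$1"; rc=0
  # Expected grants, one per rule in the Role.
  [ "$(can_i "$ns" get deployments.apps)" = yes ] || { echo "MISSING: get deployments"; rc=1; }
  [ "$(can_i "$ns" list pods)" = yes ] || { echo "MISSING: list pods"; rc=1; }
  [ "$(can_i "$ns" create pods --subresource=exec)" = yes ] || { echo "MISSING: create pods/exec"; rc=1; }
  # Access the Role does not grant; "yes" here means another binding widens it.
  [ "$(can_i "$ns" create pods)" = no ] || { echo "EXCESS: create pods"; rc=1; }
  [ "$(can_i "$ns" get secrets)" = no ] || { echo "EXCESS: get secrets"; rc=1; }
  [ "$(can_i "$ns" delete deployments.apps)" = no ] || { echo "EXCESS: delete deployments"; rc=1; }
  return $rc
}

# Runs against a live cluster only when AGENT_NS names the namespace where agents run.
if [ -n "${AGENT_NS:-}" ]; then
  check_buildkit_rbac "$AGENT_NS" && echo "RBAC matches the can-build Role"
fi
```

An EXCESS line points to a second RoleBinding or ClusterRoleBinding for the same service account, which is worth reviewing because pods/exec already allows commands to run in every pod of the buildkit namespace.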
Run the pipeline
Run docker buildx build … in a pipeline as shown in the following example.
podTemplate(yaml: <your-pod-definition>) { // (1)
    node(POD_LABEL) {
        git ... // (2)
        sh '''
            docker buildx create --name buildkit --driver=kubernetes --driver-opt=namespace=buildkit,rootless=true --use
            docker buildx build --progress plain -t local-test:1 .
        '''
    }
}
(1) <your-pod-definition> should use a Docker image which has the Docker and buildx extensions.
(2) Clone a repository with a Dockerfile in the root folder.