Build Docker Images Inside Kubernetes with Kaniko – No Daemon Required

Overview

Kaniko is an open‑source Google project that builds container images from a Dockerfile inside a container or a Kubernetes pod, without requiring root privileges or access to the Docker daemon on the host.

How Kaniko works

Read the Dockerfile.

Pull the base image defined by the FROM instruction.

Execute each Dockerfile instruction in isolation inside the container.

After each instruction, snapshot the user‑space filesystem.

Attach the snapshot as a new layer on top of the base image.

The final image is pushed to a registry specified by the --destination flag.

Prerequisites

A running Kubernetes cluster.

A Git repository that contains the Dockerfile and Kubernetes manifests.

A container registry (Docker Hub, GCR, etc.) where the built image will be stored.

Registry authentication secret

Create a docker-registry secret that Kaniko will mount at /kaniko/.docker. Replace the placeholders with your own values.

kubectl create secret docker-registry regcred \
  --docker-server=REGISTRY_SERVER \
  --docker-username=REGISTRY_USER \
  --docker-password=REGISTRY_PASSWORD \
  --docker-email=REGISTRY_EMAIL

Dockerfile example

FROM nginx
RUN echo 'This is version 3' > /usr/share/nginx/html/index.html

Kaniko Job manifest (build.yaml)

apiVersion: batch/v1
kind: Job
metadata:
  name: kaniko-build
spec:
  template:
    spec:
      containers:
      - name: kaniko
        image: gcr.io/kaniko-project/executor:latest
        args:
        - "--dockerfile=Dockerfile"
        - "--context=git://github.com/yourorg/yourrepo.git#refs/heads/master"
        - "--destination=yourregistry/yourimage:v3"
        volumeMounts:
        - name: kaniko-secret
          mountPath: "/kaniko/.docker"
      restartPolicy: Never
      volumes:
      - name: kaniko-secret
        secret:
          secretName: regcred
          items:
          - key: .dockerconfigjson
            path: config.json

Running the build

# Apply the Job
kubectl apply -f build.yaml

# Watch the pod
kubectl get pod -l job-name=kaniko-build

# Stream logs
kubectl logs -f $(kubectl get pod -l job-name=kaniko-build -o jsonpath="{.items[0].metadata.name}")

Deploying the built image

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  namespace: web
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: yourregistry/yourimage:v3
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-service
  namespace: web
spec:
  selector:
    app: nginx
  ports:
  - port: 80
    targetPort: 80
  type: NodePort

Kaniko command‑line parameters (selected)

--dockerfile

: path to the Dockerfile (default Dockerfile). --context: build context – can be a local directory, a tar archive, or a Git repository URL. --destination: target image reference ( registry/repo:tag). --cache: enable caching of intermediate layers. --snapshotMode: method for filesystem snapshotting (e.g., full, redo).

Comparison with similar tools

Other container‑image builders that run without a Docker daemon include img and orca‑build . All three avoid privileged Docker daemon access, but they differ in security model and implementation details. Kaniko runs as a non‑root user inside a container but can perform root‑level operations within that isolated environment, whereas img builds entirely as a non‑root user and orca‑build uses runc with kernel namespaces.