
DCSF 19 Deploying Rootless buildkit on Kubernetes


DockerCon Open Source Summit: BuildKit
Akihiro Suda, NTT Corporation

Building images on Kubernetes is attractive for distributing the build workload across multiple nodes, typically in a CI/CD pipeline. However, it has been considered dangerous because of its dependency on `securityContext.privileged`.

In this talk, Akihiro will show how to use Rootless BuildKit in Kubernetes, which can be executed as a non-root user without extra `securityContext` configuration.


  1. Deploying Rootless BuildKit on Kubernetes
  2. About me
  3. What is Rootless?
  4. What is Rootless?
  5. What is Rootless? https://tinyurl.com/dockercon2019-rootless
  6. In-cluster build
  7. In-cluster build
  8. In-cluster build: securityContext.privileged; docker run --privileged docker:dind; hostPath /var/run/docker.sock; buildkitd.sock
  9. myth 1: requires securityContext.privileged: --oci-worker-no-process-sandbox; /proc
  10. myth 1: requires securityContext.privileged: RUN gcc; Process sandbox
  11. myth 1: requires securityContext.privileged: --oci-worker-no-process-sandbox; RUN gcc; worker container can kill(2) the daemon; Host is still protected; Process sandbox
  12. myth 1: requires securityContext.privileged: securityContext.procMount: Unmasked
  13. myth 2: seccomp and AppArmor need to be disabled
  14. myth 2: seccomp and AppArmor need to be disabled
  15. myth 2: seccomp and AppArmor need to be disabled: RUN gcc; seccomp
  16. myth 2: seccomp and AppArmor need to be disabled: RUN gcc; worker containers are still protected with seccomp
  17. Future work: gVisor integration?
  18. Future work: gVisor integration? EINVAL
  19. Comparison: Kaniko
  20. myth 3: No OverlayFS support
  21. myth 3: No OverlayFS support: /home/user/.local/share/buildkit; mkfs.xfs -m reflink=1
  22. kubectl run & buildctl; docker buildx
  23. Knative template is also available
  24. Knative template is also available
  25. If you don’t like daemon...
  26. Questions?
