ko — Build and Deploy Go Containers Without Docker

Introduction

ko builds container images for Go applications without requiring Docker, a Dockerfile, or any container runtime on the build machine. It compiles the Go binary using the standard Go toolchain, layers it onto a minimal base image, and pushes the result directly to a container registry. This makes it fast, reproducible, and ideal for Go-centric Kubernetes workflows.

What ko Does

• Builds Go binaries and packages them into OCI container images
• Pushes images directly to any container registry without a local Docker daemon
• Resolves image references in Kubernetes YAML files and replaces them with built images
• Produces multi-architecture images (amd64, arm64) with a single command
• Uses distroless or scratch base images by default for minimal attack surface

Architecture Overview

ko invokes go build to compile the application, then constructs an OCI image by layering the binary on top of a base image. It uses the Go module path as the image reference, which it rewrites in Kubernetes manifests. Images are built in-process without spawning external tools, making builds fast. The image layers are pushed directly to the registry via the go-containerregistry library.

Self-Hosting & Configuration

• Install via go install, Homebrew, or download a release binary
• Set KO_DOCKER_REPO to your target registry (e.g., ghcr.io/org)
• Configure base images and build options in .ko.yaml at the project root
• Use ko build for single images or ko apply -f k8s/ to deploy to Kubernetes
• Enable multi-platform builds with --platform=linux/amd64,linux/arm64

Key Features

• No Docker or Dockerfile required — builds happen entirely in user space
• Sub-second incremental builds by only re-layering the changed Go binary
• SBOM generation built in for supply chain security compliance
• Kubernetes-native workflow with ko apply replacing image references in manifests
• Hermetic builds using the Go toolchain ensure reproducibility

Comparison with Similar Tools

• Docker Build — requires a Dockerfile and daemon; ko needs neither for Go apps
• Buildah — general-purpose OCI builder; ko is purpose-built for Go and much simpler
• Kaniko — builds Dockerfiles in Kubernetes; ko skips the Dockerfile entirely
• Jib (Google) — similar concept for Java/Maven/Gradle; ko does the same for Go
• GoReleaser — builds binaries and releases; ko focuses on container images specifically

FAQ

Q: Does ko support non-Go applications? A: No. ko is designed exclusively for Go applications. For other languages, use tools like Docker or Buildah.

Q: Can I customize the base image? A: Yes. Set defaultBaseImage in .ko.yaml or use the --base-image flag.

Q: Does ko work with private registries? A: Yes. ko uses standard Docker credential helpers, so any registry you can docker push to will work.

Q: How does ko handle Kubernetes deployments? A: ko apply reads YAML files, finds image references matching Go import paths, builds them, pushes to the registry, and applies the updated manifests to the cluster.

Sources

• https://github.com/ko-build/ko
• https://ko.build/