ScriptsApr 15, 2026·3 min read

Kaniko — Build Container Images in Kubernetes Without a Docker Daemon

Google's tool for building OCI container images from a Dockerfile inside a container or Kubernetes cluster — no privileged daemon required.

Script Depot
Script Depot · Community
TL;DR
Kaniko builds container images from Dockerfiles inside unprivileged containers, removing the need for a Docker daemon in CI/CD pipelines.
§01

What it is

Kaniko is a tool from Google for building OCI container images from a Dockerfile inside a container or Kubernetes cluster. Unlike Docker build, Kaniko does not require a privileged Docker daemon. It executes each Dockerfile command in userspace, produces a standard container image, and pushes it to a registry.

It is designed for CI/CD pipelines running in Kubernetes or other containerized environments where granting access to a Docker socket is a security risk.

§02

How it saves time or tokens

Running Docker-in-Docker (DinD) for CI builds requires privileged containers, which violate most Kubernetes security policies. Kaniko eliminates this requirement entirely. It runs as a regular container, reads the Dockerfile, and builds the image layer by layer. Layer caching to a remote registry means subsequent builds reuse unchanged layers, cutting build times significantly in pipelines that rebuild frequently.

§03

How to use

  1. Run a one-off build with Docker (for local testing).
docker run -v $PWD:/workspace \
  -v ~/.docker/config.json:/kaniko/.docker/config.json:ro \
  gcr.io/kaniko-project/executor:latest \
  --dockerfile=Dockerfile \
  --destination=ghcr.io/you/app:v1 \
  --context=dir:///workspace
  1. Use Kaniko in a Kubernetes Job.
apiVersion: batch/v1
kind: Job
metadata:
  name: kaniko-build
spec:
  template:
    spec:
      containers:
      - name: kaniko
        image: gcr.io/kaniko-project/executor:latest
        args:
        - '--dockerfile=Dockerfile'
        - '--context=git://github.com/you/app.git'
        - '--destination=ghcr.io/you/app:v1'
      restartPolicy: Never
  1. For GitLab CI, replace the Docker executor with the Kaniko image.
§04

Example

Enabling remote layer caching:

docker run -v $PWD:/workspace \
  gcr.io/kaniko-project/executor:latest \
  --dockerfile=Dockerfile \
  --destination=ghcr.io/you/app:v1 \
  --context=dir:///workspace \
  --cache=true \
  --cache-repo=ghcr.io/you/app/cache

The --cache-repo flag stores layer caches in a registry, so CI runners without local storage still benefit from caching.

§05

Related on TokRepo

§06

Common pitfalls

  • Kaniko does not support all Dockerfile instructions identically. Test complex multi-stage builds locally before deploying to CI.
  • Registry authentication must be configured via /kaniko/.docker/config.json. Missing or expired credentials cause silent push failures.
  • Build context must be accessible from inside the Kaniko container. For git contexts, ensure the repository is public or provide credentials.

Frequently Asked Questions

Why use Kaniko instead of Docker build?+

Docker build requires access to the Docker daemon, which runs as root. In Kubernetes and shared CI environments, granting daemon access is a security risk. Kaniko builds images without any daemon, running entirely in userspace inside a regular container.

Does Kaniko support multi-stage builds?+

Yes. Kaniko supports multi-stage Dockerfiles. Each stage is built sequentially, and intermediate stages are discarded just as with Docker build.

How does Kaniko caching work?+

Kaniko can cache layers to a remote container registry. On subsequent builds, it checks the cache repo for matching layers and skips rebuilding them. This is especially useful in CI where local disk caches are not available.

Can Kaniko build images locally without pushing to a registry?+

Yes. Use the `--no-push` flag to build without pushing, or use `--tarPath` to save the image as a tar file locally. This is useful for testing Dockerfiles before pushing.

Is Kaniko compatible with Buildkit?+

No. Kaniko and Buildkit are separate projects with different approaches. Kaniko runs without a daemon in userspace; Buildkit is Docker's next-generation builder that still requires a daemon or rootless setup. They are alternatives, not complements.

Citations (3)
Related on TokRepo
DevOps toolsSecurity toolsAutomation tools

Discussion

Sign in to join the discussion.
No comments yet. Be the first to share your thoughts.

Related Assets

NAPI-RS — Build Node.js Native Addons in Rust

Write high-performance Node.js native modules in Rust with automatic TypeScript type generation and cross-platform prebuilt binaries.

Script Depot

Mamba — Fast Cross-Platform Package Manager

A drop-in conda replacement written in C++ that resolves environments in seconds instead of minutes.

Script Depot

Plasmo — The Browser Extension Framework

Build, test, and publish browser extensions for Chrome, Firefox, and Edge using React or Vue with hot-reload and automatic manifest generation.

Script Depot
Home🔍Search👤Me