Introduction
Tekton started at Google as Knative Build, became a standalone CNCF project and now powers pipelines in Jenkins X, OpenShift Pipelines, IBM Cloud and many internal platforms. It rejects the monolithic server model of classic CI and instead models every pipeline step as a Kubernetes-native resource executed by a lightweight controller.
What Tekton Does
- Defines reusable Task and Pipeline CRDs and schedules runs as Pods
- Runs each step in its own container so language and tooling choices are per-step
- Passes inputs and outputs through typed parameters, results and workspaces
- Supports triggers (EventListeners, Interceptors) for Git webhooks and Cloud Events
- Provides Tekton Chains for signed provenance and SLSA-compliant supply-chain attestations
Architecture Overview
The Tekton Pipelines controller reconciles Tekton CRDs. When you submit a PipelineRun, the controller creates a graph of TaskRuns; each TaskRun becomes a Pod whose containers run your steps in order. Workspaces (PVCs, ConfigMaps, Secrets) carry shared state between steps. Results are captured from /tekton/results files, and Tekton Chains can sign them and push the attestation to Sigstore or a registry.
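The flow described above, as an added example that is not part of the original page: two Tasks share a PVC-backed workspace, the first writes a result to /tekton/results via $(results.digest.path), and the Pipeline feeds that result into the second Task as a parameter. The Task and Pipeline names, the alpine image and the file contents are constructed for illustration; the second Task reads the parameter through an environment variable rather than splicing it into the script body.

```yaml
# Producer: writes a file into the shared workspace and emits its digest as a result
apiVersion: tekton.dev/v1
kind: Task
metadata:
  name: fetch-and-hash
spec:
  workspaces:
    - name: source
  results:
    - name: digest
      description: sha256 of app.txt in the workspace
  steps:
    - name: fetch
      image: alpine:3.19
      workingDir: $(workspaces.source.path)
      script: |
        #!/bin/sh
        set -eu
        printf 'hello tekton\n' > app.txt    # constructed stand-in for a real clone
    - name: hash
      image: alpine:3.19
      workingDir: $(workspaces.source.path)
      script: |
        #!/bin/sh
        set -eu
        # Results are plain files under /tekton/results; Tekton reads them when the step exits
        sha256sum app.txt | cut -d' ' -f1 | tr -d '\n' > $(results.digest.path)
---
# Consumer: receives the digest as a parameter and re-checks the workspace contents
apiVersion: tekton.dev/v1
kind: Task
metadata:
  name: verify-digest
spec:
  params:
    - name: expected
      type: string
  workspaces:
    - name: source
  steps:
    - name: check
      image: alpine:3.19
      workingDir: $(workspaces.source.path)
      env:
        # Pass the param through the environment so its value is never interpolated into shell text
        - name: EXPECTED
          value: $(params.expected)
      script: |
        #!/bin/sh
        set -eu
        actual=$(sha256sum app.txt | cut -d' ' -f1)
        [ "$actual" = "$EXPECTED" ] || { echo "digest mismatch"; exit 1; }
---
apiVersion: tekton.dev/v1
kind: Pipeline
metadata:
  name: hash-pipeline
spec:
  workspaces:
    - name: shared
  tasks:
    - name: produce
      taskRef:
        name: fetch-and-hash
      workspaces:
        - name: source
          workspace: shared
    - name: verify
      runAfter: [produce]        # ordering edge in the TaskRun graph
      taskRef:
        name: verify-digest
      params:
        - name: expected
          value: $(tasks.produce.results.digest)   # result from the producer TaskRun
      workspaces:
        - name: source
          workspace: shared
---
apiVersion: tekton.dev/v1
kind: PipelineRun
metadata:
  generateName: hash-pipeline-run-
spec:
  pipelineRef:
    name: hash-pipeline
  workspaces:
    - name: shared
      volumeClaimTemplate:        # one PVC per run, shared by both TaskRun Pods
        spec:
          accessModes: [ReadWriteOnce]
          resources:
            requests:
              storage: 100Mi
```

Apply with kubectl create -f and watch the controller produce two TaskRuns and two Pods. Reading the parameter from an environment variable instead of writing $(params.expected) inside the script keeps an attacker-controlled parameter value from being executed as shell, which matters once the PipelineRun is created from a webhook payload.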
Self-Hosting & Configuration
- Install Pipelines, Triggers, Dashboard and Chains independently via release manifests
- Use ConfigMap/feature-flags to enable alpha/beta features like enable-cel-in-whenexpression
- Tune resources per step with stepTemplate and step-level resources
- Configure the default service account, affinity and node selectors in ConfigMap/config-defaults
- Use Tekton Hub or the Artifact Hub to pull reusable Tasks (git-clone, buildah, kaniko)
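The configuration surfaces listed above, as an added example rather than manifests from the Tekton project: the feature-flags and config-defaults ConfigMaps in tekton-pipelines, a Task whose stepTemplate sets resource and security defaults that one step overrides, and the chains-config ConfigMap that turns on attestation signing. In the tekton.dev/v1 API the step-level field is spelled computeResources (it was resources in v1beta1). The service account name, node selector, Task name and Go image are assumptions; the x509 signer expects a cosign key in a Secret named signing-secrets in the tekton-chains namespace.

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: feature-flags
  namespace: tekton-pipelines
data:
  enable-api-fields: "alpha"                 # required for alpha-gated fields
  enable-cel-in-whenexpression: "true"       # CEL in when expressions
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: config-defaults
  namespace: tekton-pipelines
data:
  default-service-account: "pipeline-runner"   # assumed SA; give it only the RBAC the steps need
  default-timeout-minutes: "30"
  default-pod-template: |                      # applied to every TaskRun Pod unless overridden
    nodeSelector:
      kubernetes.io/arch: amd64
    securityContext:
      runAsNonRoot: true
---
apiVersion: tekton.dev/v1
kind: Task
metadata:
  name: go-test
spec:
  workspaces:
    - name: source
  stepTemplate:                                # defaults merged into every step below
    computeResources:
      requests: {cpu: 250m, memory: 256Mi}
      limits: {cpu: "1", memory: 1Gi}
    securityContext:
      allowPrivilegeEscalation: false
      capabilities: {drop: [ALL]}
  steps:
    - name: vet
      image: golang:1.22
      workingDir: $(workspaces.source.path)
      script: go vet ./...
    - name: test
      image: golang:1.22
      workingDir: $(workspaces.source.path)
      computeResources:                        # step-level override wins over stepTemplate
        limits: {cpu: "2", memory: 2Gi}
      script: go test ./...
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: chains-config
  namespace: tekton-chains
data:
  artifacts.taskrun.format: "slsa/v1"          # SLSA provenance for each TaskRun
  artifacts.taskrun.storage: "tekton"          # store the attestation as a TaskRun annotation
  artifacts.taskrun.signer: "x509"             # key from Secret signing-secrets (assumed present)
  artifacts.oci.storage: "oci"                 # push image signatures next to the image
  artifacts.oci.format: "simplesigning"
  artifacts.oci.signer: "x509"
  transparency.enabled: "true"                 # also record signatures in Rekor
```

The stepTemplate is the place to drop capabilities and forbid privilege escalation once, so a Task author has to opt out explicitly per step rather than opt in; the default-pod-template does the same at Pod level for every run in the cluster.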
Key Features
- Fully declarative: every pipeline is YAML, fits GitOps workflows
- Isolated steps run in their own containers, eliminating plugin version hell
- Strong typing via Parameters, Results and Workspaces
- Event-driven triggers map Git webhooks to PipelineRuns with CEL filters
- Supply-chain security via Tekton Chains and SLSA attestations
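The event-driven path from a Git webhook to a PipelineRun, as an added example that is not part of the original page: an EventListener whose trigger first validates the GitHub webhook signature, then applies a CEL filter so only pushes to main create a run, then maps payload fields to PipelineRun parameters via a TriggerBinding and TriggerTemplate. The pipeline name build-pipeline (with params git-url and git-revision), the service account, and the Secret holding the webhook token are assumptions.

```yaml
apiVersion: triggers.tekton.dev/v1beta1
kind: TriggerBinding
metadata:
  name: github-push-binding
spec:
  params:                                  # JSONPath-style extraction from the webhook body
    - name: git-revision
      value: $(body.head_commit.id)
    - name: git-url
      value: $(body.repository.clone_url)
---
apiVersion: triggers.tekton.dev/v1beta1
kind: TriggerTemplate
metadata:
  name: build-pipeline-template
spec:
  params:
    - name: git-revision
    - name: git-url
  resourcetemplates:
    - apiVersion: tekton.dev/v1
      kind: PipelineRun
      metadata:
        generateName: build-pipeline-run-
      spec:
        pipelineRef:
          name: build-pipeline             # assumed to exist with these two params
        params:
          - name: git-url
            value: $(tt.params.git-url)
          - name: git-revision
            value: $(tt.params.git-revision)
---
apiVersion: triggers.tekton.dev/v1beta1
kind: EventListener
metadata:
  name: github-listener
spec:
  serviceAccountName: tekton-triggers-sa   # assumed; needs create on pipelineruns
  triggers:
    - name: push-to-main
      interceptors:
        # 1. Reject requests whose HMAC signature does not match the shared webhook secret
        - ref:
            name: github
            kind: ClusterInterceptor
          params:
            - name: secretRef
              value:
                secretName: github-webhook-secret
                secretKey: token
            - name: eventTypes
              value: ["push"]
        # 2. Drop anything that is not a push to the main branch
        - ref:
            name: cel
            kind: ClusterInterceptor
          params:
            - name: filter
              value: body.ref == 'refs/heads/main'
      bindings:
        - ref: github-push-binding
      template:
        ref: build-pipeline-template
```

Interceptors run in order, so the signature check sits first: the CEL filter and the binding only ever see payloads that were proven to come from the configured webhook secret, and an unauthenticated POST to the listener produces no PipelineRun.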
Comparison with Similar Tools
- Argo Workflows — broader workflow engine; Tekton is purpose-built for CI/CD
- Jenkins — monolithic server with plugins; Tekton steps are containers, no JVM glue
- GitHub Actions / GitLab CI — hosted and tightly coupled to their platforms
- Drone / Woodpecker — simpler YAML pipelines; Tekton models every primitive as CRDs
- Buildkite / CircleCI — SaaS-first; Tekton runs entirely inside your cluster
FAQ
Q: Do I need Kubernetes to use Tekton?
A: Yes. Tekton is Kubernetes-native — every Task is a Pod managed by the Tekton controller.
Q: Is there a UI?
A: Tekton Dashboard provides a web UI for viewing PipelineRuns, logs and resources; the tkn CLI covers command-line workflows.
Q: How do I share credentials safely?
A: Use Workspaces bound to Kubernetes Secrets, or Tekton Workspaces that reference a Vault-backed volume. Credentials never land in the YAML.
Q: Can I reuse Tasks across repos?
A: Tekton Hub hosts reusable Tasks (git-clone, buildah, go-test). Use resolver: hub or resolver: bundles to pull them at runtime.
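Both answers above in one manifest, as an added example that is not part of the original page: a TaskRun that pulls the git-clone Task from Tekton Hub through resolver: hub and mounts Git credentials from a Kubernetes Secret via the Task's basic-auth workspace, so the YAML carries only a Secret name. The repository URL is a placeholder, the Task version is assumed, and the Secret git-basic-auth is assumed to hold the .gitconfig and .git-credentials keys that the hub git-clone Task expects.

```yaml
apiVersion: tekton.dev/v1
kind: TaskRun
metadata:
  generateName: clone-private-repo-
spec:
  taskRef:
    resolver: hub                          # fetch the Task definition at run time
    params:
      - name: kind
        value: task
      - name: name
        value: git-clone
      - name: version
        value: "0.9"                       # assumed catalog version; pin it, never float
  params:
    - name: url
      value: https://git.example.invalid/org/private-repo.git   # placeholder URL
    - name: revision
      value: main
  workspaces:
    - name: output
      emptyDir: {}                         # clone target lives only for this run
    - name: basic-auth
      secret:
        secretName: git-basic-auth         # assumed Secret; mounted read-only into the Pod
```

Pinning the version makes the resolved Task content reproducible and reviewable; combined with Tekton Chains, the provenance then records exactly which catalog Task ran rather than whatever the Hub served that day.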