kaniko 命令

常用示例

说明

kaniko builds container images from Dockerfiles inside containers or Kubernetes clusters without requiring privileged access or a Docker daemon. It executes each Dockerfile command in userspace and snapshots the filesystem. The executor runs as a container image (gcr.io/kaniko-project/executor), making it ideal for CI/CD pipelines in Kubernetes where Docker-in-Docker is unavailable or undesirable for security reasons. Context sources include local directories (dir://), Git repositories (git://), Google Cloud Storage (gs://), Amazon S3 (s3://), and Azure Blob Storage. Authentication is handled via mounted credentials or environment variables. Layer caching with --cache significantly speeds up builds by reusing unchanged layers. Cached layers are stored in the registry specified by --cache-repo or derived from --destination. A debug image (gcr.io/kaniko-project/executor:debug) includes busybox for troubleshooting.

参数

--dockerfile _path_

Path to Dockerfile. Default: Dockerfile.

--context _uri_

Build context: dir://, git://, s3://, gs://, or local path.

--destination _registry/image:tag_

Registry to push image. Required unless --no-push.

--no-push

Build image but don't push to registry.

--tar-path _path_

Save image as tarball instead of pushing.

--cache

Enable layer caching.

--cache-repo _repository_

Repository for storing cached layers.

--cache-ttl _duration_

Cache expiration time.

--target _stage_

Build up to specified Dockerfile stage.

--build-arg _KEY=value_

Set build-time variable. Repeatable.

--ignore-var-run

Ignore /var/run when taking image snapshot. Default: true.

--ignore-path _path_

Ignore specified path when taking image snapshot. Repeatable.

--snapshot-mode _mode_

Snapshot mode: full or redo (default: redo).

--single-snapshot

Take one snapshot at end instead of per layer.

--reproducible

Strip timestamps for reproducible builds.

--registry-mirror _mirror_

Use registry mirror as pull-through cache.

--insecure

Push to insecure (HTTP) registry.

--skip-tls-verify

Skip TLS certificate verification.

--insecure-pull

Pull from insecure (HTTP) registry.

--skip-tls-verify-pull

Skip TLS certificate verification when pulling.

--kaniko-dir _path_

Kaniko working directory (default: /kaniko).

--image-fs-extract-retry _count_

Number of retries for extracting image filesystem. Default: 0.

--image-download-retry _count_

Number of retries for downloading remote image with exponential backoff. Default: 0.

--label _KEY=value_

Set image label metadata. Repeatable.