Community Blog Quickly and Automatically Build Container Images Using Serverless Kubernetes and Kaniko

Quickly and Automatically Build Container Images Using Serverless Kubernetes and Kaniko

This article introduces a new practice of building simple images automatically and at a low cost using Alibaba Cloud's Serverless Kubernetes Container Service.

By Xian Wei


In the cloud native era, container images are the basic carrier for distribution of all applications. In addition to Docker Hub as a popular image repository, various cloud vendors also provide function-rich image repository services, such as Alibaba Cloud's Container Registry (ACR), and Google's Container Registry (GCR). Being able to build container images has become the basic practical ability that all developers must master.

Whether the developer chooses to use Docker locally to build basic images, or uses a CI/CD service (such as Jenkins), in essence, the process of "pull -> build -> push" must be followed to build, distribute, and synchronize images.

This article introduces a new practice of building simple images for developers. Based on Alibaba Cloud Serverless Kubernetes Container Service, container images can be built automatically and at a low cost, which helps developers understand how to use Serverless to run CI/CD and automate tasks.

Why Serverless Kubernetes?

Building a container image requires computing resources. When developers use Docker to pull/build/push locally, the computing resources are local development machines. If developers deploy Jenkins or GitLab Runner services in traditional Kubernetes clusters, the computing resources also need to run continuously. However, building a container image is basically a highly dynamic action, which is often triggered by timing or conditions. Therefore, maintaining a fixed computing resource pool for dynamic building operations is not cost effective.

Serverless Kubernetes is different from the traditional node-based k8s cluster. A Serverless cluster will only result in a charge when a pod is running. This means that users only need to pay when building images, and after the build ends, the billing stops. Therefore, the cost is significantly reduced compared with that of the traditional k8s cluster or ECS deployment.



In a Serverless Kubernetes cluster, pods do not have the privileged permission, and cannot access Docker daemon on the host. Therefore, they cannot use the Docker-in-Docker solution to build images. So, how can we build an image without relying on the Docker on the host in a Kubernetes cluster? Obviously, this is a common requirement, and the community also has a recommended solution: Kaniko.

Kaniko works similarly to the "docker build" command, but does not rely on Docker daemon. It resolves and builds each Dockerfile layer in the pod, which allows the pod to complete the pull/build/push of the image without the privileged permission.


A Practical Example: Regularly Synchronize Container Images

Let's use Serverless Kubernetes and Kaniko to implement a simple image building experiment, that is, to regularly synchronize images to the domestic ACR.

Step 1: Create a Serverless Kubernetes Cluster

Log on to the Container Service Console to create a Serverless cluster in 5s. (If it is a foreign source image repository, you can choose the US West region)


Step 2: Create a Secret, and Configure the ACR User Name and Password to Push the Image to ACR.

You can log on to CloudShell, and run the following command.

#docker login registry.cn-hangzhou.aliyuncs.com
#kubectl create secret generic regsecret --from-file=/root/.docker/config.json

Step 3: Create a Scheduled Task, CronJob

On the console, select a template to create the following scheduled task, to synchronize the busybox image to ACR hourly.

apiVersion: v1
kind: ConfigMap
  name: dockerfile-cm
  Dockerfile: |
    FROM busybox:latest
apiVersion: batch/v1beta1
kind: CronJob
  name: kaniko-builder
  schedule: "*/60 * * * *"
          - name: builder
            image: gcr.io/kaniko-project/executor:latest
            imagePullPolicy: Always
            - "--dockerfile=/configs/Dockerfile"
            - "--destination=registry.cn-hangzhou.aliyuncs.com/jovizhangwei/busybox:latest"
            - name: dockerfile
              readOnly: true
              mountPath: "/configs/"
            - name: secrets
              readOnly: true
              mountPath: "/root/.docker/"
          - name: dockerfile
              name: dockerfile-cm
          - name: secrets
              secretName: regsecret
          restartPolicy: OnFailure

After the job is executed, you can view ACR Image Repository to confirm that the image has been synchronized.

You can customize the template file as needed, such as modifying the image to be synchronized, and adding a build step. You can also set the resource limit of the pod (such as, VCPU 0.25/0.5/1) to complete the synchronization task at minimal computing cost.


From the example above, we can see that, based on the pay-as-you-go feature of Serverless Kubernetes, some scheduled and CI/CD tasks can be run at very low cost without maintaining a fixed computing resource pool. It is also applicable to other scenarios, such as stress testing, data computing, and workflow processing.


Happy Hacking!


  1. Deploy Jenkins in a serverless Kubernetes cluster and perform an application pipeline build
  2. Kaniko introduction
0 1 0
Share on

Alibaba Container Service

114 posts | 26 followers

You may also like


Alibaba Container Service

114 posts | 26 followers

Related Products