Skip to content

Files

Latest commit

AkihiroSudaAkihiroSuda
rootless: guide for Bottlerocket OS (`sysctl -w user.max_user_namespa…
Mar 9, 2023
c67176a · Mar 9, 2023

History

History
This branch is 323 commits behind moby/buildkit:master.

kubernetes

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
consistenthash
consistenthash
Mar 9, 2022
README.md
README.md
Sep 9, 2022
create-certs.sh
create-certs.sh
Jan 18, 2023
deployment+service.privileged.yaml
deployment+service.privileged.yaml
Nov 22, 2020
deployment+service.rootless.yaml
deployment+service.rootless.yaml
Sep 9, 2022
job.privileged.yaml
job.privileged.yaml
Nov 22, 2020
job.rootless.yaml
job.rootless.yaml
Sep 9, 2022
pod.privileged.yaml
pod.privileged.yaml
Nov 22, 2020
pod.rootless.yaml
pod.rootless.yaml
Sep 9, 2022
statefulset.privileged.yaml
statefulset.privileged.yaml
Nov 22, 2020
statefulset.rootless.yaml
statefulset.rootless.yaml
Sep 9, 2022
sysctl-userns.privileged.yaml
sysctl-userns.privileged.yaml
Mar 9, 2023

README.md

Kubernetes manifests for BuildKit

This directory contains Kubernetes manifests for Pod, Deployment (with Service), StatefulSet, and Job.

  • Pod: good for quick-start
  • Deployment + Service: good for random load balancing with registry-side cache
  • StateFulset: good for client-side load balancing, without registry-side cache
  • Job: good if you don't want to have daemon pods

Using Rootless mode (*.rootless.yaml) is recommended because Rootless mode image is executed as non-root user (UID 1000) and doesn't need securityContext.privileged. See ../../docs/rootless.md.

See also "Building Images Efficiently And Securely On Kubernetes With BuildKit" (KubeCon EU 2019).

Pod

$ kubectl apply -f pod.rootless.yaml
$ buildctl \
  --addr kube-pod://buildkitd \
  build --frontend dockerfile.v0 --local context=/path/to/dir --local dockerfile=/path/to/dir

If rootless mode doesn't work, try pod.privileged.yaml.

⚠️ kube-pod:// connection helper requires Kubernetes role that can access pods/exec resources. If pods/exec is not accessible, use Service instead (See below).

Deployment + Service

Setting up mTLS is highly recommended.

./create-certs.sh SAN [SAN...] can be used for creating certificates.

$ ./create-certs.sh 127.0.0.1

The daemon certificates is created as Secret manifest named buildkit-daemon-certs.

$ kubectl apply -f .certs/buildkit-daemon-certs.yaml

Apply the Deployment and Service manifest:

$ kubectl apply -f deployment+service.rootless.yaml
$ kubectl scale --replicas=10 deployment/buildkitd

Run buildctl with TLS client certificates:

$ kubectl port-forward service/buildkitd 1234
$ buildctl \
  --addr tcp://127.0.0.1:1234 \
  --tlscacert .certs/client/ca.pem \
  --tlscert .certs/client/cert.pem \
  --tlskey .certs/client/key.pem \
  build --frontend dockerfile.v0 --local context=/path/to/dir --local dockerfile=/path/to/dir

StatefulSet

StatefulSet is useful for consistent hash mode.

$ kubectl apply -f statefulset.rootless.yaml
$ kubectl scale --replicas=10 statefulset/buildkitd
$ buildctl \
  --addr kube-pod://buildkitd-4 \
  build --frontend dockerfile.v0 --local context=/path/to/dir --local dockerfile=/path/to/dir

See ./consistenthash for how to use consistent hashing.

Job

$ kubectl apply -f job.rootless.yaml

To push the image to the registry, you also need to mount ~/.docker/config.json and set $DOCKER_CONFIG to /path/to/.docker directory.