Actual behavior
Currently there is no way to only push an image without a build step. I would want to separate the build and push steps so that the build stage, which runs code execution, does not have push credentials to a private container registry. If there are code execution and registry credentials present in the kaniko executor, the registry could be compromised if the executor, and possibly the host system, are compromised.
If, however, there is no code execution taking place, it is safer to grant registry access to a kaniko executor.
Expected behavior
To have a flag in the executor which allows you to push only with some input image, e.g. a tar file produced by the tarPath argument of a previous kaniko executor job.
To Reproduce
NA
Additional Information
Triage Notes for the Maintainers
| Description | Yes/No |
|----------------|---------------|
| Please check if this a new feature you are proposing | |
| --cache flag | |
Most helpful comment
I'd like to see this feature as well for a staged build pipeline, where in between the build (that is not yet pushed except cached layers maybe) and the push stage I could use Trivy to check the built image for security issues. It's important to do this before pushing the final image and not after it has already been pushed. (see related question on how to do that https://stackoverflow.com/questions/62665625/how-to-perform-kaniko-docker-build-and-push-in-separate-gitlab-ci-stages )
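The following is an added example, not code from the kaniko project or from either commenter, of the pipeline shape that the issue's "Expected behavior" and the comment above both describe: a build stage that never holds registry credentials, a scan stage over the resulting tarball, and a push stage that is the only job referencing write credentials. Because kaniko has no push-only flag (the point of this issue), the push step here uses crane to load and push the tarball instead. Assumptions: GitLab CI, a Dockerfile at the repository root, the GitLab project registry as the private registry (`$CI_REGISTRY`, `$CI_REGISTRY_IMAGE`), and two masked CI variables `PUSH_REGISTRY_USER` and `PUSH_REGISTRY_TOKEN` holding the write credentials; all of these names are placeholders for the reader's own setup.

```yaml
# Added example (not from the kaniko project or the issue author): a GitLab CI
# pipeline that keeps registry write credentials out of the job that executes
# build steps. Assumed: Dockerfile at the repo root; PUSH_REGISTRY_USER and
# PUSH_REGISTRY_TOKEN are masked CI variables (placeholder names) with write
# access to the registry named by $CI_REGISTRY_IMAGE. kaniko has no push-only
# mode, so the push stage uses crane.
stages:
  - build
  - scan
  - push

build:
  stage: build
  image:
    name: gcr.io/kaniko-project/executor:debug
    entrypoint: [""]
  script:
    # --no-push: the executor, which runs the Dockerfile's RUN steps, never
    #   authenticates to or contacts the registry.
    # --tarPath: the built image is written to a tarball for later stages.
    # --destination is still required by kaniko to name the image in the tar.
    - >
      /kaniko/executor
      --context "$CI_PROJECT_DIR"
      --dockerfile "$CI_PROJECT_DIR/Dockerfile"
      --destination "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
      --no-push
      --tarPath "$CI_PROJECT_DIR/image.tar"
  artifacts:
    paths:
      - image.tar
    expire_in: 1 hour

scan:
  stage: scan
  image:
    name: aquasec/trivy:latest
    entrypoint: [""]
  script:
    # Scan the tarball before anything reaches the registry; a non-zero exit
    # on HIGH/CRITICAL findings stops the pipeline so the push job never runs.
    - trivy image --input image.tar --exit-code 1 --severity HIGH,CRITICAL

push:
  stage: push
  image:
    name: gcr.io/go-containerregistry/crane:debug
    entrypoint: [""]
  script:
    # Only this job references the write credentials. It executes nothing from
    # the build context; it just loads the scanned tarball and pushes it.
    - crane auth login "$CI_REGISTRY" -u "$PUSH_REGISTRY_USER" -p "$PUSH_REGISTRY_TOKEN"
    - crane push image.tar "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
```

The security property comes from the job boundary: the credentials are referenced only in `push`, and the `build` job, where attacker-controlled Dockerfile instructions actually execute, has neither a login step nor any credential variable in its environment by construction. If the same runner host is shared across jobs, that isolation is only as strong as the runner's job isolation, which is the residual risk the issue author points at.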