From 8ed3051f1153893d6b4e425e20eb5f3f5f316841 Mon Sep 17 00:00:00 2001 From: Priya Wadhwa Date: Wed, 16 May 2018 16:30:00 -0700 Subject: [PATCH] Docs for kaniko in gVisor --- README.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/README.md b/README.md index a500866e48..e8c990c551 100644 --- a/README.md +++ b/README.md @@ -16,6 +16,7 @@ Please let us know if you have any feature requests or find any bugs! - [Development](#development) - [kaniko Build Contexts](#kaniko-build-contexts) - [Running kaniko in a Kubernetes cluster](#running-kaniko-in-a-kubernetes-cluster) + - [Running kaniko in gVisor](#running-kaniko-in-gvisor) - [Running kaniko in Google Container Builder](#running-kaniko-in-google-container-builder) - [Running kaniko locally](#running-kaniko-locally) - [Pushing to Different Registries](#pushing-to-different-registries) @@ -106,6 +107,21 @@ spec: This example pulls the build context from a GCS bucket. To use a local directory build context, you could consider using configMaps to mount in small build contexts. +### Running kaniko in gVisor + +Running kaniko in [gVisor](https://github.com/google/gvisor) provides an additional security boundary. +You will need to add the `--force` flag to run kaniko in gVisor, since currently there isn't a way to determine whether or not a container is running in gVisor. + +```shell +docker run --runtime=runsc -v $(pwd):/workspace -v ~/.config:/root/.config \ +gcr.io/kaniko-project/executor:latest \ +--dockerfile= --context=/workspace \ +--destination=gcr.io/my-repo/my-image --force +``` + +We pass in `--runtime=runsc` to use gVisor. +This example mounts the current directory to `/workspace` for the build context and the `~/.config` directory for GCR credentials. + ### Running kaniko in Google Container Builder To run kaniko in GCB, add it to your build config as a build step:
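Review bot: in the added `docker run` example the `--dockerfile=` flag is left with an empty value (`--dockerfile= --context=/workspace`), so the command fails if copied as written; give it a value such as `--dockerfile=Dockerfile` or an explicit placeholder the reader is told to replace. The sentence about `--force` should also say what the flag actually does: it skips kaniko's check that it is running inside a container, so the reader understands they are turning off a safety check and should only do so when `--runtime=runsc` is genuinely in effect. Two smaller points in the same block: mounting all of `~/.config` into the container exposes more than the GCR credential the text says it is for, so consider narrowing the mount in the example, and `$(pwd)` should be quoted as `"$(pwd)"` so the command works from a directory whose path contains spaces.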