Reducing build time on OpenShift using Kaniko

Øyvind Ødegård
Oct 20, 2018

Not only do you need a working CI/deployment pipeline to have a quick and smooth way to get your code into production, you also need to make sure building images does not slow you down.

OpenShift comes with support for building images using OpenShift Builds, which might work well for you. But I have experienced slow builds (both start-up time and actual build time) and unpredictable behaviour, and it requires you to install MiniShift if you want to build your image locally.

So what do you do? You look at options such as Buildah, orca or Bazel, but they all have drawbacks, like running as root, no longer being developed or requiring complex configuration. Note that Buildah will be supported in OpenShift in the future, whenever that is.

But for now, having something that would make building container images easy and fast would be great! Hint: Try Kaniko.

Even if Kaniko is not optimal in your case, it may be worth trying out, as getting started with it is pretty straightforward and does not require a lot of time. Plus, the documentation is good and the usage is widespread on Kubernetes. OpenShift usage is not very widespread yet, although running Kaniko there is very similar to running it on Kubernetes.

Getting your hands dirty

First, you need to start a build Pod either from Jenkins or somewhere else.

The Pod definition should look something like this:

First you have to specify the Dockerfile, the build context (e.g. the directory you want to build from) and the destination to push the image to. In this example the first two are located using a PersistentVolumeClaim.

The base Dockerfile should contain as few layers as possible because the layers will be extracted in turn, and more layers means longer build time!

Another PersistentVolumeClaim is used to hold the Docker config, here called docker-config. <auth> should be replaced with a base64-encoded string of username:password, or if the registry is an OpenShift registry, a base64-encoded service account token with access to the specified registry project.
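An added example (not part of the original post) that generates the Docker config with the `<auth>` value described above. The registry host, user name and password are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: build the Docker config.json that holds the <auth> value.
# Registry host and credentials are constructed placeholders.

# Base64-encode a string onto a single line.
# printf avoids the trailing newline that echo would append to the
# credential, and tr removes the line wraps that base64 inserts into long
# inputs (a service account token is long enough to be wrapped).
b64_oneline() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Decode an auth value again to verify what will be sent to the registry.
# base64 is an encoding, not encryption: anyone who can read the config
# can recover the credential this way.
decode_auth() {
    printf '%s' "$1" | base64 -d
}

# Emit config.json for one registry.
# $1 = registry host, $2 = already base64-encoded auth value
docker_config_json() {
    printf '{"auths":{"%s":{"auth":"%s"}}}\n' "$1" "$2"
}

# Write config.json for a username:password pair, readable by the owner only.
# $1 = output directory, $2 = registry host, $3 = username, $4 = password
write_docker_config() {
    (
        umask 077
        mkdir -p "$1" &&
            docker_config_json "$2" "$(b64_oneline "$3:$4")" > "$1/config.json"
    )
}

# Demo with constructed values: print the config instead of writing it.
docker_config_json "registry.example.com" "$(b64_oneline 'builder:constructed-password')"
```

Because the auth value decodes back to the credential, restrict who can read the volume that holds this file.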

What is important to note, is that you have to specify a with the value . Also make sure you have a ServiceAccount with SCC (Security Context Constraint) anyuid.

Build and publish your image

Now that you have set everything up, you are ready to test it out. Start the Kaniko pod as follows.

Check the output

If successful, the pod should be marked as completed ✓.

Congratulations! Your image containing your app should be published to the registry, hopefully much faster than using OpenShift Builds.
