Most container images today are built using one of two primary approaches: either by relying on privileged containers or by employing a highly specialized method like Kaniko. While privileged builds are often used, they pose a well-known risk, making the build environment inherently insecure. Kaniko has presented its own set of challenges, and its recent discontinuation by Google has led many teams to seek viable alternatives.
This situation naturally leads to the question: Why can't we just use any regular container build tool for unprivileged operations? The answer comes down to the complexities of "running containers within containers", a core technical challenge that has historically presented various roadblocks.
This talk will explore the current state of unprivileged container image builds. We'll delve into the underlying technical challenges that have historically constrained these efforts, and how continuous advancements over recent years are shaping what's possible. This evolution creates opportunities for more secure and efficient build pipelines.
We'll examine the different approaches available today, assessing their capabilities and limitations. You'll learn how these modern approaches enhance the security of your build pipeline, increase reliability by reducing reliance on elevated privileges, and simplify your overall build processes. By the end of this session, you'll have a clear overview of the landscape, enabling you to make informed decisions and adopt the right build solution for your environment, achieving stronger security and streamlined operations.