Building container images on your cluster with Knative Build

Transcript

1. Building container images on your cluster with Knative Build Gareth

   Rushgrove

2. @garethr Docker

3. This talk - Why build on your cluster? - The

   power of Custom Resources - Knative Build - Higher-level interfaces - The future What will we cover in this session

4. Why build on your cluster?

5. CI systems are production too A compromise of your build

   infrastructure is BAD

6. Why maintain separate build machines? Less variation makes for lower

   operations overhead

7. Build is a scheduling problem And Kubernetes is a pretty

   handy scheduler

8. The power of Custom Resources

9. None

10. The importance of extensions - Features that not everyone needs

    can still run on Kubernetes - Not everything needs to be in the core API - Adoption of extensions will help Kubernetes stand the test of time Solving specific problems as well as general ones

11. Knative Build

12. Knative Build is a CRD which adds primitives to Kubernetes

    for modelling the software build process
13. None

14. Installing Knative Build $ kubectl apply -f https://storage.googleapis.com/knative-releases/build/latest/release.yaml namespace "knative-build"

    created clusterrole.rbac.authorization.k8s.io "knative-build-admin" created serviceaccount "build-controller" created clusterrolebinding.rbac.authorization.k8s.io "build-controller-admin" created customresourcedefinition.apiextensions.k8s.io "builds.build.knative.dev" created customresourcedefinition.apiextensions.k8s.io "buildtemplates.build.knative.dev" created customresourcedefinition.apiextensions.k8s.io "clusterbuildtemplates.build.knative.dev" created customresourcedefinition.apiextensions.k8s.io "images.caching.internal.knative.dev" created service "build-controller" created service "build-webhook" created configmap "config-logging" created deployment.apps "build-controller" created deployment.apps "build-webhook" created

15. What did we just install? $ kubectl get pods --namespace

    knative-build NAME READY STATUS RESTARTS AGE pod/build-controller-5bf486fb95-dm446 1/1 Running 0 2m pod/build-webhook-7b8f64b77c-k7k5j 1/1 Running 0 2m NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE service/build-controller ClusterIP 10.96.253.190 <none> 9090/TCP 2m service/build-webhook ClusterIP 10.105.50.131 <none> 443/TCP 2m NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE deployment.apps/build-controller 1 1 1 1 2m deployment.apps/build-webhook 1 1 1 1 2m NAME DESIRED CURRENT READY AGE replicaset.apps/build-controller-5bf486fb95 1 1 1 2m replicaset.apps/build-webhook-7b8f64b77c 1 1 1 2m

16. What makes up Knative Build - A Build can include

    multiple steps where each step specifies a Builder. - A Builder is a type of container image that you create to accomplish any task, whether that's a single step in a process, or the whole process itself. - A BuildTemplate can be used to defined reusable templates. - Authenticate with ServiceAccount using Kubernetes Secrets. What are the new API primitives?

17. Warning Knative Build is for tool builders

18. Hello Build apiVersion: build.knative.dev/v1alpha1 kind: Build metadata: name: date spec:

    steps: - name: date image: debian:stable-slim args: ['/bin/date'] Thanks @sebgoa

19. Running the build $ kubectl apply -f date.yaml build.build.knative.dev "date"

    created $ kubectl get build NAME AGE date 9s $ kubectl get pods NAME READY STATUS RESTARTS AGE date-pod-c9b010 0/1 Init:1/2 0 41s $ kubectl logs date-pod-c9b010 Build successful
20. None

21. Existing build templates - Bazel - Buildah - Buildkit -

    Buildpacks - Jib - Kaniko Mainly generic build tool templates, but lots of potential Imagine higher-level templates for...

22. Installing build templates $ kubectl apply -f https://raw.githubusercontent.com/knative/build-templates/master/kaniko/kaniko.yaml buildtemplate.build.knative.dev "kaniko"

    created $ kubectl get buildtemplates NAME AGE kaniko 2m

23. Parameters apiVersion: build.knative.dev/v1alpha1 kind: BuildTemplate metadata: name: kaniko spec: parameters:

    - name: IMAGE description: The name of the image to push - name: DOCKERFILE description: Path to the Dockerfile to build. default: /workspace/Dockerfile steps: - name: build-and-push image: gcr.io/kaniko-project/executor args: - --dockerfile=${DOCKERFILE} - --destination=${IMAGE}

24. Steps apiVersion: build.knative.dev/v1alpha1 kind: BuildTemplate metadata: name: kaniko spec: parameters:

    - name: IMAGE description: The name of the image to push - name: DOCKERFILE description: Path to the Dockerfile to build. default: /workspace/Dockerfile steps: - name: build-and-push image: gcr.io/kaniko-project/executor args: - --dockerfile=${DOCKERFILE} - --destination=${IMAGE}

25. Describing a build apiVersion: build.knative.dev/v1alpha1 kind: Build metadata: name: kubeval-build

    spec: source: git: url: https://github.com/garethr/kubeval.git revision: master template: name: kaniko arguments: - name: IMAGE value: garethr/kubeval

26. Running a build $ kubectl apply -f kubeval.yaml build.build.knative.dev "kubeval-build"

    created $ kubectl get build kubeval-build -o yaml -w # grab the pod identifier $ kubectl logs -f kubeval-build-pod-8fd6e4 -c build-step-build-and-push INFO[0000] Downloading base image golang:1.8-alpine 2018/12/09 16:50:14 No matching credentials were found, falling back on anonymous INFO[0002] Executing 0 build triggers INFO[0002] Unpacking rootfs as cmd RUN apk --no-cache add make git requires it. INFO[0137] Taking snapshot of full filesystem... INFO[0138] Skipping paths under /builder/home, as it is a whitelisted directory INFO[0138] Skipping paths under /dev, as it is a whitelisted directory INFO[0138] Skipping paths under /kaniko, as it is a whitelisted directory INFO[0138] Skipping paths under /proc, as it is a whitelisted directory INFO[0138] Skipping paths under /sys, as it is a whitelisted directory INFO[0138] Skipping paths under /var/run, as it is a whitelisted directory

27. Higher-level interfaces

28. Remember Knative Build is for tool builders

29. The Kubernetes community is an interesting mix of systems engineers

    and end users This is both a strength and a weakness

30. If Knative is for tool builders, what about end users?

    The pros and cons of low-level APIs

31. Experimenting with template UI $ knt inspect kaniko kaniko https://raw.githubusercontent.com/knative/build-templates/master/kaniko/kaniko.yaml

    Parameters (2) Description Default ---------------- -------------------------------- --------------------- IMAGE The name of the image to push DOCKERFILE Path to the Dockerfile to build. /workspace/Dockerfile Steps (1) Image Command Args -------------- ------------------------------ --------- -------------------------- build-and-push gcr.io/kaniko-project/executor --dockerfile=${DOCKERFILE} --destination=${IMAGE}
32. None
33. None

34. Examples with TriggerMesh tm $ tm deploy build kubeval --source

    https://github.com/garethr/kubeval.git \ --buildtemplate docker --args IMAGE=garethr/kubeval $ tm get build kubeval "stepStates": [ { "terminated": { "exitCode": 0, "reason": "Completed", "startedAt": "2018-12-12T01:42:48Z", "finishedAt": "2018-12-12T01:46:41Z", "containerID": "docker://45913da527d4ee1160d9f0cce0119ec4ddcd920470a086beae7b4a6170f850bb" } } ], "stepsCompleted": [ "build-step-build" ],
35. None

36. Dockerfile to Knative Build FROM test-base AS Test RUN pytest

    --black FROM test-base AS Check RUN safety check FROM app AS Security ARG MICROSCANNER RUN wget -O /microscanner https://get.aquasec.com/microscanner && chmod +x /microscanner RUN /microscanner $MICROSCANNER --full-output FROM release CMD ["gunicorn", "-b", ":5000", "app:app"]

37. Generate steps from Dockerfile stages steps: - name: test image:

    'docker:18.09' args: ['build', '--target', 'test', '-t', "${IMAGE}:test", '.'] - name: check image: 'docker:18.09' args: ['build', '--target', 'check', '-t', "${IMAGE}:check", '.'] - name: security image: 'docker:18.09' args: ['build', '--target', 'security', '-t', "${IMAGE}:check", '.'] - name: build image: 'docker:18.09' args: ['build', '-t', "${IMAGE}", '.']
38. None

39. Demo

40. The future

41. None

42. Other things that might happen - A unified backend for

    different CI systems on Kubernetes? - Custom scheduling algorithms for build? - Decouple description from consumption of build information? - Convertors for popular formats? - Opinionated per-language/framework builders, including full pipelines? Commence speculation

43. Conclusion

44. Conclusions - Knative Build is for tool builder But if

    you’re building CI and building tooling then you should join the conversation - Knative Build needs folks experimenting with UI Low level bits are important, but not as important as end user solutions - Custom Resources in Kubernetes are great Expect further commoditization of parts of the software delivery toolchain If all you remember is...

45. Questions?