{"id":13451582,"url":"https://github.com/containerbuilding/cbi","last_synced_at":"2025-09-29T10:31:05.914Z","repository":{"id":57501226,"uuid":"127116145","full_name":"containerbuilding/cbi","owner":"containerbuilding","description":"Container Builder Interface for Kubernetes with support for several backends (Docker, BuildKit, Buildah, kaniko, img, Google Cloud Container Builder, Azure Container Registry Build, OpenShift Source-to-Image...)","archived":true,"fork":false,"pushed_at":"2019-05-14T18:26:32.000Z","size":4474,"stargazers_count":243,"open_issues_count":15,"forks_count":18,"subscribers_count":15,"default_branch":"master","last_synced_at":"2025-01-17T04:46:08.015Z","etag":null,"topics":["buildah","buildkit","docker","docker-image","dockerfile","kaniko","kubernetes","opencontainers"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/containerbuilding.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2018-03-28T09:23:48.000Z","updated_at":"2024-10-02T04:09:54.000Z","dependencies_parsed_at":"2022-09-14T19:41:44.290Z","dependency_job_id":null,"html_url":"https://github.com/containerbuilding/cbi","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/containerbuilding%2Fcbi","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/containerbuilding%2Fcbi/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/containerbuilding%2Fcbi/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/r
epositories/containerbuilding%2Fcbi/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/containerbuilding","download_url":"https://codeload.github.com/containerbuilding/cbi/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":234609323,"owners_count":18859849,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["buildah","buildkit","docker","docker-image","dockerfile","kaniko","kubernetes","opencontainers"],"created_at":"2024-07-31T07:00:56.294Z","updated_at":"2025-09-29T10:31:02.688Z","avatar_url":"https://github.com/containerbuilding.png","language":"Go","funding_links":[],"categories":["Go"],"sub_categories":[],"readme":"# :warning: CBI is no longer under active development, in favor of [Tekton](https://tekton.dev/).  
See [`tektoncd/pipeline`](https://github.com/tektoncd/pipeline) and [`tektoncd/catalog`](https://github.com/tektoncd/catalog).\n\n---\n\n# CBI: Container Builder Interface for Kubernetes\n\nCBI provides a vendor-neutral interface for building (and pushing) container images on top of a Kubernetes cluster,\nwith support for several backends such as [Docker](https://www.docker.com), [BuildKit](https://github.com/moby/buildkit), [Buildah](https://github.com/projectatomic/buildah), [kaniko](https://github.com/GoogleCloudPlatform/kaniko), [img](https://github.com/genuinetools/img), [Google Cloud Container Builder](https://cloud.google.com/container-builder/), [Azure Container Registry Build](https://azure.microsoft.com/services/container-registry/) and [OpenShift Source-to-Image (S2I)](https://github.com/openshift/source-to-image).\n\n![cbi.png](./docs/cbi.png)\n\n\u003c!-- TOC generator: https://github.com/stakiran/intoc --\u003e\n\n - [Current status](#current-status)\n   - [Specification](#specification)\n   - [Implementation](#implementation)\n - [Quick start](#quick-start)\n   - [Installation](#installation)\n   - [Run your first `buildjob`](#run-your-first-buildjob)\n - [Advanced usage](#advanced-usage)\n   - [Push to a registry](#push-to-a-registry)\n   - [Build contexts](#build-contexts)\n     - [ConfigMap context](#configmap-context)\n     - [Git context](#git-context)\n     - [HTTP(S) context](#https-context)\n     - [Rclone context (S3, Dropbox, SFTP, and many)](#rclone-context-s3-dropbox-sftp-and-many)\n   - [Plugin](#plugin)\n     - [Specify the plugin explicitly](#specify-the-plugin-explicitly)\n     - [Google Cloud Container Builder plugin](#google-cloud-container-builder-plugin)\n     - [Azure Container Registry Build plugin](#azure-container-registry-build-plugin)\n     - [Openshift Source-to-Image plugin](#openshift-source-to-image-plugin)\n - [Design (subject to change)](#design-subject-to-change)\n   - [Components](#components)\n   - [Build 
context](#build-context)\n     - [BuildkitSession (Planned)](#buildkitsession-planned)\n - [Contribute to CBI](#contribute-to-cbi)\n   - [Testing](#testing)\n   - [Local testing with DinD](#local-testing-with-dind)\n - [FAQs](#faqs)\n   - [Q: Does CBI standardize the Dockerfile specification?](#q-does-cbi-standardize-the-dockerfile-specification)\n   - [Q: Does CBI replace BuildKit?](#q-does-cbi-replace-buildkit)\n   - [Q: Is CBI a part of Kubernetes, a Kubernetes incubator, or a CNCF project?](#q-is-cbi-a-part-of-kubernetes-a-kubernetes-incubator-or-a-cncf-project)\n\n## Current status\n\n### Specification\n\n* CBI CRD: pre-alpha, see [`pkg/apis/cbi/v1alpha1/types.go`](pkg/apis/cbi/v1alpha1/types.go).\n* CBI plugin API: pre-alpha, see [`pkg/plugin/api/plugin.proto`](pkg/plugin/api/plugin.proto).\n\n### Implementation\n\n* CBI controller daemon (`cbid`): pre-alpha, see [`cmd/cbid`](cmd/cbid).\n\n* Plugins (all of them are pre-alpha):\n\nPlugin    |Backend                                                                                   |Dockerfile|`cloudbuild.yaml`|OpenShift S2I|BuildKit LLB|ACB Pipeline\n----------|------------------------------------------------------------------------------------------|----------|-----------------|-------------|------------|------------\n`docker`  |[Docker](https://www.docker.com)                                                          |Yes ✅    |                 |             |            |\n`buildkit`|[BuildKit](https://github.com/moby/buildkit)                                              |Yes ✅    |                 |             |Planned     |\n`buildah` |[Buildah](https://github.com/projectatomic/buildah)                                       |Yes ✅    |                 |             |            |\n`kaniko`  |[kaniko](https://github.com/GoogleCloudPlatform/kaniko)                                   |Yes ✅    |                 |             |            |\n`img`     |[img](https://github.com/genuinetools/img)                
                                |Yes ✅    |                 |             |            |\n`gcb`     |[Google Cloud Container Builder](https://cloud.google.com/container-builder/)             |Yes ✅    |Yes ✅           |             |            |\n`acb`     |[Azure Container Registry Build](https://azure.microsoft.com/services/container-registry/)|Yes ✅    |                 |             |Planned     |Planned\n`s2i`     |[OpenShift Source-to-Image (S2I)](https://github.com/openshift/source-to-image)           |          |                 |Yes ✅       |            |\n\n* Planned plugins (subject to change): [Bazel](https://github.com/bazelbuild/rules_docker), [Singularity](http://singularity.lbl.gov), [OpenShift Image Builder](https://github.com/openshift/imagebuilder), [Orca](https://github.com/cyphar/orca-build), ...\n\n\n* Context providers (available for all plugins)\n    * ConfigMap\n    * Git, with support for SSH secret\n    * HTTP(S)\n    * [Rclone](https://rclone.org): Amazon Drive, Amazon S3, Backblaze B2, Box, Ceph, DigitalOcean Spaces, Dreamhost, Dropbox, FTP, Google Cloud Storage, Google Drive, HTTP, Hubic, IBM COS S3, Memset Memstore, Microsoft Azure Blob Storage, Microsoft OneDrive, Minio, Nextloud, OVH, Openstack Swift, Oracle Cloud Storage, Ownloud, pCloud, put.io, QingStor, Rackspace Cloud Files, SFTP, Wasabi, WebDAV, Yandex Disk\n\n* Planned context providers: [BuildKitSession](https://github.com/moby/buildkit/blob/b7424f41fdf60b178c5227abdd54cb615161123d/session/manager.go#L46)\n\nPlease feel free to open PRs to add other plugins.\n\n## Quick start\n\nRequires Kubernetes 1.9 or later.\n\n### Installation\n\n```console\n$ kubectl apply -f https://raw.githubusercontent.com/containerbuilding/cbi/master/cbi-latest.yaml\n```\n\nEverything (except `CustomResourceDefinition`, `ClusterRole`, and `ClusterRoleBinding`) will be installed to the `cbi-system` namespace.\n\nYou may edit the YAML file to change the namespace or to add 
`NetworkPolicy`.\n\n\u003cdetails\u003e\n\u003csummary\u003eHint for Google Kubernetes Engine (GKE) users\u003c/summary\u003e\n\u003cp\u003e\n If you hit \u003ca href=\"https://stackoverflow.com/questions/46307325/gke-clusterrolebinding-for-cluster-admin-fails-with-permission-error\"\u003ean error while creating \u003ccode\u003eclusterrolebindings\u003c/code\u003e\u003c/a\u003e, you need to execute \u003ccode\u003ekubectl\u003c/code\u003e command as follows:\n\n \u003cpre\u003e\n$ pw=$(gcloud --format json container clusters describe ${YOUR_GKE_CLUSTER_NAME} | jq -r .masterAuth.password)\n$ kubectl --username=admin --password=${pw} ...\n \u003c/pre\u003e\n \u003c/p\u003e\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003eHint for OpenShift users\u003c/summary\u003e\n\u003cp\u003e\n\u003ccode\u003eoc login -u system:admin -n default\u003c/code\u003e might be needed before running \u003ccode\u003ekubectl\u003c/code\u003e.\n\nYou would also need to enable privileged containers for most plugins. 
(how?)\n\u003c/p\u003e\n\u003c/details\u003e\n\nThe CBI controller daemon and the following plugins will be installed:\n\nPlugin    | Requirements\n--------- | ------------------------------\n`docker`  | Docker needs to be installed on the hosts\n`buildah` | Privileged containers need to be enabled\n`buildkit`| Privileged containers need to be enabled\n`kaniko`  | None (Google Cloud is not needed)\n`img`     | Privileged containers need to be enabled (See [`kubernetes/community#1934`](https://github.com/kubernetes/community/pull/1934) and [Jess's blog](https://blog.jessfraz.com/post/building-container-images-securely-on-kubernetes/) for the ongoing work to remove this requirement)\n`gcb`     | Requires Google Cloud service account with IAM roles, see [this section](#google-cloud-container-builder-plugin) (Your cluster does not need to be GKE or on GCE)\n`acb`     | Requires Azure service principal with IAM roles, see [this section](#azure-container-registry-build-plugin) (Your cluster does not need to be AKS or on Azure VMs)\n`s2i`     | Docker needs to be installed on the hosts (OpenShift is not needed)\n\nThe default plugin is `docker`.\n\nYou may edit the YAML file to remove unneeded plugins or change the priorities.\n\n### Run your first `buildjob`\n\nCreate a buildjob `ex-git-nopush` from [`examples/ex-git-nopush.yaml`](examples/ex-git-nopush.yaml):\n```console\n$ kubectl create -f https://raw.githubusercontent.com/containerbuilding/cbi/master/examples/ex-git-nopush.yaml\nbuildjob \"ex-git-nopush\" created\n```\n\nMake sure the buildjob is created:\n```console\n$ kubectl get buildjobs\nNAME      AGE\nex-git-nopush       3s\n```\n\nInspect the underlying job and the result:\n```console\n$ kubectl get job $(kubectl get buildjob ex-git-nopush --output=jsonpath={.status.job})\nNAME      DESIRED   SUCCESSFUL   AGE\nex-git-nopush-job   1         1            30s\n$ kubectl logs $(kubectl get pods --selector=job-name=ex-git-nopush-job --show-all 
--output=jsonpath={.items..metadata.name})\nSending build context to Docker daemon 79.87 kB\nStep 1 : FROM alpine:latest\n...\nSuccessfully built bef4a548fb02\n```\n\nDelete the buildjob (and the underlying job)\n```console\n$ kubectl delete buildjobs ex-git-nopush\nbuildjob \"ex-git-nopush\" deleted\n```\n\n## Advanced usage\n\n### Push to a registry\n\nFirst you need to create a credential using `kubectl create secret docker-registry ...`.\nSee [Kubernetes's manual](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/).\n\n\u003cdetails\u003e\n\u003csummary\u003eHint for Amazon Elastic Container Registry (ECR) users\u003c/summary\u003e\n\u003cp\u003e\nYou can create the credential as follows (expires per 12 hours):\n\n\u003cpre\u003e\n$ TOKEN=`aws ecr get-authorization-token --output text --query authorizationData[].authorizationToken | base64 -d | cut -d: -f2`\n$ kubectl create secret docker-registry my-registry-secret \\\n --docker-server=https://12345678.dkr.ecr.ap-northeast-1.amazonaws.com \\\n --docker-username=AWS \\\n --docker-password=\"${TOKEN}\" \\\n --docker-email=\"${EMAIL}\"\n\u003c/pre\u003e\n\u003c/p\u003e\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003eHint for Google Container Registry (GCR) users\u003c/summary\u003e\n\u003cp\u003e\nSee \u003ca href=\"http://docs.heptio.com/content/private-registries/pr-gcr.html\"\u003ehere\u003c/a\u003e for creating the credential.\n\u003c/p\u003e\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003eHint for Azure Container Registry (ACR) users\u003c/summary\u003e\n\u003cp\u003e\nSee \u003ca href=\"https://docs.microsoft.com/en-us/azure/container-registry/container-registry-auth-service-principal\"\u003ehere\u003c/a\u003e for creating the credential.\n\u003c/p\u003e\n\u003c/details\u003e\n\nYou can specify the registry credential via `spec.registry.secretRef.name`.\n\nExample manifest:\n\n```yaml\napiVersion: 
cbi.containerbuilding.github.io/v1alpha1\nkind: BuildJob\nmetadata:\n  name: ex-git-push\nspec:\n  registry:\n    target: example.com/foo/bar:baz\n    push: true\n    secretRef:\n      name: docker-registry-secret-name\n  language:\n    kind: Dockerfile\n  context:\n    kind: Git\n    git:\n      url: ssh://me@git.example.com/foo/bar.git\n```\n\nNote: for Google Cloud Container Builder plugin, please refer to the [Google Cloud Container Builder plugin](#google-cloud-container-builder-plugin) section.\n\nNote: for Azure Container Registry Build plugin, please refer to the [Azure Container Registry Build plugin](#azure-container-registry-build-plugin) section.\n\n### Build contexts\n\n#### ConfigMap context\n\nThis is the easiest but only suitable for trivial images.\n\nExample manifest:\n\n```yaml\napiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: ex-configmap-nopush-configmap\ndata:\n  Dockerfile: |-\n    FROM busybox\n    ADD hello /\n    RUN cat /hello\n  hello: \"hello, world\"\n---\napiVersion: cbi.containerbuilding.github.io/v1alpha1\nkind: BuildJob\nmetadata:\n  name: ex-configmap-nopush\nspec:\n  registry:\n    target: example.com/foo/ex-configmap-nopush\n    push: false\n  language:\n    kind: Dockerfile\n  context:\n    kind: ConfigMap\n    configMapRef:\n      name: ex-configmap-nopush-configmap\n```\n\n#### Git context\n\nGit context is suitable for most cases.\n\nIf the repo is private, you need to create a SSH secret as follows, and specify the secret via `spec.context.git.sshSecretRef.name`:\n\n```console\n$ kubectl create secret generic ssh-secret-name --from-file=id_rsa=$HOME/.ssh/id_rsa --from-file=config=$HOME/.ssh/config --from-file=known_hosts=$HOME/.ssh/known_hosts\n```\n\nExample manifest:\n\n```yaml\napiVersion: cbi.containerbuilding.github.io/v1alpha1\nkind: BuildJob\nmetadata:\n  name: ex-git-nopush\nspec:\n  registry:\n    target: example.com/foo/bar:baz\n    push: false\n  language:\n    kind: Dockerfile\n  context:\n    kind: Git\n    
git:\n# only url is mandatory. See git(1) for url spec.\n      url: ssh://me@git.example.com/foo/bar.git\n      revision: master\n      sshSecretRef:\n        name: ssh-secret-name\n```\n\n#### HTTP(S) context\n\nHTTP(S) context provider allows using tar(.gz) archive as a build context.\nThis is useful for sending large contexts without interacting with a git repo.\n\nYou can create a temporary HTTP server in the Kubernetes cluster, and upload a context tarball as follows.\n```console\n$ kubectl run nginx --image nginx:alpine --port 80\n$ kubectl expose deployment nginx\n$ tar cvf a.tar /path/to/your-context-directory\n$ kubectl cp a.tar $(kubectl get pod -l run=nginx -o jsonpath={..metadata.name}):/usr/share/nginx/html\n```\n\nExample manifest:\n\n```yaml\napiVersion: cbi.containerbuilding.github.io/v1alpha1\nkind: BuildJob\nmetadata:\n  name: ex\nspec:\n  registry:\n    target: example.com/foo/bar:baz\n    push: false\n  language:\n    kind: Dockerfile\n  context:\n    kind: HTTP\n    http:\n      url: http://nginx/a.tar\n```\n\n#### Rclone context (S3, Dropbox, SFTP, and many)\n\n[Rclone](https://rclone.org) supports fetching files and directories from various storage services: Amazon Drive, Amazon S3, Backblaze B2, Box, Ceph, DigitalOcean Spaces, Dreamhost, Dropbox, FTP, Google Cloud Storage, Google Drive, HTTP, Hubic, IBM COS S3, Memset Memstore, Microsoft Azure Blob Storage, Microsoft OneDrive, Minio, Nextloud, OVH, Openstack Swift, Oracle Cloud Storage, Ownloud, pCloud, put.io, QingStor, Rackspace Cloud Files, SFTP, Wasabi, WebDAV, Yandex Disk.\n\nAny backend supported by Rclone should work with CBI, although only Amazon S3 is tested with CBI currently.\n\nTo use Rclone context provider, you need to create a secret from your `~/.config/rclone/rclone.conf`, and specify as `spec.context.rclone.secretRef`.\n\n```console\n$ kubectl create secret generic my-rclone-secret --from-file=$HOME/.config/rclone/rclone.conf\n```\n\nExample 
manifest:\n\n```yaml\napiVersion: cbi.containerbuilding.github.io/v1alpha1\nkind: BuildJob\nmetadata:\n  name: ex-rclone-nopush\nspec:\n  registry:\n    target: example.com/foo/ex-rclone-nopush\n    push: false\n  language:\n    kind: Dockerfile\n  context:\n    kind: Rclone\n    rclone:\n      remote: s3\n      path: my-s3-bucket/some-directory\n      secretRef:\n        name: my-rclone-secret\n```\n\nTo use an SFTP remote, you might need to specify `spec.context.rclone.sshSecretRef` as in Git context.\n\n### Plugin\n\n#### Specify the plugin explicitly\n\nUsually, the plugin is automatically selected by the CBI controller daemon.\n\nHowever, if you prefer a specific plugin for some reason such as performance or stability,\nyou can specify the plugin explicitly using the `spec.pluginSelector` constraint.\n\ne.g. for Buildah plugin (`plugin.name=buildah`),\n\n```yaml\napiVersion: cbi.containerbuilding.github.io/v1alpha1\nkind: BuildJob\nmetadata:\n  ...\nspec:\n  pluginSelector: plugin.name=buildah\n  ...\n```\n\n#### Google Cloud Container Builder plugin\n\nYou need to create a Google Cloud service account JSON with the following IAM roles in https://console.cloud.google.com/iam-admin/serviceaccounts :\n\n * `Cloud Container Builder Editor`\n * `Project Viewer`\n * `Storage Admin`\n\nAnd create a corresponding Kubernetes secret that contains `json` as follows:\n\n```console\n$ kubectl create secret generic my-gcb --from-file=json=my-gcb-service-account.json\n```\n\nYou don't need to use GKE (though of course you can).\n\nExample manifest:\n\n```yaml\napiVersion: cbi.containerbuilding.github.io/v1alpha1\nkind: BuildJob\nmetadata:\n  name: ex-git-push\n  annotations:\n    cbi-gcb/secret: my-gcb\n    cbi-gcb/project: my-gcp-project\nspec:\n  registry:\n    target: gcr.io/example/foo\n    push: true\n  language:\n    kind: Dockerfile\n  context:\n    kind: Git\n    git:\n      url: https://git.example.com/foo/bar.git\n  pluginSelector: plugin.name=gcb\n```\n\nNote:\n\n* 
`metadata.annotations[\"cbi-gcb/secret\"]` needs to be set to the name of the secret\n* `metadata.annotations[\"cbi-gcb/project\"]` needs to be set to the name of the Google Cloud project\n* `spec.registry.target` needs to be in the `gcr.io/*` or `*.gcr.io/*` namespace.\n* `spec.registry.push` needs to be `true`\n* `spec.registry.secretRef` must not be set\n\n\nIn addition to Dockerfile, the `gcb` plugin also supports building images from `cloudbuild.yaml`.\n\nSee [`examples/ex-google-cloudbuild-push.yaml.sh`](examples/ex-google-cloudbuild-push.yaml.sh).\n\n#### Azure Container Registry Build plugin\n\nYou need to [create an Azure service principal with a PEM/DER cert](https://docs.microsoft.com/en-us/cli/azure/create-an-azure-service-principal-azure-cli):\n\n```console\n$ az ad sp create-for-rbac --name ServicePrincipalName --create-cert\n{\n  \"appId\": \"...\",\n  \"displayName\": \"...\"\",\n  \"fileWithCertAndPrivateKey\": \"my-acb.pem\",\n  \"name\": \"http://...\",\n  \"password\": null,\n  \"tenant\": \"...\"\n}\n```\n\nAnd create a corresponding Kubernetes secret that contains `cert` as follows:\n\n```console\n$ kubectl create secret generic my-acb --from-file=cert=my-acb.pem\n```\n\nYou don't need to use AKS (though of course you can).\n\nExample manifest:\n\n```yaml\napiVersion: cbi.containerbuilding.github.io/v1alpha1\nkind: BuildJob\nmetadata:\n  name: ex-git-push\n  annotations:\n    cbi-acb/secret: my-acb\n    cbi-acb/app-id: APP_ID\n    cbi-acb/tenant: TENANT\nspec:\n  registry:\n    target: example.azurecr.io/example/foo\n    push: true\n  language:\n    kind: Dockerfile\n  context:\n    kind: Git\n    git:\n      url: https://git.example.com/foo/bar.git\n  pluginSelector: plugin.name=acb\n```\n\nNote:\n\n* `metadata.annotations[\"cbi-acb/secret\"]` needs to be set to the name of the secret\n* `metadata.annotations[\"cbi-acb/app-id\"]` needs to be set to the App ID.\n* `metadata.annotations[\"cbi-acb/tenant\"]` needs to be set to the tenant ID.\n* 
`spec.registry.target` needs to be in the  `*.azurecr.io/*` namespace.\n* `spec.registry.secretRef` must not be set\n* To prevent the password from being leaked via the `az login` command line strings in Kubernetes Job objects, we don't support password-based authentication for the service principal.\n  You may need to create an additional password-based service principal for `ImagePullSecret`. See [here](https://docs.microsoft.com/en-us/azure/container-registry/container-registry-auth-service-principal).\n\n#### Openshift Source-to-Image plugin\n\n`s2i` plugin supports building images from S2I source but it does not support Dockerfile.\n\nSee [`examples/ex-s2i-nopush.yaml`](examples/ex-s2i-nopush.yaml).\n\n## Design (subject to change)\n\n### Components\n\nCBI is composed of the following specifications and implementations.\n\nSpecifications:\n\n* CBI CRD: Kubernetes custom resource definition for `buildjob` objects.\n* CBI plugin API: gRPC API used for connecting `cbid` to plugins.\n\nImplementations:\n\n* CBI controller daemon (`cbid`): a controller that watches creation of CBI CRD objects and creates [Kubernetes Job](https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/#what-is-a-job) objects correspondingly.\n* CBI CLI (`cbictl`): a reference CLI implementation for `cbid`\n* CBI plugins: the actual pods that build and push images.\n* CBI session manager (`cbism`): pods that speak [BuildKit session gRPC](https://github.com/moby/buildkit/blob/9f6d9a9e78f18b2ffc6bc4f211092722685cc853/session/filesync/filesync.proto) (or other similar protocols) for supporting large build context and diffcopy.\n\nThe concept of CBI session manager (`cbism`) is decoupled from `cbid`, so as to make `cbid` free from I/O overhead.\n\n### Build context\n\nCBI defines the following values for `context.kind`:\n\n* `ConfigMap`: Kubernetes config map. 
Only suitable for small contexts.\n* `Git`: git repository, with support for Kubernetes secrets \n* `HTTP`: HTTP(S) tar(.gz) ball\n* `Rclone`: Rclone\n\nPlugin implementations SHOULD implement `ConfigMap`, `Git`, and `HTTP`, but none of them is mandatory.\nAlso, implementations MAY accept non-standard `context.kind` values.\n\nFor ease of implementation of these context providers, CBI provides [`cbipluginhelper` image](./Dockerfile.cbipluginhelper) that contains CLI utilities for accessing these remote contexts.\nPlugin implementations may inject the `cbipluginhelper` image with an `emptyDir` volume into the `initContainers` of the job pods, so as to support contexts that are not natively supported by the backends.\n\ne.g. CBI plugin for Docker (`cbi-docker`) supports Rclone context using `cbipluginhelper`, while Docker itself does not support Rclone.\n\n#### BuildkitSession (Planned)\n\nIf `BuildkitSession` is specified as `context.kind`, the pod ID of a CBI session manager, TCP port number, and the session ID would be set to the status fields of the `BuildJob` object.\n\nThe client is expected to send the context to the specified session manager pod using BuildKit session gRPC (via [the HTTP/1.1 gate](https://github.com/moby/buildkit/blob/b7424f41fdf60b178c5227abdd54cb615161123d/session/manager.go#L46)).\nTo connect to the pod, the client may use `kubectl port-forward` or `kubectl exec ... socat`.\n\nFuture version would also provide [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) for exposing the CBI session manager in more efficient ways.\n\n## Contribute to CBI\n\n* Vendoring is managed via [dep](https://github.com/golang/dep).\n* To update CRD definition, please edit [`pkg/apis/cbi/v1alpha1/types.go`](pkg/apis/cbi/v1alpha1/types.go) and run `hack/codegen/update-codegen.sh`. 
Please do not edit autogenerated files manually.\n\n### Testing\n\n```console\n$ ./hack/build/build-push-apply.sh your-registry.example.com:5000/cbi test20180501\n```\n\nThis command performs:\n\n* Build and push CBI images as `your-registry.example.com:5000/cbi/{cbid,cbi-docker,...}:test20180501`\n* Generate `/tmp/cbi.generated.yaml` so that the manifest uses the images on `your-registry.example.com:5000/cbi/{cbid,cbi-docker,...}:test20180501`.\n* Execute `kubectl apply -f /tmp/cbi.generated.yaml`.\n\n### Local testing with DinD\n\nYou may use `hack/dind/up.sh` for setting up a local Kubernetes cluster and a local registry using Docker-in-Docker.\n\n```console\n$ ./hack/dind/up.sh\n$ DOCKER_HOST=localhost:62375 ./hack/build/build-push-apply.sh cbi-registry:5000/cbi test20180501\n$ ./hack/dind/down.sh\n```\nThe Kubernetes cluster and the \"bootstrap\" Docker listening at `localhost:62375` can connect to `cbi-registry:5000` without auth.\n\n\n## FAQs\n\n### Q: Does CBI standardize the Dockerfile specification?\n\nA: No, the Dockerfile specification has been maintained by Docker, Inc.\n\nCBI itself is neutral to any image building instruction language (e.g. Dockerfile).\n\nHowever, most backend implementations would accept Dockerfile.\n\n### Q: Does CBI replace BuildKit?\n\nA: No, CBI just provides an abstract interface for several backends such as BuildKit.\n\n### Q: Is CBI a part of Kubernetes, a Kubernetes incubator, or a CNCF project?\n\nA: Currently no, unlike CRI/CNI/CSI.\n\nBut it'd be good to donate CBI to such a vendor-neutral organization if CBI becomes popular.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcontainerbuilding%2Fcbi","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcontainerbuilding%2Fcbi","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcontainerbuilding%2Fcbi/lists"}