Build and Push Container Images
This comprehensive guide demonstrates modern container image building and deployment with Tekton, including:
Source Code Management: Clone repositories with security scanning
Container Building: Build multi-architecture images with Kaniko
Security Integration: Image signing and SLSA provenance generation
Registry Management: Push to multiple cloud registries with authentication
Supply Chain Security: Implement modern DevSecOps practices
If you're already familiar with Tekton and want to see the complete examples, you can jump to the full code samples.
Prerequisites
Kubernetes Cluster: You must have a Kubernetes cluster 1.28+ running and kubectl properly configured to issue commands to your cluster.
Install Tekton Pipelines (v0.55.0+):
# Install latest Tekton Pipelines
kubectl apply --filename https://storage.googleapis.com/tekton-releases/pipeline/latest/release.yaml
# Verify installation
kubectl get pods --namespace tekton-pipelines
See the Pipelines installation documentation for other installation options and vendor specific instructions.
Install Tekton CLI: Install the Tekton CLI,
tkn
, on your machine:
# Linux (x86_64)
curl -LO https://github.com/tektoncd/cli/releases/latest/download/tkn_Linux_x86_64.tar.gz
sudo tar xvzf tkn_Linux_x86_64.tar.gz -C /usr/local/bin/ tkn
# macOS
brew install tektoncd-cli
# Verify installation
tkn version
If this is your first time using Tekton Pipelines, we recommend that you complete the Getting Started tutorials before proceeding with this guide.
Clone the Repository
Create a new Pipeline, pipeline.yaml
, that uses the git clone Task to clone the source code from a git repository:
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
name: clone-build-push-secure
annotations:
tekton.dev/description: "Secure pipeline for cloning, building, and pushing container images"
spec:
description: |
This pipeline clones a git repo, performs security scanning, builds a Docker image with Kaniko,
signs the image, generates SLSA provenance, and pushes it to a registry with security attestations
params:
- name: repo-url
type: string
description: Git repository URL
- name: git-revision
type: string
description: Git revision to checkout
default: main
- name: image-reference
type: string
description: Container image reference
- name: dockerfile-path
type: string
description: Path to Dockerfile
default: "./Dockerfile"
workspaces:
- name: shared-data
description: Workspace for sharing data between tasks
- name: docker-credentials
description: Docker registry credentials
- name: signing-secrets
description: Image signing secrets
tasks:
- name: fetch-source
taskRef:
name: git-clone
kind: ClusterTask
workspaces:
- name: output
workspace: shared-data
params:
- name: url
value: $(params.repo-url)
- name: revision
value: $(params.git-revision)
- name: depth
value: "1"
- name: sslVerify
value: "true"
- name: security-scan
runAfter: ["fetch-source"]
taskRef:
name: trivy-scanner
kind: ClusterTask
workspaces:
- name: manifest-dir
workspace: shared-data
params:
- name: ARGS
value: ["fs", "--security-checks", "vuln,secret,config", "--severity", "HIGH,CRITICAL"]
- name: IMAGE
value: "aquasec/trivy:latest"
- name: build-push
runAfter: ["security-scan"]
taskRef:
name: kaniko
kind: ClusterTask
workspaces:
- name: source
workspace: shared-data
- name: dockerconfig
workspace: docker-credentials
params:
- name: IMAGE
value: $(params.image-reference)
- name: DOCKERFILE
value: $(params.dockerfile-path)
- name: CONTEXT
value: "."
- name: EXTRA_ARGS
value:
- "--build-arg=BUILDKIT_INLINE_CACHE=1"
- "--cache=true"
- "--cache-ttl=24h"
- "--skip-tls-verify"
- "--reproducible"
- "--single-snapshot"
- name: BUILDER_IMAGE
value: "gcr.io/kaniko-project/executor:v1.19.2"
- name: sign-image
runAfter: ["build-push"]
taskRef:
name: cosign-sign
workspaces:
- name: source
workspace: shared-data
- name: cosign-keys
workspace: signing-secrets
params:
- name: image
value: $(params.image-reference)
- name: cosign-experimental
value: "true"
- name: generate-provenance
runAfter: ["sign-image"]
taskRef:
name: slsa-provenance
workspaces:
- name: source
workspace: shared-data
params:
- name: image
value: $(params.image-reference)
- name: git-url
value: $(params.repo-url)
- name: git-revision
value: $(params.git-revision)
Then create the corresponding pipelinerun.yaml
file:
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
generateName: clone-build-push-secure-run-
labels:
tekton.dev/pipeline: clone-build-push-secure
spec:
pipelineRef:
name: clone-build-push-secure
podTemplate:
securityContext:
fsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
workspaces:
- name: shared-data
volumeClaimTemplate:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 2Gi
storageClassName: fast-ssd
- name: docker-credentials
secret:
secretName: docker-credentials
- name: signing-secrets
secret:
secretName: cosign-keys
params:
- name: repo-url
value: https://github.com/your-org/your-app.git
- name: git-revision
value: main
- name: image-reference
value: your-registry.com/your-org/your-app:latest
- name: dockerfile-path
value: "./Dockerfile"
For this how-to we are using a public repository as an example. You can also use git clone with private repositories, using SSH authentication.
Security Scanning and Vulnerability Assessment
Add security scanning to your pipeline before building the image:
tasks:
# ...existing tasks...
- name: security-scan
runAfter: ["fetch-source"]
taskRef:
name: trivy-scanner
kind: ClusterTask
workspaces:
- name: manifest-dir
workspace: shared-data
params:
- name: ARGS
value: ["fs", "--security-checks", "vuln,secret,config", "--severity", "HIGH,CRITICAL"]
- name: IMAGE
value: "aquasec/trivy:latest"
Install the Trivy scanner task:
kubectl apply -f https://raw.githubusercontent.com/tektoncd/catalog/main/task/trivy-scanner/0.1/trivy-scanner.yaml
Build the container image with Kaniko
To build the image use the enhanced Kaniko Task with multi-architecture support:
tasks:
# ...existing tasks...
- name: build-push
runAfter: ["security-scan"]
taskRef:
name: kaniko
kind: ClusterTask
workspaces:
- name: source
workspace: shared-data
- name: dockerconfig
workspace: docker-credentials
params:
- name: IMAGE
value: $(params.image-reference)
- name: DOCKERFILE
value: $(params.dockerfile-path)
- name: CONTEXT
value: "."
- name: EXTRA_ARGS
value:
- "--build-arg=BUILDKIT_INLINE_CACHE=1"
- "--cache=true"
- "--cache-ttl=24h"
- "--skip-tls-verify"
- "--reproducible"
- "--single-snapshot"
- name: BUILDER_IMAGE
value: "gcr.io/kaniko-project/executor:v1.19.2"
Image Signing with Cosign
Add image signing to ensure supply chain security:
tasks:
# ...existing tasks...
- name: sign-image
runAfter: ["build-push"]
taskRef:
name: cosign-sign
workspaces:
- name: source
workspace: shared-data
- name: cosign-keys
workspace: signing-secrets
params:
- name: image
value: $(params.image-reference)
- name: cosign-experimental
value: "true"
Create the Cosign signing task:
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: cosign-sign
spec:
params:
- name: image
type: string
description: Image to sign
- name: cosign-experimental
type: string
default: "false"
workspaces:
- name: source
- name: cosign-keys
steps:
- name: sign
image: gcr.io/projectsigstore/cosign:v2.2.2
env:
- name: COSIGN_EXPERIMENTAL
value: $(params.cosign-experimental)
script: |
#!/bin/sh
set -e
# Sign the image
cosign sign --key $(workspaces.cosign-keys.path)/cosign.key $(params.image)
echo "Image $(params.image) signed successfully"
SLSA Provenance Generation
Generate SLSA provenance for supply chain attestation:
tasks:
# ...existing tasks...
- name: generate-provenance
runAfter: ["sign-image"]
taskRef:
name: slsa-provenance
workspaces:
- name: source
workspace: shared-data
params:
- name: image
value: $(params.image-reference)
- name: git-url
value: $(params.repo-url)
- name: git-revision
value: $(params.git-revision)
Create the SLSA provenance task:
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: slsa-provenance
spec:
params:
- name: image
type: string
- name: git-url
type: string
- name: git-revision
type: string
workspaces:
- name: source
steps:
- name: generate-provenance
image: gcr.io/projectsigstore/cosign:v2.2.2
script: |
#!/bin/sh
set -e
# Generate SLSA provenance
cat > /tmp/provenance.json << EOF
{
"builder": {
"id": "https://tekton.dev/tekton-pipelines"
},
"buildType": "tekton.dev/v1beta1.PipelineRun",
"invocation": {
"configSource": {
"uri": "$(params.git-url)",
"digest": {
"sha1": "$(params.git-revision)"
}
}
},
"metadata": {
"buildInvocationId": "$(context.pipelineRun.name)",
"buildStartedOn": "$(context.pipelineRun.start-time)",
"reproducible": true
},
"materials": [
{
"uri": "$(params.git-url)",
"digest": {
"sha1": "$(params.git-revision)"
}
}
]
}
EOF
# Attach provenance to image
cosign attest --predicate /tmp/provenance.json $(params.image)
echo "SLSA provenance generated and attached to $(params.image)"
Run your Pipeline
You are ready to install the Tasks and run the pipeline.
Install the
git-clone
,trivy-scanner
,kaniko
,cosign-sign
, andslsa-provenance
Tasks:tkn hub install task git-clone kubectl apply -f https://raw.githubusercontent.com/tektoncd/catalog/main/task/trivy-scanner/0.1/trivy-scanner.yaml tkn hub install task kaniko kubectl apply -f cosign-sign.yaml kubectl apply -f slsa-provenance.yaml
Apply the Secret with your Docker credentials.
kubectl apply -f docker-credentials.yaml
Apply the Pipeline:
kubectl apply -f pipeline.yaml
Create the PipelineRun:
kubectl create -f pipelinerun.yaml
This creates a PipelineRun with a unique name each time:
pipelinerun.tekton.dev/clone-build-push-run-4kgjr created
Use the PipelineRun name from the output of the previous step to monitor the Pipeline execution:
tkn pipelinerun logs clone-build-push-run-4kgjr -f
After a few seconds, the output confirms that the image was built and pushed successfully:
[fetch-source : clone] + '[' false '=' true ] [fetch-source : clone] + '[' false '=' true ] [fetch-source : clone] + '[' false '=' true ] [fetch-source : clone] + CHECKOUT_DIR=/workspace/output/ [fetch-source : clone] + '[' true '=' true ] [fetch-source : clone] + cleandir [fetch-source : clone] + '[' -d /workspace/output/ ] [fetch-source : clone] + rm -rf '/workspace/output//*' [fetch-source : clone] + rm -rf '/workspace/output//.[!.]*' [fetch-source : clone] + rm -rf '/workspace/output//..?*' [fetch-source : clone] + test -z [fetch-source : clone] + test -z [fetch-source : clone] + test -z [fetch-source : clone] + /ko-app/git-init '-url=https://github.com/google/docsy-example.git' '-revision=' '-refspec=' '-path=/workspace/output/' '-sslVerify=true' '-submodules=true' '-depth=1' '-sparseCheckoutDirectories=' [fetch-source : clone] {"level":"info","ts":1654637310.4419358,"caller":"git/git.go:170","msg":"Successfully cloned https://github.com/google/docsy-example.git @ 1c7f7e300c90cd690ca5be66b43fe58713bb21c9 (grafted, HEAD) in path /workspace/output/"} [fetch-source : clone] {"level":"info","ts":1654637320.384655,"caller":"git/git.go:208","msg":"Successfully initialized and updated submodules in path /workspace/output/"} [fetch-source : clone] + cd /workspace/output/ [fetch-source : clone] + git rev-parse HEAD [fetch-source : clone] + RESULT_SHA=1c7f7e300c90cd690ca5be66b43fe58713bb21c9 [fetch-source : clone] + EXIT_CODE=0 [fetch-source : clone] + '[' 0 '!=' 0 ] [fetch-source : clone] + printf '%s' 1c7f7e300c90cd690ca5be66b43fe58713bb21c9 [fetch-source : clone] + printf '%s' https://github.com/google/docsy-example.git [build-push : build-and-push] WARN [build-push : build-and-push] User provided docker configuration exists at /kaniko/.docker/config.json [build-push : build-and-push] INFO Retrieving image manifest klakegg/hugo:ext-alpine [build-push : build-and-push] INFO Retrieving image klakegg/hugo:ext-alpine from registry index.docker.io [build-push : build-and-push] INFO Built cross stage deps: map[] [build-push : build-and-push] INFO Retrieving image manifest klakegg/hugo:ext-alpine [build-push : build-and-push] INFO Returning cached image manifest [build-push : build-and-push] INFO Executing 0 build triggers [build-push : build-and-push] INFO Unpacking rootfs as cmd RUN apk add git requires it. [build-push : build-and-push] INFO RUN apk add git [build-push : build-and-push] INFO Taking snapshot of full filesystem... [build-push : build-and-push] INFO cmd: /bin/sh [build-push : build-and-push] INFO args: [-c apk add git] [build-push : build-and-push] INFO Running: [/bin/sh -c apk add git] [build-push : build-and-push] fetch https://dl-cdn.alpinelinux.org/alpine/v3.14/main/x86_64/APKINDEX.tar.gz [build-push : build-and-push] fetch https://dl-cdn.alpinelinux.org/alpine/v3.14/community/x86_64/APKINDEX.tar.gz [build-push : build-and-push] OK: 76 MiB in 41 packages [build-push : build-and-push] INFO[0012] Taking snapshot of full filesystem... [build-push : build-and-push] INFO[0013] Pushing image to us-east1-docker.pkg.dev/tekton-tests/tektonstuff/docsy:v1 [build-push : build-and-push] INFO[0029] Pushed image to 1 destinations [build-push : write-url] us-east1-docker.pkg.dev/my-tekton-tests/tekton-samples/docsy:v1
Full Code Samples (2025)
Complete Secure Pipeline
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
name: clone-build-push-secure
annotations:
tekton.dev/description: "Secure CI/CD pipeline with supply chain security"
spec:
description: |
This pipeline clones a git repo, performs security scanning, builds a Docker image with Kaniko,
signs the image, generates SLSA provenance, and pushes it to a registry with security attestations
params:
- name: repo-url
type: string
description: Git repository URL
- name: git-revision
type: string
description: Git revision to checkout
default: main
- name: image-reference
type: string
description: Container image reference
- name: dockerfile-path
type: string
description: Path to Dockerfile
default: "./Dockerfile"
workspaces:
- name: shared-data
description: Workspace for sharing data between tasks
- name: docker-credentials
description: Docker registry credentials
- name: signing-secrets
description: Image signing secrets
tasks:
- name: fetch-source
taskRef:
name: git-clone
kind: ClusterTask
workspaces:
- name: output
workspace: shared-data
params:
- name: url
value: $(params.repo-url)
- name: revision
value: $(params.git-revision)
- name: depth
value: "1"
- name: sslVerify
value: "true"
- name: security-scan
runAfter: ["fetch-source"]
taskRef:
name: trivy-scanner
kind: ClusterTask
workspaces:
- name: manifest-dir
workspace: shared-data
params:
- name: ARGS
value: ["fs", "--security-checks", "vuln,secret,config", "--severity", "HIGH,CRITICAL"]
- name: IMAGE
value: "aquasec/trivy:latest"
- name: build-push
runAfter: ["security-scan"]
taskRef:
name: kaniko
kind: ClusterTask
workspaces:
- name: source
workspace: shared-data
- name: dockerconfig
workspace: docker-credentials
params:
- name: IMAGE
value: $(params.image-reference)
- name: DOCKERFILE
value: $(params.dockerfile-path)
- name: CONTEXT
value: "."
- name: EXTRA_ARGS
value:
- "--build-arg=BUILDKIT_INLINE_CACHE=1"
- "--cache=true"
- "--cache-ttl=24h"
- "--reproducible"
- "--single-snapshot"
- name: BUILDER_IMAGE
value: "gcr.io/kaniko-project/executor:v1.19.2"
- name: sign-image
runAfter: ["build-push"]
taskRef:
name: cosign-sign
workspaces:
- name: source
workspace: shared-data
- name: cosign-keys
workspace: signing-secrets
params:
- name: image
value: $(params.image-reference)
- name: cosign-experimental
value: "true"
- name: generate-provenance
runAfter: ["sign-image"]
taskRef:
name: slsa-provenance
workspaces:
- name: source
workspace: shared-data
params:
- name: image
value: $(params.image-reference)
- name: git-url
value: $(params.repo-url)
- name: git-revision
value: $(params.git-revision)
Production PipelineRun
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
generateName: clone-build-push-secure-run-
labels:
tekton.dev/pipeline: clone-build-push-secure
app.kubernetes.io/version: "2025.1"
spec:
pipelineRef:
name: clone-build-push-secure
podTemplate:
securityContext:
fsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
seccompProfile:
type: RuntimeDefault
workspaces:
- name: shared-data
volumeClaimTemplate:
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 5Gi
storageClassName: fast-ssd
- name: docker-credentials
secret:
secretName: docker-credentials
- name: signing-secrets
secret:
secretName: cosign-keys
params:
- name: repo-url
value: https://github.com/your-org/your-app.git
- name: git-revision
value: main
- name: image-reference
value: your-registry.com/your-org/your-app:$(context.pipelineRun.uid)
- name: dockerfile-path
value: "./Dockerfile"
Docker Credentials Secret
apiVersion: v1
kind: Secret
metadata:
name: docker-credentials
annotations:
tekton.dev/docker-0: https://your-registry.com
type: kubernetes.io/dockerconfigjson
data:
.dockerconfigjson: ewogICJhdXRocyI6IHsKICAgICJodHRwczovL3lvdXItcmVnaXN0cnkuY29tIjogewogICAgICAidXNlcm5hbWUiOiAieW91ci11c2VybmFtZSIsCiAgICAgICJwYXNzd29yZCI6ICJ5b3VyLXBhc3N3b3JkIiwKICAgICAgImVtYWlsIjogInlvdXItZW1haWxAZXhhbXBsZS5jb20iLAogICAgICAiYXV0aCI6ICJiV0Y2ZFdKMWJubGlZWHA9IgogICAgfQogIH0KfQ==
Cosign Keys Secret
apiVersion: v1
kind: Secret
metadata:
name: cosign-keys
type: Opaque
data:
cosign.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0t...
cosign.pub: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0...
Container Registry Authentication
For different registry providers, configure your Docker credentials accordingly:
Docker Hub
apiVersion: v1
kind: Secret
metadata:
name: docker-credentials
type: kubernetes.io/dockerconfigjson
data:
.dockerconfigjson: ewogICJhdXRocyI6IHsKICAgICJodHRwczovL2luZGV4LmRvY2tlci5pby92MS8iOiB7CiAgICAgICJ1c2VybmFtZSI6ICJ5b3VyLXVzZXJuYW1lIiwKICAgICAgInBhc3N3b3JkIjogInlvdXItcGFzc3dvcmQiLAogICAgICAiZW1haWwiOiAieW91ci1lbWFpbEBleGFtcGxlLmNvbSIsCiAgICAgICJhdXRoIjogImJXRjZkV0oxYm5saVlYcD0iCiAgICB9CiAgfQp9
AWS ECR
# Create ECR credentials
aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin 123456789012.dkr.ecr.us-west-2.amazonaws.com
# Create secret from Docker config
kubectl create secret generic docker-credentials \
--from-file=config.json=$HOME/.docker/config.json
Google Container Registry
# Create GCR credentials
cat key.json | docker login -u _json_key --password-stdin https://gcr.io
# Create secret
kubectl create secret generic docker-credentials \
--from-file=config.json=$HOME/.docker/config.json
Azure Container Registry
# Create ACR credentials
az acr login --name your-registry
# Create secret
kubectl create secret generic docker-credentials \
--from-file=config.json=$HOME/.docker/config.json
Advanced Features
Multi-Architecture Builds
For building multi-platform images, update the Kaniko task:
- name: build-push-multiarch
taskRef:
name: kaniko
kind: ClusterTask
params:
- name: IMAGE
value: $(params.image-reference)
- name: EXTRA_ARGS
value:
- "--customPlatform=linux/amd64"
- "--customPlatform=linux/arm64"
- "--cache=true"
- "--reproducible"
Cache Optimization
Enable advanced caching for faster builds:
- name: EXTRA_ARGS
value:
- "--cache=true"
- "--cache-repo=$(params.image-reference)-cache"
- "--cache-ttl=168h" # 1 week
- "--use-new-run"
- "--compressed-caching=false"
This guide provides a complete, production-ready pipeline with modern security practices, including vulnerability scanning, image signing, and SLSA provenance generation that meets 2025 DevSecOps standards.
Last updated