Kpack, a Kubernetes-native container build platform, is a powerful tool that helps DevSecOps teams build and update containers automatically. It is already a core component of VMware’s commercial container build offering, VMware Tanzu Build Service. And today, the kpack technology you know and love has been added as the default container build solution in VMware Tanzu Community Edition, the freely available, open source distribution of the Kubernetes-based Tanzu platform. Read more about this announcement.
With the addition of kpack, Tanzu Community Edition enables users to build container images consistently and reliably and publish them to a container registry on Tanzu Community Edition. This is an important milestone and warrants a closer look at kpack, the problems it solves, and how it is reshaping the container build management landscape, so read on!
Containers, the building blocks of modern applications
DevSecOps teams love containers! It is a foundational technology that can improve development velocity, operational efficiency, and reduce risk. However, realizing these outcomes can be a challenge—especially if you have containers built by hand, or with disparate processes across your engineering teams.
Leading solutions in most quick-start container guides have led some DevOps teams on the path of using bespoke, dockerfile-based scripts. But these homegrown container build pipelines start showing rough edges as container usage scales into the hundreds and thousands. Time and again, we have heard from high-velocity development teams that while the dockerfile approach gets a project off the ground quickly, dockerfile-based containers are hard to productionize and scale. Developers can end up with bloated containers that are slow to boot, expensive to run, and more importantly expose an increased surface area for CVE attack. Developers struggle to maintain complicated dockerfiles, while operations teams face ongoing challenges to track the myriad dependencies and OS patch levels across a container fleet. Net result: an overly complex build system that slows down the development and deployment process.
The need of the hour is a dependable container build solution that standardizes container builds and automates the toil associated with managing containers at scale while still meeting an organization’s security and compliance requirements. This is where kpack shines. Kpack, the platform implementation of Cloud Native Buildpacks, builds and maintains OCI-compliant container images directly from source code without a dockerfile.
Kpack, a Kubernetes-native automated container build platform
Kpack utilizes unprivileged Kubernetes primitives to automatically build and update production-ready container images. Just bring your app and favorite buildpacks to kpack, and kpack will build it into an image. Any buildpack that adheres to Cloud Native Buildpack specifications, including open source Paketo buildpacks, can be used. Paketo, the open source buildpacks maintained by VMware, provides production-ready buildpacks for most popular languages and frameworks. Let’s break down this automated image build and rebuild process.
How kpack works
Kpack provides a declarative way to build and rebuild containers. It uses the concept of image configuration, which is a manifest file that describes your application.
The “what” aspect is captured in this image configuration where developers specify:
-
Source code location
-
Base operating system image
-
Build and runtime dependencies
-
Location of the container registry to push the container images to
Build and runtime dependencies are specified using the language-specific buildpacks. Both the base OS images and dependencies are typically centrally managed by a DevSecOps team and are provided to developers.
Once the developers specify this manifest, kpack takes care of building the image and then keeping it up-to-date, adhering to the repair aspect of the three R’s of enterprise security. In the background, kpack continuously monitors the system for any changes. Source code change, base OS patch, or buildpack updates will be auto-detected by the always-vigilant kpack and trigger a rebuild for all the affected container images in your ecosystem.
We recommend integrating kpack into your pre-existing CI/CD pipelines rather than directly into your source code repository. That way, kpack will trigger a container rebuild only after code has been committed and unit tests have passed.
Achieve critical DevSecOps outcomes using kpack
The top five reasons to pick up kpack, whether you are new to the technology or have been on the fence to make the move:
- Simplified code-to-container workflow – Kpack automates the initial creation of containers directly from source code; no need to fiddle with dockerfiles. It automatically rebuilds a container image on any update to the entire stack: new code commits, runtime dependencies, libraries, and OS updates.
- Strengthened security posture – Baked-in structured and comprehensive container metadata enables uniform tracking and patching of containers with the latest CVEs. Kpack also supports image signing via cosign.
- Simplified Day 2 operations – Kpack checks all the levers for a smooth Day 2 experience, including automated container image rebuild, granular platform-level controls, and centralized fleet management.
- No vendor lock-in – Kpack can be deployed on any Kubernetes platform. Additionally, images built by kpack are OCI compliant and can be pushed to any OCI-compliant registry and can run on any Kubernetes platform.
- Low-friction adoption – Kpack is a modular tool that slots into pre-existing CI/CD pipelines.
Try kpack for container automation using Tanzu Community Edition
Start your application modernization journey today with the latest freely available version of Tanzu Community Edition. The Tanzu Community Edition platform makes it easy for you to use kpack to build container images, push them to your secure Harbor registry, and then run them on Kubernetes.
