GitLab CI Pipeline with Kaniko, Twistcli, and Crane

This blog post explains how to set up a GitLab CI pipeline that uses Kaniko, Twistcli, and Crane to build Docker images, scan them with twistcli against Prisma Cloud, and only then push them to the registry. This setup is particularly useful for environments where Docker-in-Docker (DinD) is not feasible, such as self-hosted GitLab runners on AKS pods.

Why Kaniko?

Kaniko is a tool for building container images from a Dockerfile inside a container or Kubernetes cluster. Unlike DinD, it doesn’t require privileged mode, making it a more secure alternative.

Setting Up the Pipeline

Our pipeline is split into two stages to accommodate security scanning before pushing the image:

  1. Build and Scan: Use Kaniko to build the image and Twistcli to scan it.
  2. Push: Use Crane to push the scanned image to the Azure Container Registry (ACR).

Prerequisites

Pipeline Configuration

Here’s a step-by-step guide to configuring your GitLab CI pipeline.

Step 1: Define Pipeline Variables

First, define the necessary variables in your .gitlab-ci.yml file.

variables:
  IMAGE_NAME: "basic-image"
  IMAGE_TAG: "latest"
  ACR_REGISTRY: "ouracr.azurecr.io"
  PRISMA_CLOUD_COMPUTE_URL: "https://northamerica-northeast1.cloud.twistlock.com/canada-550205609"
  PRISMA_CLOUD_API_URL: "$PRISMA_CLOUD_COMPUTE_URL/api/v1/util"

Step 2: Authenticate with ACR

Add authentication details for your Azure Container Registry.

DOCKER_AUTH_CONFIG: |
  {
    "auths": {
      "ouracr.azurecr.io": {
        "auth": "<base64 encoded-client-id+secret>"
      }
    }
  }
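
To fill in the auth placeholder above, here is an added shell example (not from the original post) that encodes a service-principal id and secret the way a Docker config.json expects, writes the file to Kaniko's documented default location so base-image pulls from ACR authenticate, and lets you check an existing value without printing the secret to the job log. The function names, and the sample id and secret, are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: build the DOCKER_AUTH_CONFIG
# value used in Step 2 from a registry host and a service-principal id/secret.
# The "auth" field is base64("<client-id>:<secret>") with no trailing newline;
# a stray newline from `echo ... | base64` is a common cause of a 401 from ACR.
# Function names are this example's own, not GitLab's or Kaniko's.

docker_auth_b64() {
  # $1 = client id, $2 = secret; printf (not echo) avoids the trailing newline
  printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

docker_auth_config() {
  # $1 = registry host, $2 = client id, $3 = secret -> config JSON on stdout
  printf '{"auths":{"%s":{"auth":"%s"}}}\n' "$1" "$(docker_auth_b64 "$2" "$3")"
}

docker_auth_user() {
  # $1 = an existing "auth" value; prints only the user part, so a sanity
  # check in a job never writes the secret into the pipeline log
  printf '%s' "$1" | base64 -d | cut -d: -f1
}

write_docker_config() {
  # $1 = config dir (Kaniko reads $DOCKER_CONFIG/config.json, default
  # /kaniko/.docker), $2 = registry, $3 = client id, $4 = secret.
  # umask 077 keeps the directory and file readable by the job user only.
  (umask 077 && mkdir -p "$1" && docker_auth_config "$2" "$3" "$4" > "$1/config.json")
}

# Typical use in the build job, before running /kaniko/executor:
# write_docker_config /kaniko/.docker "$ACR_REGISTRY" "$acr_sp_name" "$acr_sp_pass"
```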
Step 3: Build Stage

Configure the build stage using Kaniko.

stages:
  - test
  - build
  - push

docker:build:
  stage: build
  image: ouracr.azurecr.io/kaniko:latest #our own kaniko image with twistcli
  script:
    - /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --no-push --destination $ACR_REGISTRY/$IMAGE_NAME:$IMAGE_TAG --tar-path image.tar
    - twistcli images scan --tarball image.tar --address $PRISMA_CLOUD_COMPUTE_URL -u $PRISMA_ACCESS_KEY -p $PRISMA_SECRET
  artifacts:
    paths:
      - image.tar
    expire_in: 1 hour
    when: on_success
Step 4: Push Stage

Set up the push stage using Crane to push the image to ACR.


docker:push:
  stage: push
  image: gcr.io/go-containerregistry/crane:debug
  script:
    - crane auth login -u "$acr_sp_name" -p "$acr_sp_pass" $ACR_REGISTRY
    - crane push image.tar $ACR_REGISTRY/$IMAGE_NAME:$IMAGE_TAG
  needs:
    - docker:build

Conclusion

This setup ensures your images are securely built and scanned with Prisma Cloud before being pushed to the registry. Splitting the pipeline into distinct stages lets you catch security issues early, block the pipeline before pushing a vulnerable image to the registry, and maintain a clean and secure CI/CD process.

Should you have any comments or questions, you are very welcome to leave a comment. 🙂

Happy building and deploying!
