Docker Build

Skaffold supports building with Dockerfile

  1. locally
  2. in cluster
  3. on Google CloudBuild

Dockerfile with Docker locally

If you have Docker installed, Skaffold can be configured to build artifacts with the local Docker daemon.

By default, Skaffold connects to the local Docker daemon using Docker Engine APIs, though it can also use the Docker command-line interface instead, which enables artifacts with BuildKit.

After the artifacts are successfully built, Docker images will be pushed to the remote registry. You can choose to skip this step.


To use the local Docker daemon, add build type local to the build section of skaffold.yaml. The following options can optionally be configured:

Option Description Default
push should images be pushed to a registry. If not specified, images are pushed only if the current Kubernetes context connects to a remote cluster.
useDockerCLI use docker command-line interface instead of Docker Engine APIs. false
useBuildkit use BuildKit to build Docker images. false


The following build section instructs Skaffold to build a Docker image with the local Docker daemon:

  - image:
  local: {}

Which is equivalent to:

  - image:
    useDockerCLI: false
    useBuildkit: false

Dockerfile in-cluster with Kaniko

Kaniko is a Google-developed open source tool for building images from a Dockerfile inside a container or Kubernetes cluster. Kaniko enables building container images in environments that cannot easily or securely run a Docker daemon.

Skaffold can help build artifacts in a Kubernetes cluster using the Kaniko image; after the artifacts are built, kaniko must push them to a registry.


To use Kaniko, add build type kaniko to the build section of skaffold.yaml. The following options can optionally be configured:

Option Description Default
flags additional flags to be passed to Kaniko command line. See Kaniko Additional Flags. Deprecated - instead the named, unique fields should be used, e.g. buildArgs, cache, target. []
dockerfile locates the Dockerfile relative to workspace. Dockerfile
target Dockerfile target name to build.
buildArgs arguments passed to the docker build. It also accepts environment variables via the go template syntax. {}
buildContext where the build context for this artifact resides.
image Docker image used by the Kaniko pod. Defaults to the latest released version of
cache configures Kaniko caching. If a cache is specified, Kaniko will use a remote cache which will speed up builds.
reproducible used to strip timestamps out of the built image. false
skipTLS skips TLS verification when pulling and pushing the image. false

The buildContext can be either:

Option Description
gcsBucket GCS bucket to which sources are uploaded. Kaniko will need access to that bucket to download the sources.
localDir configures how Kaniko mounts sources directly via an emptyDir volume.

Since Kaniko builds images directly to a registry, it requires active cluster credentials. These credentials are configured in the cluster section with the following options:

Option Description Default
HTTP_PROXY for kaniko pod.
HTTPS_PROXY for kaniko pod.
pullSecret path to the Google Cloud service account secret key file.
pullSecretName name of the Kubernetes secret for pulling the files from the build context and pushing the final image. If given, the secret needs to contain the Google Cloud service account secret key under the key kaniko-secret. kaniko-secret
pullSecretMountPath path the pull secret will be mounted at within the running container.
namespace Kubernetes namespace. Defaults to current namespace in Kubernetes configuration.
timeout amount of time (in seconds) that this build is allowed to run. Defaults to 20 minutes (20m).
dockerConfig describes how to mount the local Docker configuration into a pod.
resources define the resource requirements for the kaniko pod.
concurrency how many artifacts can be built concurrently. 0 means “no-limit” Defaults to 0.

To set up the credentials for Kaniko refer to the kaniko docs. The recommended way is to store the pull secret in Kubernetes and configure pullSecretName. Alternatively, the path to a credentials file can be set with the pullSecret option:

    pullSecretName: pull-secret-in-kubernetes
    # OR
    pullSecret: path-to-service-account-key-file

Similarly, when pushing to a docker registry:

      path: ~/.docker/config.json
      # OR
      secretName: docker-config-secret-in-kubernetes

Note that the Kubernetes secret must not be of type which stores the config json under the key ".dockerconfigjson", but an opaque secret with the key "config.json".


The following build section, instructs Skaffold to build a Docker image with Kaniko:

    - image:
          gcsBucket: YOUR-BUCKET
    pullSecretName: YOUR-PULL-SECRET-NAME

Dockerfile remotely with Google Cloud Build

Skaffold can build the Dockerfile image remotely with Google Cloud Build.


To configure, add googleCloudBuild to build section to skaffold.yaml


The following build section, instructs Skaffold to build a Docker image with Google Cloud Build:

  - image:
    projectId: YOUR-GCP-PROJECT
Last modified November 6, 2019: code review changes (579d01a32)