In a previous post, I talked about the problem of granting privileges to a container and the risks that this entails. Today I want to present a specific case in which privileges are granted to a container and give some alternatives.
One of the most popular Continuous Integration tools is Jenkins. It stands out for the number of plugins that its community makes available to users and the freedom it gives to create pipelines. In addition, it offers images with which it can be deployed in containers, including in a Kubernetes cluster!
You would imagine that doing this would be pretty easy: you write a deployment that has a pod with the Jenkins image and you are done (apart from installing plugins and configuring it). But what if I want to build images inside a pipeline?
Well, then you need the Docker CLI or Docker plugin for Jenkins. But these, in turn, need a Docker daemon to be able to make the corresponding requests. Things start getting complicated.
In this post we are going to explore, step by step, different approaches to deploying Jenkins with Docker in Kubernetes, and explain the evolution of each one.
The most straightforward deployment is simply installing a Docker daemon. You take the Jenkins base image, install the Docker Engine, and create a custom image with both programs. Done!
This is possible; you can try it and it works. But it has certain implications that make it a bad option:
- /var/lib/docker as a volume in each container. But Docker is intended to have exclusive access to this directory, and having two or more daemons accessing it at the same time can lead to data corruption problems.
- The container has to run in privileged mode (--privileged in Docker or securityContext.privileged: true in Kubernetes). It is a requirement. This implies serious security risks, which we explain in this post.
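A check for the two problems listed above, as an added example that is not from the original post: it scans a parsed pod list for containers running privileged and for a /var/lib/docker mount backed by the same host path or claim in more than one pod. The pod names, namespace and node in the sample are constructed.

```python
from collections import defaultdict

DOCKER_DATA_DIR = "/var/lib/docker"

def volume_source(vol, namespace, node):
    """Name the backing store of a volume, or None if it is private to the pod."""
    if "hostPath" in vol:  # a host directory is shared by all pods on that node
        return f"hostPath {vol['hostPath']['path']} on node {node}"
    if "persistentVolumeClaim" in vol:  # claims are namespaced
        return f"pvc {namespace}/{vol['persistentVolumeClaim']['claimName']}"
    return None  # emptyDir and similar are created per pod

def audit_pods(pod_list):
    """Findings for a parsed `kubectl get pods -A -o json` document."""
    findings, users = [], defaultdict(set)
    for pod in pod_list.get("items", []):
        meta, spec = pod["metadata"], pod.get("spec", {})
        ns = meta.get("namespace", "default")
        name = f"{ns}/{meta['name']}"
        sources = {v["name"]: volume_source(v, ns, spec.get("nodeName"))
                   for v in spec.get("volumes", [])}
        for c in spec.get("initContainers", []) + spec.get("containers", []):
            if (c.get("securityContext") or {}).get("privileged") is True:
                findings.append(f"{name}: container {c['name']} is privileged")
            for m in c.get("volumeMounts", []):
                src = sources.get(m["name"])
                if src and m["mountPath"].rstrip("/") == DOCKER_DATA_DIR:
                    users[src].add(name)
    for src, pods in users.items():
        if len(pods) > 1:  # two daemons writing to one data directory
            findings.append(f"{src}: shared as {DOCKER_DATA_DIR} by {', '.join(sorted(pods))}")
    return sorted(findings)

def _pod(name, privileged, volume):
    """Constructed sample pod; every name here is made up."""
    mount = {"name": "docker-data", "mountPath": DOCKER_DATA_DIR}
    ctr = {"name": "jenkins", "securityContext": {"privileged": privileged},
           "volumeMounts": [mount]}
    return {"metadata": {"namespace": "ci", "name": name},
            "spec": {"nodeName": "node-a", "containers": [ctr],
                     "volumes": [dict(volume, name="docker-data")]}}

SAMPLE = {"items": [
    _pod("jenkins-0", True, {"hostPath": {"path": "/var/lib/docker"}}),
    _pod("jenkins-1", True, {"hostPath": {"path": "/var/lib/docker"}}),
    _pod("jenkins-2", False, {"emptyDir": {}}),
]}

if __name__ == "__main__":
    print("\n".join(audit_pods(SAMPLE)))
```

Against a real cluster, pass the parsed output of `kubectl get pods -A -o json` to `audit_pods` instead of the sample.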