惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Cloudbric
Cloudbric
E
Exploit-DB.com RSS Feed
SecWiki News
SecWiki News
Forbes - Security
Forbes - Security
N
News | PayPal Newsroom
S
Security @ Cisco Blogs
Schneier on Security
Schneier on Security
V
V2EX - 技术
S
Secure Thoughts
W
WeLiveSecurity
Google DeepMind News
Google DeepMind News
C
CERT Recently Published Vulnerability Notes
NISL@THU
NISL@THU
S
Securelist
S
Security Archives - TechRepublic
Know Your Adversary
Know Your Adversary
V
Vulnerabilities – Threatpost
Security Latest
Security Latest
Recent Commits to openclaw:main
Recent Commits to openclaw:main
G
GRAHAM CLULEY
H
Hacker News: Front Page
Microsoft Azure Blog
Microsoft Azure Blog
I
Intezer
Google Online Security Blog
Google Online Security Blog
美团技术团队
阮一峰的网络日志
阮一峰的网络日志
T
The Exploit Database - CXSecurity.com
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
Webroot Blog
Webroot Blog
Jina AI
Jina AI
Engineering at Meta
Engineering at Meta
P
Proofpoint News Feed
The Cloudflare Blog
I
InfoQ
L
LangChain Blog
U
Unit 42
P
Proofpoint News Feed
S
Schneier on Security
S
Security Affairs
Y
Y Combinator Blog
T
Tenable Blog
N
News and Events Feed by Topic
MyScale Blog
MyScale Blog
量子位
Google DeepMind News
Google DeepMind News
Cyberwarzone
Cyberwarzone
博客园 - 聂微东
D
Darknet – Hacking Tools, Hacker News & Cyber Security
GbyAI
GbyAI
AWS News Blog
AWS News Blog

RapidFort Blog

RapidFort Test Blog Blog 4 Test Test Blog 3 Test 2 Mythos Vulnerability Assessment: Eliminate Real Risk, Not Just CVEs Securing Modern AI Workloads for National Security RBOM vs SBOM: The Critical Difference Between Software Inventory and Runtime Reality The Remediation Gap: When AI-Powered Discovery Outpaces Human Defense You Only Control 15% of Your Software. Here's How to Secure the Rest. Free ATO Readiness Cohort: Shorten Your Path to Federal Market US Cyber Strategy & Software Supply Chain Security EU CRA for Containers & Kubernetes: Scope, Deadlines & Steps PyPI, npm, and the New Frontline of Software Supply Chain Attacks GitHub Actions Security Audit: CI/CD Risk & Shell Injection What Is RBOM™? Runtime Bill of Materials vs SBOM Explained EU Cyber Resilience Act & Open Source Risk RapidFort Raises $42M Series A for Software Supply Chain Security Fintech Container Security 2026: SASM & RBOM™ RF Analyzer: Precision Container CVE Intelligence AI-Powered Cyberattacks: How Defenders Must Adapt RapidFort Pioneered DoD Container Hardening | Industry Standard Turn Scanner Output into Verified CVE Elimination RapidFort's Giant Washing Machine: Cleaning Open Source at Scale Why SBOMs Fail: RBOM™ & Near-Zero CVE Images Fix the Gap Defeat NPM Supply Chain Worms: Near-Zero CVE Defense Bitnami & Chainguard Alternatives: Free Near-Zero CVE Images Runtime Profiling: Eliminate up to 99.9% of Container CVEs Flow Defending: AI-Speed Container Hardening & Runtime Visibility AI in Software Supply Chain Security: Defense vs Attackers SBOM vs RBOM™: Why Runtime Bill of Materials Wins AI-Powered Container Stack: Built, Hardened & Defended AI-Generated Code Vulnerabilities: Runtime Defense for Containers Container Vulnerability Management Reimagined | RBOM™ 35,000+ Near-Zero CVE Images: FIPS, STIG & AI-Era Standard RBOM™ Runtime Intelligence: Cut CVE Noise & Improve Accuracy EU Vulnerability Database (EUVD): Impact on CVE Management Critical Infrastructure Cyber Resilience: Near-Zero CVE DoD Software Procurement: SWIFT, cATO & Container Security Stop Fixing CVEs One by One: Eliminate up to 99.9% Before Production Break the Patch-and-Pray Cycle: Proactive CVE Management Beyond FedRAMP Checklists: Continuous CVE Elimination Why RapidFort Outperforms the Competition: The Future of Secure Containers FedRAMP Fast-Track: Near-Zero CVE Images & Zero Patching Hidden Costs of Manual CVE Elimination | Automate with RapidFort PCI DSS, SOC 2, FedRAMP & HIPAA Compliance via CVE Elimination Emerging Cyber Threats 2024: Protect Containers with RapidFort Container Supply Chain Security: From Source to Deployment Build a Robust Security Stack with RapidFort's SASM Platform Securing Containerized Environments: Best Practices Identify & Eliminate Common App Vulnerabilities in 3 Steps Near-Zero CVE Blueprint: Securing Your Software Supply Chain Eliminate up to 99.9% of Container CVEs in 3 Steps | No Code Changes DoD Innovation: SpaceWERX, AFWERX & Defense Tech Firsthand Developer Security Training Do's & Don'ts Top 5 Software Security Myths Debunked AI-Generated Code Security Risks: CEO Insights Using AI in Software Development: Security Tips & Considerations RapidFort Wins Intellyx Digital Innovator Award | Runtime Security 3 Tips to Conquer CVE Alert Fatigue Mature DevSecOps Teams: Key Traits & Security Best Practices Top 3 Software Security Trends 2024: AI, Compliance & SASM Software Security Budgeting 2024: Eliminate CVEs by up to 99.9% & Measure ROI RapidFort 2023 Year in Review: Milestones & Container Security Wins OSS Vulnerability Scanning & Container Hardening RapidFort Joins Microsoft Pegasus Program | Container Security Runtime Container Protection: 90% Attack Surface Reduction Black Hat USA 2023: AI, CISO Trends & Cybersecurity Insights SOC 2 Type 2 Compliance for Container Security RapidFort Achieves SOC 2 Type 2 | Enterprise Security Validated Common Container Security Risks & How to Fix Them 6 Steps to Securing Your Software Supply Chain Harden Containers with Coverage Scripts & RBOM™ Profiling Container Vulnerability Management Best Practices Minimize Software Attack Surface | RBOM™-Powered SASM Docker Container Security Best Practices 2023 | Harden & Scan What Is Container Hardening? Reduce CVEs & Meet Compliance | Guide Securing Popular Docker Containers: Up to 80% Attack Surface Cut How RapidFort Secures Its Own Containers | Dogfooding DevSecOps Why Container Security Tools Fail: Scan vs Eliminate Hidden OSS Trade-Offs: Container Bloat, CVEs & Security Debt OSS Patch Management: Eliminate Container Bloat & CVEs OpenSSL Vulnerability: Scan, Harden & Reduce Risk in Containers Harden Hundreds of Containers Today for Free Customs Bridge Automates CVE Elimination with RapidFort SAST vs DAST vs IAST: Limitations for Container OSS Security Delete 78% of Your Redis Container - It Still Works 100% Free Tool: Copy AMIs to AWS GovCloud Fast | Open-Source Script Stop Chasing CVEs: Smarter Container Test Cycles Why CVSS Severity Alone Fails: Use Exploit Probability The Limits of Shift Left: How Software Optimization Fills the Gap Software Supply Chain Security with SCA Scanning What Is Software Supply Chain Risk? Causes & How to Mitigate It Reduce Container Bloat: Remove Unused Components & Cut CVEs What Is Software Optimization? RBOM™ vs SBOM Explained Log4j Response: Harden Containers Now Before the Next Patch
Kimia: Secure Kaniko Alternative for Kubernetes Builds
Jacob Mammoliti · 2025-12-02 · via RapidFort Blog

The landscape of container image building has undergone significant changes in 2025. With Google's archival of Kaniko in June 2025, organizations that relied on building container images inside Kubernetes clusters found themselves searching for alternatives that could deliver both security and performance. Enter Kimia: RapidFort's answer to the evolving needs of secure, non-root container image building.

RapidFort, a company deeply rooted in open-source principles and container security, released Kimia as an open-source project designed to address the limitations teams encountered with Kaniko. Rather than building yet another image builder from scratch, RapidFort took a pragmatic approach: Kimia provides a unified, Kubernetes-native interface that leverages two proven build engines - Buildah and BuildKit - giving teams the flexibility to choose the backend that best fits their requirements.

In this post, we'll explore how Kimia works, walk through a practical example of building a Python FastAPI application with nightly builds and multi-architecture support, and demonstrate built-in image signing capabilities.

The State of Container Image Building in 2025

Kaniko's Legacy and Transition

When Google introduced Kaniko in 2018, it solved a critical problem: how to build container images inside Kubernetes without requiring privileged access to the Docker daemon. For years, Kaniko became the de facto standard for secure CI/CD pipelines, particularly in regulated industries like finance and defense.

In June, Google officially archived the Kaniko project. While community forks have emerged to provide maintenance patches, the lack of Google's backing and ongoing feature development prompted many organizations to evaluate modern alternatives that offered active development, enhanced security features, and long-term sustainability.

The Rise of Modern Alternatives

Two tools emerged as the primary successors to Kaniko:

  • BuildKit - Docker's modern build backend that powers docker build commands since Docker 18.09. BuildKit introduces intelligent build optimizations like parallel execution through directed acyclic graphs (DAGs), advanced caching strategies, and native multi-platform build support. It's actively developed and represents the current state-of-the-art in container image building.
  • Buildah - Red Hat's daemonless OCI image builder that specializes in rootless container operations. Buildah offers fine-grained control over the build process, excellent security posture through user namespace isolation, and a command set that mirrors Dockerfile instructions while also supporting scriptable builds.

Both tools offer compelling advantages, but each has its own operational characteristics and trade-offs. Organizations often find themselves choosing based on factors like existing infrastructure, team expertise, and specific security requirements.

Introducing Kimia: The Best of Both Worlds

RapidFort recognized that different teams have different needs. Rather than forcing a single approach, Kimia provides a Kubernetes-native interface with two flavors:

  • Kimia with Buildah backend - Optimized for teams requiring strict rootless operations and fine-grained control
  • Kimia with BuildKit backend - Optimized for teams prioritizing build speed and advanced caching features

By default, Kimia uses BuildKit as its build engine, but teams can easily switch to Buildah when their security posture or operational requirements demand it. This flexibility means organizations can standardize on Kimia while still choosing the best backend for each specific use case.

Key Features

Key features that Kimia brings to the table:

  • Kubernetes-native design: Runs as standard Kubernetes workloads without special privileges
  • User namespace isolation: Leverages kernel features for enhanced security
  • Unified interface: Consistent API regardless of backend choice
  • Built-in signing support: Native integration with Cosign for supply chain security
  • Multi-architecture builds: Support for linux/amd64, linux/arm64, and other platforms
  • Familiar syntax: Compatible with existing Kaniko workflows for easy migration

Building Images with Kimia: A Practical Example

Let's walk through a real-world scenario: setting up a Kubernetes CronJob that automatically builds a Python FastAPI application every morning at 2 AM, incorporating the latest code from the main branch.

Basic Build Configuration

Here's a complete Kubernetes CronJob manifest that demonstrates Kimia's core capabilities:

apiVersion: batch/v1
kind: CronJob
metadata:
  name: kimia-python-fastapi-build
  namespace: builds
spec:
  schedule: "0 2 * * *"  # Daily at 2 AM UTC
  jobTemplate:
    spec:
      template:
        spec:
          restartPolicy: Never
          securityContext:
            runAsNonRoot: true
            runAsUser: 1000
            fsGroup: 1000
          containers:
          - name: kimia
            image: ghcr.io/rapidfort/kimia:latest
            args:
            - --context=https://github.com/rapidfort/rapidfort-samples.git
            - --context-sub-path=python-fastapi
            - --dockerfile=Dockerfile
            - --destination=ghcr.io/myorg/python-fastapi:$(date +%Y%m%d)
            securityContext:
              allowPrivilegeEscalation: true
              capabilities:
                drop: [ALL]
                add: [SETUID, SETGID]
              appArmorProfile:
                type: Unconfined
              seccompProfile:
                type: Unconfined
            volumeMounts:
            - name: docker-config
              mountPath: /home/kimia/.docker
              readOnly: true
          volumes:
          - name: docker-config
            secret:
              secretName: ghcr-credentials
              items:
              - key: .dockerconfigjson
                path: config.json

Understanding the Security Context

Let's break down the security configuration, which is critical for understanding how Kimia achieves secure builds:

Pod-level security:

  • runAsNonRoot: true - Ensures the entire pod runs without root privileges
  • runAsUser: 1000 - Explicitly sets the user ID for all containers
  • fsGroup: 1000 - Sets the filesystem group for volume permissions

Container-level security:

  • allowPrivilegeEscalation: true - Required for user namespace operations
  • capabilities: drop: [ALL] - Removes all Linux capabilities by default
  • capabilities: add: [SETUID, SETGID] - Adds only the minimal capabilities needed for user namespace mapping
  • appArmorProfile: Unconfined - Allows user namespace creation (some clusters may need custom profiles)
  • seccompProfile: Unconfined - Permits the syscalls required for containerized builds

This configuration represents a security-conscious middle ground: it avoids running as root while still enabling the kernel features necessary for isolated container image building.

Multi-Architecture Build Support

Modern applications often need to run on diverse hardware - from x86 servers in traditional data centers to ARM-based instances on AWS Graviton or Azure Ampere. Kimia makes multi-architecture builds straightforward:

apiVersion: batch/v1
kind: CronJob
metadata:
  name: kimia-multiarch-build
  namespace: builds
spec:
  schedule: "0 2 * * *"
  jobTemplate:
    spec:
      template:
        spec:
          restartPolicy: Never
          securityContext:
            runAsNonRoot: true
            runAsUser: 1000
            fsGroup: 1000
          containers:
          - name: kimia
            image: ghcr.io/rapidfort/kimia:latest
            args:
            - --context=https://github.com/rapidfort/rapidfort-samples.git
            - --context-sub-path=python-fastapi
            - --dockerfile=Dockerfile
            - --destination=ghcr.io/myorg/python-fastapi:$(date +%Y%m%d)
            - --custom-platform=linux/amd64,linux/arm64
            securityContext:
              allowPrivilegeEscalation: true
              capabilities:
                drop: [ALL]
                add: [SETUID, SETGID]
              appArmorProfile:
                type: Unconfined
              seccompProfile:
                type: Unconfined
            volumeMounts:
            - name: docker-config
              mountPath: /home/kimia/.docker
              readOnly: true
          volumes:
          - name: docker-config
            secret:
              secretName: ghcr-credentials
              items:
              - key: .dockerconfigjson
                path: config.json

The --custom-platform flag tells Kimia to build for both amd64 and arm64 architectures. The resulting image manifest will contain variants for each platform, and container runtimes will automatically select the appropriate architecture when pulling the image.

Built-in Image Signing and Attestation

Supply chain security has become paramount in 2025. High-profile incidents like SolarWinds and the Log4Shell vulnerability demonstrated how attackers target not just applications but the entire build and delivery pipeline. Image signing provides cryptographic proof that an image came from a trusted source and hasn't been tampered with.

Kimia integrates natively with Cosign, the CNCF project for signing and verifying container images. Here's how to add signing to your build:

apiVersion: batch/v1
kind: CronJob
metadata:
  name: kimia-signed-build
  namespace: builds
spec:
  schedule: "0 2 * * *"
  jobTemplate:
    spec:
      template:
        spec:
          restartPolicy: Never
          securityContext:
            runAsNonRoot: true
            runAsUser: 1000
            fsGroup: 1000
          containers:
          - name: kimia
            image: ghcr.io/rapidfort/kimia:latest
            args:
            - --context=https://github.com/rapidfort/rapidfort-samples.git
            - --context-sub-path=python-fastapi
            - --dockerfile=Dockerfile
            - --destination=ghcr.io/rapidfort/python-fastapi:$(date +%Y%m%d)
            - --custom-platform=linux/amd64,linux/arm64
            - --sign
            - --attestation=max
            - --cosign-key=/secrets/cosign.key
            - --cosign-password-env=COSIGN_PASSWORD
            env:
            - name: COSIGN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: cosign-credentials
                  key: password
            securityContext:
              allowPrivilegeEscalation: true
              capabilities:
                drop: [ALL]
                add: [SETUID, SETGID]
              appArmorProfile:
                type: Unconfined
              seccompProfile:
                type: Unconfined
            volumeMounts:
            - name: cosign-key
              mountPath: /secrets
              readOnly: true
            - name: docker-config
              mountPath: /home/kimia/.docker
              readOnly: true
          volumes:
          - name: cosign-key
            secret:
              secretName: cosign-credentials
              items:
              - key: cosign.key
                path: cosign.key
          - name: docker-config
            secret:
              secretName: ghcr-credentials
              items:
              - key: .dockerconfigjson
                path: config.json

Understanding the Signing Parameters

  • --sign - Enables image signing after the build completes
  • --attestation=max - Generates a full SBOM and detailed provenance
  • --cosign-key - Points to your Cosign private key
  • --cosign-password-env - References an environment variable containing the key password, sourced from a Kubernetes secret

Best Practices for Production Deployments

Based on real-world deployments, here are key recommendations:

Security

  • Always run with user namespaces enabled - This provides an additional isolation layer
  • Use short-lived credentials - Rotate registry credentials regularly and consider OIDC-based authentication where possible
  • Implement network policies - Restrict build pods to only necessary egress destinations
  • Scan images post-build - Integrate vulnerability scanning into your pipeline before promotion

Reliability

  • Set appropriate resource requests and limits - Build workloads can be resource-intensive
  • Use PersistentVolumeClaims for cache - When building frequently, persistent cache storage significantly improves performance
  • Implement retry logic - Network issues and transient failures happen; build your automation to handle them gracefully
  • Monitor build metrics - Track build times, success rates, and resource utilization

Maintainability

  • Standardize on base images - Use a curated set of base images to improve caching and security posture
  • Version your build configurations - Store CronJob and Job manifests in version control
  • Document architecture decisions - Clearly document why you chose specific backends or configurations

Looking Forward

The container image building landscape continues to evolve. With Kaniko's transition to community maintenance and the maturation of tools like BuildKit and Buildah, we're seeing a consolidation around more secure, performant, and flexible approaches.

Kimia represents this new generation of build tools: secure by default, flexible by design, and built with real-world Kubernetes deployments in mind. By providing a unified interface to multiple backends, it gives teams the freedom to choose the best tool for each job without sacrificing operational consistency.

Whether you're migrating from Kaniko, building a new CI/CD pipeline, or looking to improve your supply chain security posture, Kimia offers a production-ready solution that balances security, performance, and developer experience.

Getting Started

Ready to try Kimia in your environment? Visit the project's GitHub repository: https://github.com/rapidfort/kimia

The Kimia project welcomes contributions, bug reports, and feature requests. As an open-source project maintained by RapidFort, it benefits from both community involvement and professional support options for enterprises that need them.

Conclusion

Building container images securely in Kubernetes doesn't have to be complicated. With Kimia, you get the benefits of modern build engines like BuildKit and Buildah wrapped in a Kubernetes-native interface that prioritizes security without sacrificing functionality.

As we move further into the end of 2025 and into 2026, supply chain security will only become more critical. Tools like Kimia that bake signing, attestation, and rootless operation into their core design will be essential building blocks for secure software delivery pipelines.

Whether you're running a handful of services or orchestrating builds for hundreds of microservices, Kimia provides the flexibility, security, and performance needed for production container image building in modern Kubernetes environments.

此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。