- It cannot build containers from Dockerfile.
- Alternative syntax
Summary of building containers rootlessly or by proxying
First of all, rootless and dockerless are two different concepts.
One method may not require the Docker socket or a Docker dependency, but it may still require root, some form of root privileges, or relaxed security policies.
Some products can run 'rootlessly' but still require some sort of privilege escalation or privileged mode.
Truly rootless operation (no privilege escalation) and/or dockerless operation is difficult to achieve if you need to use a Dockerfile. There are solutions that achieve this if you do not need to use a Dockerfile.
Kubernetes 1.33 supports user namespaces by default; you only need to set hostUsers: false to opt in. With this feature, a process can run as the root user inside the container (that root is not mapped to the host's root), and privilege escalation within that container is not possible.
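As an added example (not from the original article), the script below writes a Pod manifest that opts into a user namespace with hostUsers: false and provides a helper that classifies a uid_map as read from /proc/self/uid_map inside the container, so you can verify that container root is not host root. The pod name, the image, and the sample uid_map lines are assumptions constructed for the example; the kubelet picks the actual host ID range.

```shell
#!/bin/sh
# Added example: verify that a pod's root is not mapped to host root.
# Pod name and image are assumed values, not from the article.

# Write a minimal Pod manifest that opts in to user namespaces.
write_userns_pod_manifest() {
  cat > "$1" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: userns-demo            # assumed name
spec:
  hostUsers: false             # opt in: pod gets its own user namespace
  containers:
  - name: shell
    image: busybox:1.36        # assumed image
    # Print the uid map so the mapping can be inspected with kubectl logs.
    command: ["sh", "-c", "cat /proc/self/uid_map && sleep 3600"]
EOF
}

# Read a uid_map on stdin. Each line is: <inside-start> <outside-start> <count>.
# Read from inside the container, the second column is the ID in the parent
# (host) user namespace. Prints:
#   host-root         container uid 0 is host uid 0 (no user namespace)
#   unprivileged-root container uid 0 maps to an unprivileged host uid
#   unmapped          no mapping covers uid 0 at all
classify_uid_map() {
  while read -r inside outside count; do
    [ -z "$inside" ] && continue
    # Only the range that starts at container uid 0 matters here.
    if [ "$inside" -eq 0 ] && [ "$count" -gt 0 ]; then
      if [ "$outside" -eq 0 ]; then
        echo host-root
      else
        echo unprivileged-root
      fi
      return 0
    fi
  done
  echo unmapped
}
```

Usage: write the manifest to a file and apply it with kubectl apply -f; once the pod is running, pipe the output of kubectl logs userns-demo into classify_uid_map. A line such as "0 0 4294967295" means no user namespace is in effect, while a line like "0 100000 65536" (constructed sample; the real offset is chosen by the kubelet) shows container root mapped to an unprivileged host ID.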
When building containers by proxy, the build process is shifted to the proxied product. We do not know whether that product actually needs root or a privileged build setup behind the scenes.
The table below lists the available methods and compares them.
| Product | Needs root or not | Needs privileged mode | Needs privilege escalation | Docker dependency | Related URL | Remark |
|---|---|---|---|---|---|---|
| (product name missing) | No | No | No | No | | |
| (product name missing) | No | No | No | No | | |
| BuildKit | No | No | No | Kind of, developed by Docker Inc. | | |
| Kaniko | Needs root | No | (No) | No | | |
| Buildah (Podman: same developers, very similar technology) | No | Yes | (No) | No | | |
| Proxying via other products such as Shipwright, Tekton, OpenShift BuildConfig, etc. | No w.r.t. the end user | No w.r.t. the end user | No w.r.t. the end user | No w.r.t. the end user | | |
| Sysbox | No | No | (No) | Yes | | |