
I'm trying to build Docker images without a privileged builder; therefore, DinD is not an option. I have now found two ways of achieving that, with either kaniko or img.

Both of them work in my local Docker setup and achieve that goal:

```shell
docker run --rm -it --cap-drop=all --cap-add=setuid --cap-add=setgid \
  --name img \
  --volume "$(pwd):/home/user/src:ro" \
  --workdir /home/user/src \
  --security-opt seccomp=unconfined \
  --security-opt apparmor=unconfined \
  r.j3ss.co/img:v0.5.11 build -t user/myimage .
```

```shell
docker run --rm -it --cap-add=chown --cap-add=fowner --cap-add=setgid --cap-add=setuid --cap-add=dac_override \
  --name kaniko \
  -v "$(pwd):/workspace:ro" \
  gcr.io/kaniko-project/executor:v1.7.0 \
  --dockerfile /workspace/Dockerfile \
  --context dir:///workspace/ \
  --no-push
```

The img image runs the builder process inside as a non-root user with uid 1000 but requires the seccomp and apparmor settings, whereas the kaniko container runs the builder process inside as the root user but doesn't need seccomp and apparmor changes.
I now wonder which is considered more secure: running a container where the process inside is run by the root user, or running a container with a normal user but with seccomp=unconfined and apparmor=unconfined.

It would be really great if someone could help me out with that and give me some clues.
My gut is telling me kaniko seems more secure because from what I understand, disabling the default seccomp and apparmor profiles has a bigger impact.

Thanks in advance.

cmdjulian
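
The settings that actually apply to each builder process can be read from `/proc/<pid>/status` and compared side by side. The script below is an added example, not part of the original post: `decode_caps`, `summarise` and the sample functions are names chosen here, and the two status excerpts are constructed to mirror the flags in the question (the kaniko mask is Docker's default capability set, which stays in place because that command adds capabilities without `--cap-drop=all`).

```shell
#!/bin/sh
# Summarise a process's confinement from the text of /proc/<pid>/status.
# Capability names in bit order (linux/capability.h, bits 0-40).
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw
ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct
sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease
audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm
block_suspend audit_read perfmon bpf checkpoint_restore"

# decode_caps HEXMASK: print the capability names set in a CapEff/CapBnd mask.
decode_caps() (
  mask=$((0x$1)); bit=0; out=
  for name in $CAP_NAMES; do
    if [ $(( ($mask >> $bit) & 1 )) -eq 1 ]; then out="${out:+$out,}$name"; fi
    bit=$((bit + 1))
  done
  echo "${out:-none}"
)

# summarise: read a status file on stdin, print one line describing its posture.
summarise() (
  euid=unknown; sec=unknown; nnp=unknown; eff=0; bnd=0
  while read -r key a b rest; do
    case $key in
      Uid:)        euid=$b ;;   # fields are real, effective, saved, fs
      CapEff:)     eff=$a ;;    # capabilities the process can use right now
      CapBnd:)     bnd=$a ;;    # upper bound it could regain, e.g. via setuid binaries
      NoNewPrivs:) nnp=$a ;;
      Seccomp:)    case $a in 0) sec=disabled ;; 1) sec=strict ;; 2) sec=filter ;; esac ;;
    esac
  done
  echo "euid=$euid seccomp=$sec no_new_privs=$nnp eff=$(decode_caps "$eff") bnd=$(decode_caps "$bnd")"
)

# Constructed samples (not captured output), mirroring the flags in the question.
sample_kaniko() { printf '%s\n' 'Uid: 0 0 0 0' 'CapEff: 00000000a80425fb' \
  'CapBnd: 00000000a80425fb' 'NoNewPrivs: 0' 'Seccomp: 2'; }
sample_img() { printf '%s\n' 'Uid: 1000 1000 1000 1000' 'CapEff: 0000000000000000' \
  'CapBnd: 00000000000000c0' 'NoNewPrivs: 0' 'Seccomp: 0'; }

echo "kaniko: $(sample_kaniko | summarise)"
echo "img:    $(sample_img | summarise)"
```

Inside a running build container, `summarise < /proc/self/status` produces the same line for the real process, which shows whether the capability flags and seccomp option took effect as intended.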