Chainguard enthusiastically supports donating ko to CNCF

Jason Hall, Software Engineer

ko is a powerful and simple tool for building container images for Go applications. It was created at Google, and has gained solid adoption for its focus on simplicity, performance and security.

Two of the three core maintainers of ko, Matt Moore and Jason Hall, now work at Chainguard, and we're excited to support Google's announcement that it has decided to propose ko for donation to the CNCF.

History

ko was created at Google in 2018 to provide Go developers targeting Kubernetes with a tool that built on the intuition and muscle memories of Go and Kubernetes development. The experience we sought for ko was to make it so that Go developers could develop applications as if Kubernetes were just running their Go program, without worrying about containers.

Fitting the trend that the best tools are those built to solve your own pain, ko was originally developed to replace the existing developer workflow for the then-new Knative project. Knative developers needed a tool to quickly iterate on their Kubernetes controllers written in Go, and nothing existed at the time that fit their needs well.

The status quo at the time – docker build and Dockerfiles – was slow, cumbersome, and required complicated templating to update Kubernetes YAML manifests with newly built image references. Orchestrating multiple image builds was difficult.

Knative originally used Google's Bazel build tool, which was at the time used by Kubernetes and Istio, among many others, along with custom rules like rules_docker and rules_k8s. This made orchestrating multiple builds and referencing the result in YAML manifests easy, but managing the Bazel tool and navigating Bazel's build language proved difficult. Knative’s contributors were feeling this pain and sought an alternative to reduce the barrier to contribution. Over time, Kubernetes and Istio would migrate off of Bazel as well.

Behind all this complexity, all this tooling was just running go build on the source tree, putting the result in a container image and pushing it to a registry, and updating some templated YAML with the newly built image references. A lot of machinery was involved with that otherwise simple task. There had to be a better way.

And that's how ko was born, built to the specific requirements of the Knative project's use case, around performance and ease of use.

Adoption

Over the years, other features were added to ko: multi-platform builds including support for Windows images, automatic SBOM generation supporting both SPDX and CycloneDX formats, and steady improvements in performance.

Through it all, ko has maintained a focus on making security the default:

  • ko uses a minimal non-root base image by default (built using Chainguard's apko!)

  • ko generates SBOMs for all images by default

  • ko doesn't require a Docker daemon to build images, making it a safer option for container-based CI platforms like Tekton

  • Kubernetes YAML manifests generated by ko include image references by digest, preventing tag update attacks
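
The digest-pinning property in the last bullet can be checked on any manifest before it is applied. The Go program below is an added example, not code from ko or from this post; it assumes a line-based scan of `image:` keys rather than a full YAML parse, and the function names, `registry.example` references and digest are constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// imageLine captures the value of a YAML "image:" key (plain or list item);
// pinned matches a reference that ends in an immutable sha256 digest.
var imageLine = regexp.MustCompile(`^\s*(?:-\s+)?image:\s*["']?([^"'\s#]+)`)
var pinned = regexp.MustCompile(`@sha256:[a-f0-9]{64}$`)

// Finding is one image reference that can be repointed by moving a tag.
type Finding struct {
	Line  int
	Image string
}

// UnpinnedImages returns every image reference that relies on a mutable tag
// (or an implicit "latest") instead of a digest.
func UnpinnedImages(manifest string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(manifest))
	for n := 1; sc.Scan(); n++ {
		m := imageLine.FindStringSubmatch(sc.Text())
		if m != nil && !pinned.MatchString(m[1]) {
			out = append(out, Finding{Line: n, Image: m[1]})
		}
	}
	return out
}

// Sample is a constructed manifest fragment; names and digest are placeholders.
const Sample = `spec:
  initContainers:
  - name: migrate
    image: "registry.example/migrate:v1.2.0"
  containers:
  - name: app
    image: registry.example/app@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
  - image: registry.example/sidecar
`

func main() {
	for _, f := range UnpinnedImages(Sample) {
		fmt.Printf("line %d: %s is not pinned by digest\n", f.Line, f.Image)
	}
}
```

A reference that carries both a tag and a digest counts as pinned, because the digest is what the runtime resolves.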

Because ko is a developer tool built mainly by the developers who needed it, not a lot of thought was ever given to "product strategy" or maximizing adoption. And yet, because it is a generally useful tool, word of mouth spread and adoption followed.

When Tekton spun out of the Knative Build effort in 2019, ko continued to be its image build tool of choice. In the ensuing years, other projects like Shipwright, AWS's Karpenter, and most recently Kyverno have used ko to improve their developer productivity. Every image built from Go source at Chainguard is built using ko.

Earlier this year, Skaffold added support for ko builds as an alpha feature. Chainguard has recently started developing a ko provider for Terraform, enabling ko-built images to be integrated into even more non-Kubernetes use cases.

Future

Today, Google has announced its intention to propose ko as a CNCF Sandbox project, and we at Chainguard could not be happier at the announcement. This is just the next exciting step for ko, and we're excited to share what's next with the community.

Chainguard intends to continue its investment in and stewardship of the ko project, and we are excited to contribute the docs website at https://ko.build, the GitHub Actions installer, and Terraform provider for ko to ko's new GitHub organization. Our hope is that ko's user base and community will continue to thrive under the CNCF umbrella, and give us more opportunities to grow and flourish.

If you use ko, we hope to make this transition as smooth as possible. Please reach out on the #ko-project channel in the Kubernetes Slack if you have any questions, or if you'd like to collaborate on any future TikToks! :)
