Kimia: Secure and Efficient Container Image Building in Kubernetes

The landscape of container image building has undergone significant changes in 2025. With Google's archival of Kaniko in June 2025, organizations that relied on building container images inside Kubernetes clusters found themselves searching for alternatives that could deliver both security and performance. Enter Kimia: RapidFort's answer to the evolving needs of secure, non-root container image building.

RapidFort, a company deeply rooted in open-source principles and container security, released Kimia as an open-source project designed to address the limitations teams encountered with Kaniko. Rather than building yet another image builder from scratch, RapidFort took a pragmatic approach: Kimia provides a unified, Kubernetes-native interface that leverages two proven build engines - Buildah and BuildKit - giving teams the flexibility to choose the backend that best fits their requirements.

In this post, we'll explore how Kimia works, walk through a practical example of building a Python FastAPI application with nightly builds and multi-architecture support, and demonstrate built-in image signing capabilities.

The State of Container Image Building in 2025

Kaniko's Legacy and Transition

When Google introduced Kaniko in 2018, it solved a critical problem: how to build container images inside Kubernetes without requiring privileged access to the Docker daemon. For years, Kaniko became the de facto standard for secure CI/CD pipelines, particularly in regulated industries like finance and defense.

In June, Google officially archived the Kaniko project. While community forks have emerged to provide maintenance patches, the lack of Google's backing and ongoing feature development prompted many organizations to evaluate modern alternatives that offered active development, enhanced security features, and long-term sustainability.

The Rise of Modern Alternatives

Two tools emerged as the primary successors to Kaniko:

• BuildKit - Docker's modern build backend that powers docker build commands since Docker 18.09. BuildKit introduces intelligent build optimizations like parallel execution through directed acyclic graphs (DAGs), advanced caching strategies, and native multi-platform build support. It's actively developed and represents the current state-of-the-art in container image building.
• Buildah - Red Hat's daemonless OCI image builder that specializes in rootless container operations. Buildah offers fine-grained control over the build process, excellent security posture through user namespace isolation, and a command set that mirrors Dockerfile instructions while also supporting scriptable builds.

Both tools offer compelling advantages, but each has its own operational characteristics and trade-offs. Organizations often find themselves choosing based on factors like existing infrastructure, team expertise, and specific security requirements.

Introducing Kimia: The Best of Both Worlds

RapidFort recognized that different teams have different needs. Rather than forcing a single approach, Kimia provides a Kubernetes-native interface with two flavors:

• Kimia with Buildah backend - Optimized for teams requiring strict rootless operations and fine-grained control
• Kimia with BuildKit backend - Optimized for teams prioritizing build speed and advanced caching features

By default, Kimia uses BuildKit as its build engine, but teams can easily switch to Buildah when their security posture or operational requirements demand it. This flexibility means organizations can standardize on Kimia while still choosing the best backend for each specific use case.

Building Images with Kimia: A Practical Example

Let's walk through a real-world scenario: setting up a Kubernetes CronJob that automatically builds a Python FastAPI application every morning at 2 AM, incorporating the latest code from the main branch.

Basic Build Configuration

Here's a complete Kubernetes CronJob manifest that demonstrates Kimia's core capabilities:

apiVersion: batch/v1
kind: CronJob
metadata:
  name: kimia-python-fastapi-build
  namespace: builds
spec:
  schedule: "0 2 * * *"  # Daily at 2 AM UTC
  jobTemplate:
    spec:
      template:
        spec:
          restartPolicy: Never
          securityContext:
            runAsNonRoot: true
            runAsUser: 1000
            fsGroup: 1000
          containers:
          - name: kimia
            image: ghcr.io/rapidfort/kimia:latest
            args:
            - --context=https://github.com/rapidfort/rapidfort-samples.git
            - --context-sub-path=python-fastapi
            - --dockerfile=Dockerfile
            - --destination=ghcr.io/myorg/python-fastapi:$(date +%Y%m%d)
            securityContext:
              allowPrivilegeEscalation: true
              capabilities:
                drop: [ALL]
                add: [SETUID, SETGID]
              appArmorProfile:
                type: Unconfined
              seccompProfile:
                type: Unconfined
            volumeMounts:
            - name: docker-config
              mountPath: /home/kimia/.docker
              readOnly: true
          volumes:
          - name: docker-config
            secret:
              secretName: ghcr-credentials
              items:
              - key: .dockerconfigjson
                path: config.json

Multi-Architecture Build Support

Modern applications often need to run on diverse hardware - from x86 servers in traditional data centers to ARM-based instances on AWS Graviton or Azure Ampere. Kimia makes multi-architecture builds straightforward:

apiVersion: batch/v1
kind: CronJob
metadata:
  name: kimia-multiarch-build
  namespace: builds
spec:
  schedule: "0 2 * * *"
  jobTemplate:
    spec:
      template:
        spec:
          restartPolicy: Never
          securityContext:
            runAsNonRoot: true
            runAsUser: 1000
            fsGroup: 1000
          containers:
          - name: kimia
            image: ghcr.io/rapidfort/kimia:latest
            args:
            - --context=https://github.com/rapidfort/rapidfort-samples.git
            - --context-sub-path=python-fastapi
            - --dockerfile=Dockerfile
            - --destination=ghcr.io/myorg/python-fastapi:$(date +%Y%m%d)
            - --custom-platform=linux/amd64,linux/arm64
            securityContext:
              allowPrivilegeEscalation: true
              capabilities:
                drop: [ALL]
                add: [SETUID, SETGID]
              appArmorProfile:
                type: Unconfined
              seccompProfile:
                type: Unconfined
            volumeMounts:
            - name: docker-config
              mountPath: /home/kimia/.docker
              readOnly: true
          volumes:
          - name: docker-config
            secret:
              secretName: ghcr-credentials
              items:
              - key: .dockerconfigjson
                path: config.json

Built-in Image Signing and Attestation

Supply chain security has become paramount in 2025. High-profile incidents like SolarWinds and the Log4Shell vulnerability demonstrated how attackers target not just applications but the entire build and delivery pipeline. Image signing provides cryptographic proof that an image came from a trusted source and hasn't been tampered with.

Kimia integrates natively with Cosign, the CNCF project for signing and verifying container images. Here's how to add signing to your build:

apiVersion: batch/v1
kind: CronJob
metadata:
  name: kimia-signed-build
  namespace: builds
spec:
  schedule: "0 2 * * *"
  jobTemplate:
    spec:
      template:
        spec:
          restartPolicy: Never
          securityContext:
            runAsNonRoot: true
            runAsUser: 1000
            fsGroup: 1000
          containers:
          - name: kimia
            image: ghcr.io/rapidfort/kimia:latest
            args:
            - --context=https://github.com/rapidfort/rapidfort-samples.git
            - --context-sub-path=python-fastapi
            - --dockerfile=Dockerfile
            - --destination=ghcr.io/rapidfort/python-fastapi:$(date +%Y%m%d)
            - --custom-platform=linux/amd64,linux/arm64
            - --sign
            - --attestation=max
            - --cosign-key=/secrets/cosign.key
            - --cosign-password-env=COSIGN_PASSWORD
            env:
            - name: COSIGN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: cosign-credentials
                  key: password
            securityContext:
              allowPrivilegeEscalation: true
              capabilities:
                drop: [ALL]
                add: [SETUID, SETGID]
              appArmorProfile:
                type: Unconfined
              seccompProfile:
                type: Unconfined
            volumeMounts:
            - name: cosign-key
              mountPath: /secrets
              readOnly: true
            - name: docker-config
              mountPath: /home/kimia/.docker
              readOnly: true
          volumes:
          - name: cosign-key
            secret:
              secretName: cosign-credentials
              items:
              - key: cosign.key
                path: cosign.key
          - name: docker-config
            secret:
              secretName: ghcr-credentials
              items:
              - key: .dockerconfigjson
                path: config.json

Best Practices for Production Deployments

Based on real-world deployments, here are key recommendations:

Looking Forward

The container image building landscape continues to evolve. With Kaniko's transition to community maintenance and the maturation of tools like BuildKit and Buildah, we're seeing a consolidation around more secure, performant, and flexible approaches.

Kimia represents this new generation of build tools: secure by default, flexible by design, and built with real-world Kubernetes deployments in mind. By providing a unified interface to multiple backends, it gives teams the freedom to choose the best tool for each job without sacrificing operational consistency.

Whether you're migrating from Kaniko, building a new CI/CD pipeline, or looking to improve your supply chain security posture, Kimia offers a production-ready solution that balances security, performance, and developer experience.

Getting Started

Ready to try Kimia in your environment? Visit the project's GitHub repository: https://github.com/rapidfort/kimia

The Kimia project welcomes contributions, bug reports, and feature requests. As an open-source project maintained by RapidFort, it benefits from both community involvement and professional support options for enterprises that need them.

Conclusion

Building container images securely in Kubernetes doesn't have to be complicated. With Kimia, you get the benefits of modern build engines like BuildKit and Buildah wrapped in a Kubernetes-native interface that prioritizes security without sacrificing functionality.

As we move further into the end of 2025 and into 2026, supply chain security will only become more critical. Tools like Kimia that bake signing, attestation, and rootless operation into their core design will be essential building blocks for secure software delivery pipelines.

Whether you're running a handful of services or orchestrating builds for hundreds of microservices, Kimia provides the flexibility, security, and performance needed for production container image building in modern Kubernetes environments.