Docker images

This document provides guidelines for the Docker image provided in the context of Kyma.

Naming and structure guidelines

Place images in the Kyma Docker registry located at For development and proof of concepts, use the following location:

All images use the following attributes:

  • an image name which is the same as the related project. Do not use prefixes. If the image requires sub-modularization, append it as in "istio-mixer"
  • a tag with a semantic version number, like 0.3.2

Assume an initializer image for the Helm Broker extension. This is the example of the location and the name of the image:

Click to copy

Base images

Base all images on an image that is as small as possible in size and dependency. A base image must have a specified version. Do not use the latest tag.

An application based on Go should originate from a scratch image. If a scratch image does not have the specific tooling available, you can use an alpine base image having the package catalog updated. A JavaScript-based application should originate from an nginx-alpine base image with an updated package catalog.

Label images

All images use the source label with a link to the GitHub repository containing the sources.

Define labels as in the following example:

Click to copy
source =

Third-party images

Kyma uses some Docker images that originally were not built (and hosted) by us. For security and reliability reasons, we need to copy all external images to our own Docker registry. We have two solutions to this problem: the third-party-images repository and the image-syncer tool.

Third-party repository

If you want to rebuild the image from scratch, use the third-party-images repository. For every component, create a separate directory. You need to provide a Dockerfile, a Makefile, and create a ProwJob for building your images. See the repository content for more information.

Image syncer

If you want to "cache" an image from an external registry, use the image-syncer tool.

To copy the image to our registry, modify the external-images.yaml file. After your change is merged to the main branch, you can check the new image URL in the logs of the post-main-test-infra-image-syncer-run job.

For example, the source image grafana/grafana:7.0.6 will be transformed to". This URL can then be used in your Helm charts.


Go from scratch:

Click to copy
FROM scratch
ADD main /
CMD ["/main"]

Go from alpine:

Click to copy
FROM alpine:3.7
RUN apk --no-cache upgrade && apk --no-cache add curl
ADD main /
CMD ["/main"]

JavaScript from nginx:

Click to copy
FROM nginx:1.13-alpine
RUN apk --no-cache upgrade
COPY nginx.conf /etc/nginx/nginx.conf
COPY /build var/public
CMD ["nginx", "-g", "daemon off;"]