Tekton is how Kubernetes orchestrates CI/CD.
Here’s a simple pipeline that checks out code, runs a linter, and then builds a Docker image.
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
name: build-and-push
spec:
tasks:
- name: checkout
taskRef:
name: git-clone
params:
- name: url
value: https://github.com/your-repo/your-project.git
- name: lint
taskRef:
name: npm-install-and-lint
runAfter:
- checkout
- name: build-image
taskRef:
name: buildah-build
runAfter:
- lint
params:
- name: IMAGE
value: docker.io/your-dockerhub-user/your-image:latest
This pipeline uses three pre-built Tekton Tasks: git-clone, npm-install-and-lint, and buildah-build. Tekton’s core strength is its composability. You define a Pipeline as a sequence of Tasks, and each Task can reuse existing, community-contributed, or custom-built Tasks.
Let’s break down how this works. The git-clone task, for example, likely uses a PipelineResource of type git (though newer versions might directly use parameters for repo URLs) to fetch the code. The npm-install-and-lint task would then execute npm ci && npm run lint within a container. Finally, buildah-build would use Buildah to create a Docker image from your source code. The runAfter field ensures tasks execute in the correct order.
The real power comes from how Tekton integrates with Kubernetes. Each task in a pipeline runs as a Kubernetes Pod. This means you get all the benefits of Kubernetes for your CI/CD: scalability, resilience, and declarative configuration. You can define Resources (like Git repositories or Docker images) and Workspaces (shared volumes for tasks) to manage inputs and outputs.
Here’s a PipelineRun to actually execute our build-and-push pipeline:
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
name: build-and-push-run-1
spec:
pipelineRef:
name: build-and-push
resources:
- name: source-repo # This would typically be defined in the Pipeline too, but for simplicity...
resourceRef:
name: my-git-repo
params: # Overriding or providing pipeline parameters
- name: IMAGE
value: docker.io/your-dockerhub-user/your-image:v1.0.0
This PipelineRun tells Tekton to execute the build-and-push pipeline. It can also specify params to override defaults and resources to point to specific Git repositories or image registries. The result is a set of Pods spun up by Kubernetes, executing your CI/CD steps.
The most surprising thing about Tekton is that it treats CI/CD as a first-class Kubernetes API. Instead of installing a separate CI/CD tool that then talks to Kubernetes, Tekton is the CI/CD tool, built on Kubernetes. This means you don’t have a separate control plane to manage; your CI/CD infrastructure lives alongside your applications.
To get this running, you’d typically install the Tekton Pipelines controller into your Kubernetes cluster. Then, you’d define your Tasks and Pipelines as Kubernetes Custom Resources. A PipelineRun object then triggers the execution. For authentication to Docker registries, you’d typically create a Kubernetes Secret of type docker-registry and reference it in your Task definition, often via ServiceAccount annotations or directly as a parameter.
The core concept is that Tasks are the building blocks, and Pipelines are the orchestrations of those blocks. PipelineRuns are the instances of execution. This abstraction allows for a highly modular and reusable CI/CD system. You can build a library of common tasks (e.g., build-java-app, deploy-to-gke, scan-image-for-vulns) and then assemble them into different pipelines for various projects.
When a PipelineRun is created, Tekton’s controller watches for it. For each task in the pipeline, it creates a TaskRun object, which in turn provisions a Pod. These Pods mount Workspaces (which are PersistentVolumeClaims or emptyDir volumes) to share data between steps, like build artifacts. The runAfter dependencies are managed by the controller, ensuring tasks only start when their predecessors complete successfully.
A subtle but powerful aspect is how Tekton handles configuration and secrets. Instead of embedding sensitive information directly in pipeline definitions, you leverage Kubernetes Secrets and ConfigMaps. These can be mounted as volumes or exposed as environment variables to your task containers. Furthermore, Tekton allows you to associate ServiceAccounts with Tasks or PipelineRuns, granting specific IAM permissions for cloud resources, like pushing to an ECR or GCR repository, without needing to embed cloud credentials in your CI jobs.
The next evolution in your Tekton journey will involve exploring Triggers, which allow you to initiate PipelineRuns based on external events like Git pushes or GitHub pull requests.