Kaniko Lives On: Chainguard Forks Google’s Dumped Tool
When Google quietly archived the Kaniko project earlier this month, it left a gap in the container ecosystem.
Kaniko, a tool that enables building Docker images inside Kubernetes clusters without privileged containers, has become foundational infrastructure for organizations across financial services, defense, and other regulated industries.
Recognizing the need for this tool, Chainguard immediately stepped in to fork the project, ensuring continuity for the thousands of organizations that depend on it daily, Dan Lorenc, co-founder and CEO of Chainguard, told The New Stack.
The Problem Kaniko Solved
Seven years ago, there was no way to build Docker images inside a Kubernetes cluster, Lorenc said. This created a challenge for organizations seeking to implement secure CI/CD pipelines without running privileged containers—a security risk that many enterprises couldn’t accept.
“There was no way to build Docker images inside a Kubernetes cluster at the time, so we decided to try to fix that with the ugliest, nastiest, ‘this is never going to work’-iest hack imaginable,” explained Chainguard engineer Priya Wadhwa in a blog post. Wadhwa originally created Kaniko while working on Google’s Container Tools team and now serves as senior engineering manager at Chainguard.
However, the hack worked. Not only did it solve the fundamental problem, but the team discovered ways to make Kaniko faster than traditional Docker builds in many scenarios, Lorenc said.
From Side Project to Critical Infrastructure
What started as a small side project has become what Lorenc describes as “load-bearing” infrastructure. The project has garnered widespread adoption across industries with strict security and compliance requirements.
“I’ve been somewhat shocked by the outreach after the announcement,” Lorenc said. “How many places this thing has been running over the years — critical infrastructure, regulated industries, air-gapped environments in defense and military. Multiple governments have reached out to us because they were using this thing.”
The tool’s importance became evident when Chainguard announced their fork, he said. The community response on social media showed just how many organizations had quietly integrated Kaniko into their essential workflows.
Lorenc’s LinkedIn post about the fork generated about 570 reactions.
One such reaction from Zamir Kuqo, a cloud and DevSecOps lead at Naval Information Warfare Center (NIWC) Atlantic, reads: “Kaniko has been a game changer for building container images in Kubernetes without requiring Docker privileges. Sad to see Google ending support, but huge kudos to Chainguard for stepping up with a maintained fork…”
The Open Source Sustainability Challenge
Kaniko’s situation highlights a broader challenge in open source sustainability. The project represents what Lorenc calls the “foundational layer” of open source — mature, stable tools that don’t need constant feature development but require ongoing maintenance.
“A lot of open source projects get to this point where they’re mostly done,” Lorenc said. “There’s not a lot of feature work. They set out to do what they want to do, and they don’t need a lot of maintenance to keep them going. They need some, not zero.”
These foundational projects often fall through the cracks because they don’t generate the excitement needed for traditional funding models. Unlike newer projects with active development roadmaps and growing communities, mature tools like Kaniko need someone to “just sit there, merge the dependency bump PRs, fix any CVEs that appear, and feed and water them,” he said.
The stakes of abandonment became clear with incidents like the XZ Utils backdoor, where an abandoned project was handed off to malicious actors. “You can’t just completely abandon them,” Lorenc warns.
Chainguard’s Approach
This isn’t Chainguard’s first time adopting an abandoned open source project. The company has forked projects “half a dozen times” when vulnerabilities are discovered but no maintainers remain to merge fixes, Lorenc said.
“Sometimes a community fork appears somewhere else later, after people find out the thing was abandoned, and then we merge ours back over to there,” he said. “Other times, we just keep it going long term if nobody else appears.”
For Kaniko, Chainguard is taking a measured approach. They’re not planning major new features — most users prefer stability over change for foundational tools, Lorenc said. Instead, the company is focusing on maintenance — keeping dependencies updated, addressing security vulnerabilities, and merging critical bug fixes.
The fork remains fully open source and upstream, not a Chainguard-exclusive project. For existing users, the transition is simple: swap the repository URL and continue as before.
Strategic Alignment
The Kaniko fork aligns with Chainguard’s broader mission as the “safe source for open source.” The company has built its business around providing secure, maintained versions of open source software through its Chainguard Images product.
“Instead of some tool or scanner or something else to tell you about all the problems in your supply chain, we’re just selling a fixed, trusted supply chain,” Lorenc said.
Kaniko fits this vision well. The tool embodies principles Chainguard champions — “ephemeral, sandboxed, minimal, and secure-by-default infrastructure,” Lorenc said. It helped pave the way for modern container security practices that treat build systems like production systems, he said.
Looking Forward
While Google has moved on to other priorities, Chainguard sees long-term value in maintaining these foundational tools.
“We maintain the catalogs. We patch the CVEs. We fork critical tools when no one else will. We care when your build breaks,” Wadhwa, Lorenc and Kim Lewandowski, co-founder and CPO of Chainguard, wrote in the post. “That’s the difference.”
The Bigger Picture
The Kaniko story reflects the evolving nature of open source sustainability. Some of the most critical open source software may be the stable, “boring” tools that just need someone to keep the lights on, Lorenc said.