Skip to content


kustomizer push artifact

Push uploads Kubernetes manifests to a container registry.


The push command scans the given path for Kubernetes manifests or Kustomize overlays, builds the manifests into a multi-doc YAML, packages the YAML file into an OCI artifact and pushes the image to the container registry. The push command uses the credentials from '~/.docker/config.json'.

kustomizer push artifact [flags]


  kustomizer push artifact <oci url> -k <overlay path> [-f <dir path>|<file path>]

  # Build Kubernetes plain manifests and push the resulting multi-doc YAML to Docker Hub
  kustomizer push artifact oci://$(git rev-parse --short HEAD) \
    -f ./deploy/manifests \
    --source="$(git config --get remote.origin.url)" \
    --revision="$(git branch --show-current)/$(git rev-parse HEAD)"

  # Build a Kustomize overlay and push the resulting multi-doc YAML to GitHub Container Registry
  kustomizer push artifact oci://$(git tag --points-at HEAD) \
    --kustomize="./deploy/production" \
    --source="$(git config --get remote.origin.url)" \
    --revision="$(git tag --points-at HEAD)/$(git rev-parse HEAD)"

  # Push to a local registry
  kustomizer push artifact oci://localhost:5000/repo:latest -f ./deploy/manifests 

  # Push and sign artifact with cosign
  kustomizer push artifact oci:// -f ./deploy/manifests --sign --cosign-key ./keys/cosign.key

  # Push and sign artifact with cosign and GitHub OIDC (GH Actions)
  kustomizer push artifact oci:// -f ./deploy/manifests --sign

  # Push encrypted artifact
  kustomizer push artifact oci:// -f ./deploy/manifests --age-recipients ./keys/pub.txt 


      --age-recipients string   Path to a file containing one or more age recipients (public keys generated by age-keygen).
      --cosign-key string       Path to the consign private key file, KMS URI or Kubernetes Secret. When not specified, cosign will try to producing an identity token from the environment (GH Actions or GCP).
  -f, --filename strings        Path to Kubernetes manifest(s). If a directory is specified, then all manifests in the directory tree will be processed recursively.
  -h, --help                    help for artifact
  -k, --kustomize string        Path to a directory that contains a kustomization.yaml.
  -p, --patch strings           Path to a kustomization file that contains a list of patches.
      --revision string         the source revision in the format '<branch|tag>/<commit-sha>'
      --sign                    Sign the artifact with cosign.
      --source string           the source address, e.g. the Git URL

Options inherited from parent commands

      --as string                      Username to impersonate for the operation. User could be a regular user or a service account in a namespace.
      --as-group stringArray           Group to impersonate for the operation, this flag can be repeated to specify multiple groups.
      --as-uid string                  UID to impersonate for the operation.
      --cache-dir string               Default cache directory (default "/home/runner/.kube/cache")
      --certificate-authority string   Path to a cert file for the certificate authority
      --client-certificate string      Path to a client certificate file for TLS
      --client-key string              Path to a client key file for TLS
      --cluster string                 The name of the kubeconfig cluster to use
      --context string                 The name of the kubeconfig context to use
      --insecure-skip-tls-verify       If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
      --kubeconfig string              Path to the kubeconfig file to use for CLI requests.
  -n, --namespace string               The inventory namespace. (default "default")
  -s, --server string                  The address and port of the Kubernetes API server
      --timeout duration               The length of time to wait before giving up on the current operation. (default 1m0s)
      --tls-server-name string         Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used
      --token string                   Bearer token for authentication to the API server
      --user string                    The name of the kubeconfig user to use