diff --git a/Jenkinsfile b/Jenkinsfile
index 3dee421..4b3d390 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -1,5 +1,41 @@
 pipeline {
-  agent any
+  agent {
+    kubernetes {
+      label 'harbor-arm-build'
+      defaultContainer 'git'
+      yaml """
+apiVersion: v1
+kind: Pod
+spec:
+  containers:
+  - name: git
+    image: alpine/git:2.45.2
+    command: ['cat']
+    tty: true
+    volumeMounts:
+    - mountPath: /home/jenkins/agent
+      name: workspace-volume
+  - name: kaniko
+    image: gcr.io/kaniko-project/executor:v1.23.2-debug
+    command: ['cat']
+    tty: true
+    volumeMounts:
+    - mountPath: /home/jenkins/agent
+      name: workspace-volume
+    - mountPath: /kaniko/.docker
+      name: docker-config
+  volumes:
+  - name: workspace-volume
+    emptyDir: {}
+  - name: docker-config
+    secret:
+      secretName: harbor-robot-pipeline
+      items:
+      - key: .dockerconfigjson
+        path: config.json
+"""
+    }
+  }
   environment {
     REGISTRY = 'registry.bstein.dev'
     IMAGE    = 'infra/harbor-arm-build'
@@ -7,33 +43,36 @@ pipeline {
   stages {
     stage('Checkout') {
       steps {
-        git credentialsId: 'gitea-pat', url: 'https://scm.bstein.dev/bstein/harbor-arm-build.git'
+        container('git') {
+          git credentialsId: 'gitea-pat', url: 'https://scm.bstein.dev/bstein/harbor-arm-build.git'
+        }
       }
     }
-    stage('Build image') {
+    stage('Build & Push (kaniko)') {
       steps {
-        sh '''
-        cat > app.sh <<'APP'
-        #!/usr/bin/env bash
-        echo "hello harbor arm build $(date)"
-        APP
-        chmod +x app.sh
-        cat > Dockerfile <<'DOCKER'
-        FROM alpine:3.20
-        COPY app.sh /usr/local/bin/app.sh
-        RUN chmod +x /usr/local/bin/app.sh
-        ENTRYPOINT ["/usr/local/bin/app.sh"]
-        DOCKER
-        docker build -t $REGISTRY/$IMAGE:latest .
-        '''
-      }
-    }
-    stage('Push image') {
-      steps {
-        withCredentials([usernamePassword(credentialsId: 'harbor-robot', usernameVariable: 'HUSER', passwordVariable: 'HPASS')]) {
+        container('kaniko') {
           sh '''
-          echo "$HPASS" | docker login -u "$HUSER" --password-stdin $REGISTRY
-          docker push $REGISTRY/$IMAGE:latest
+          set -euo pipefail
+          cat > app.sh <<'APP'
+          #!/usr/bin/env bash
+          echo "hello harbor arm build $(date)"
+          APP
+          chmod +x app.sh
+
+          cat > Dockerfile <<'DOCKER'
+          FROM alpine:3.20
+          COPY app.sh /usr/local/bin/app.sh
+          RUN chmod +x /usr/local/bin/app.sh
+          ENTRYPOINT ["/usr/local/bin/app.sh"]
+          DOCKER
+
+          /kaniko/executor \
+            --context "${PWD}" \
+            --dockerfile "${PWD}/Dockerfile" \
+            --destination "${REGISTRY}/${IMAGE}:latest" \
+            --snapshotMode=redo \
+            --single-snapshot \
+            --verbosity=info
           '''
         }
       }