Added skip-push-permission flag
Added skip-push-permission flag to conditionally disable the push permission check at build start, to accommodate slow network policies
cmdjulian committed Aug 6, 2023
1 parent 45b2681 commit eca30b0
Showing 6 changed files with 54 additions and 5 deletions.
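--- a/README.md
+++ b/README.md
@@ -100,6 +100,7 @@ _If you are interested in contributing to kaniko, see
 - [Flag `--reproducible`](#flag---reproducible)
 - [Flag `--single-snapshot`](#flag---single-snapshot)
 - [Flag `--skip-tls-verify`](#flag---skip-tls-verify)
+- [Flag `--skip-push-permission-check`](#flag---skip-push-permission-check)
 - [Flag `--skip-tls-verify-pull`](#flag---skip-tls-verify-pull)
 - [Flag `--skip-tls-verify-registry`](#flag---skip-tls-verify-registry)
 - [Flag `--skip-unused-stages`](#flag---skip-unused-stages)
@@ -1009,6 +1010,11 @@ reproducible.
 This flag takes a single snapshot of the filesystem at the end of the build, so
 only one layer will be appended to the base image.
 
+#### Flag `--skip-push-permission-check`
+
+Set this flag to skip push permission check. This can be useful to delay Kanikos first request for delayed
+network-policies.
+
 #### Flag `--skip-tls-verify`
 
 Set this flag to skip TLS certificate validation when pushing to a registry. It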
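--- a/cmd/executor/cmd/root.go
+++ b/cmd/executor/cmd/root.go
@@ -248,6 +248,7 @@ func addKanikoOptionsFlags() {
 RootCmd.PersistentFlags().BoolVarP(&opts.CacheRunLayers, "cache-run-layers", "", true, "Caches run layers")
 RootCmd.PersistentFlags().VarP(&opts.IgnorePaths, "ignore-path", "", "Ignore these paths when taking a snapshot. Set it repeatedly for multiple paths.")
 RootCmd.PersistentFlags().BoolVarP(&opts.ForceBuildMetadata, "force-build-metadata", "", false, "Force add metadata layers to build image")
+RootCmd.PersistentFlags().BoolVarP(&opts.SkipPushPermissionCheck, "skip-push-permission-check", "", false, "Skip check of the push permission")
 
 // Deprecated flags.
 RootCmd.PersistentFlags().StringVarP(&opts.SnapshotModeDeprecated, "snapshotMode", "", "", "This flag is deprecated. Please use '--snapshot-mode'.")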
8 changes: 4 additions & 4 deletions deploy/Dockerfile
@@ -41,13 +41,13 @@ COPY . .
# Then submit a PR with the changes to `go.mod`, `go.sum`, and `vendor`.

# Get GCR credential helper
RUN go install github.com/GoogleCloudPlatform/docker-credential-gcr
RUN go install github.com/GoogleCloudPlatform/docker-credential-gcr@latest

# Get Amazon ECR credential helper
RUN go install github.com/awslabs/amazon-ecr-credential-helper/ecr-login/cli/docker-credential-ecr-login
RUN go install github.com/awslabs/amazon-ecr-credential-helper/ecr-login/cli/docker-credential-ecr-login@latest

# Get ACR docker env credential helper
RUN go install github.com/chrismellard/docker-credential-acr-env
RUN go install github.com/chrismellard/docker-credential-acr-env@latest

RUN \
--mount=type=cache,target=/root/.cache/go-build \
@@ -67,7 +67,7 @@ FROM scratch AS kaniko-base-slim
RUN --mount=from=busybox,dst=/usr/ ["busybox", "sh", "-c", "mkdir -p /kaniko && chmod 777 /kaniko"]

COPY --from=certs /etc/ssl/certs/ca-certificates.crt /kaniko/ssl/certs/
COPY files/nsswitch.conf /etc/nsswitch.conf
#COPY files/nsswitch.conf /etc/nsswitch.conf
ENV HOME /root
ENV USER root
ENV PATH /usr/local/bin:/kaniko
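Review bot: The three credential-helper installs in the first hunk appear to move to `@latest` (the rendering lost the +/- markers, so this assumes the `@latest` lines are the new side), which makes the image fetch whatever version is current at build time rather than the versions recorded in the `go.mod`, `go.sum` and `vendor` that the comment just above refers to. These binaries handle registry credentials, so an unpinned fetch widens the supply-chain exposure and makes the image non-reproducible; pin each to an explicit version, e.g. `RUN go install github.com/GoogleCloudPlatform/docker-credential-gcr@<pinned-version>` (placeholder, not a real tag). In the second hunk, `#COPY files/nsswitch.conf /etc/nsswitch.conf` looks like a local workaround unrelated to the flag this commit adds; either restore the COPY or explain its removal in the commit description.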
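--- a/pkg/config/options.go
+++ b/pkg/config/options.go
@@ -87,6 +87,7 @@ type KanikoOptions struct {
 CacheRunLayers bool
 ForceBuildMetadata bool
 InitialFSUnpacked bool
+SkipPushPermissionCheck bool
 }
 
 type KanikoGitOptions struct {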
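--- a/pkg/executor/push.go
+++ b/pkg/executor/push.go
@@ -80,7 +80,9 @@ var (
 func CheckPushPermissions(opts *config.KanikoOptions) error {
 targets := opts.Destinations
 // When no push and no push cache are set, we don't need to check permissions
-if opts.NoPush && opts.NoPushCache {
+if opts.SkipPushPermissionCheck {
+targets = []string{}
+} else if opts.NoPush && opts.NoPushCache {
 targets = []string{}
 } else if opts.NoPush && !opts.NoPushCache {
 // When no push is set, we want to check permissions for the cache repo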
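Review bot: The new `opts.SkipPushPermissionCheck` branch is undocumented and now sits directly under the comment about `NoPush`/`NoPushCache`, so that comment describes the second branch rather than the first. Move it down to the `} else if opts.NoPush && opts.NoPushCache {` line and give the new branch its own comment, e.g. `// --skip-push-permission-check: make no pre-flight registry request; auth or permission errors then surface only at push time`. Because skipping the check means a credential or authorization problem is discovered only after the whole build has run, an info-level log line in this branch would help operators notice that the safeguard is off. The rest of CheckPushPermissions lies outside the hunk, so whether an early `return nil` would be equivalent to emptying `targets` cannot be confirmed from here.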
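--- a/pkg/executor/push_test.go
+++ b/pkg/executor/push_test.go
@@ -350,6 +350,45 @@ func TestCheckPushPermissions(t *testing.T) {
 }
 }
 
+func TestSkipPushPermission(t *testing.T) {
+tests := []struct {
+description string
+cacheRepo string
+checkPushPermsExpectedCallCount int
+destinations []string
+existingConfig bool
+noPush bool
+noPushCache bool
+skipPushPermission bool
+}{
+{description: "skip push permission enabled", destinations: []string{"test.io/skip"}, checkPushPermsExpectedCallCount: 0, skipPushPermission: true},
+{description: "skip push permission disabled", destinations: []string{"test.io/push"}, checkPushPermsExpectedCallCount: 1, skipPushPermission: false},
+}
+
+checkRemotePushPermission = fakeCheckPushPermission
+for _, test := range tests {
+t.Run(test.description, func(t *testing.T) {
+resetCalledCount()
+fs = afero.NewMemMapFs()
+opts := config.KanikoOptions{
+CacheRepo: test.cacheRepo,
+Destinations: test.destinations,
+NoPush: test.noPush,
+NoPushCache: test.noPushCache,
+SkipPushPermissionCheck: test.skipPushPermission,
+}
+if test.existingConfig {
+afero.WriteFile(fs, util.DockerConfLocation(), []byte(""), os.FileMode(0644))
+defer fs.Remove(util.DockerConfLocation())
+}
+CheckPushPermissions(&opts)
+if checkPushPermsCallCount != test.checkPushPermsExpectedCallCount {
+t.Errorf("expected check push permissions call count to be %d but it was %d", test.checkPushPermsExpectedCallCount, checkPushPermsCallCount)
+}
+})
+}
+}
+
 func TestHelperProcess(t *testing.T) {
 if os.Getenv("GO_WANT_HELPER_PROCESS") != "1" {
 return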
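Review bot: `CheckPushPermissions(&opts)` in the subtest discards the returned error, so the test would keep passing if the skip path began to fail; assuming the fake returns nil, assert it with `if err := CheckPushPermissions(&opts); err != nil { t.Errorf("unexpected error: %v", err) }`. The table also declares `cacheRepo`, `existingConfig`, `noPush` and `noPushCache`, which no case sets, so the `existingConfig` branch is dead and the interaction of the skip flag with `NoPush` and a cache repo is untested; drop those fields or add cases that use them. `checkRemotePushPermission = fakeCheckPushPermission` is assigned and not restored here, so unless something outside this hunk resets it, the fake stays installed for later tests in the package.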
