added skip-push-permission flag #2657

Merged
merged 2 commits into from
Aug 15, 2023
6 changes: 6 additions & 0 deletions README.md
Expand Up @@ -100,6 +100,7 @@ _If you are interested in contributing to kaniko, see
- [Flag `--reproducible`](#flag---reproducible)
- [Flag `--single-snapshot`](#flag---single-snapshot)
- [Flag `--skip-tls-verify`](#flag---skip-tls-verify)
- [Flag `--skip-push-permission-check`](#flag---skip-push-permission-check)
- [Flag `--skip-tls-verify-pull`](#flag---skip-tls-verify-pull)
- [Flag `--skip-tls-verify-registry`](#flag---skip-tls-verify-registry)
- [Flag `--skip-unused-stages`](#flag---skip-unused-stages)
Expand Down Expand Up @@ -1009,6 +1010,11 @@ reproducible.
This flag takes a single snapshot of the filesystem at the end of the build, so
only one layer will be appended to the base image.

#### Flag `--skip-push-permission-check`

Set this flag to skip push permission check. This can be useful to delay Kanikos first request for delayed
network-policies.

#### Flag `--skip-tls-verify`

Set this flag to skip TLS certificate validation when pushing to a registry. It
1 change: 1 addition & 0 deletions cmd/executor/cmd/root.go
Expand Up @@ -248,6 +248,7 @@ func addKanikoOptionsFlags() {
RootCmd.PersistentFlags().BoolVarP(&opts.CacheRunLayers, "cache-run-layers", "", true, "Caches run layers")
RootCmd.PersistentFlags().VarP(&opts.IgnorePaths, "ignore-path", "", "Ignore these paths when taking a snapshot. Set it repeatedly for multiple paths.")
RootCmd.PersistentFlags().BoolVarP(&opts.ForceBuildMetadata, "force-build-metadata", "", false, "Force add metadata layers to build image")
RootCmd.PersistentFlags().BoolVarP(&opts.SkipPushPermissionCheck, "skip-push-permission-check", "", false, "Skip check of the push permission")

// Deprecated flags.
RootCmd.PersistentFlags().StringVarP(&opts.SnapshotModeDeprecated, "snapshotMode", "", "", "This flag is deprecated. Please use '--snapshot-mode'.")
1 change: 1 addition & 0 deletions pkg/config/options.go
Expand Up @@ -87,6 +87,7 @@ type KanikoOptions struct {
CacheRunLayers bool
ForceBuildMetadata bool
InitialFSUnpacked bool
SkipPushPermissionCheck bool
}

type KanikoGitOptions struct {
4 changes: 3 additions & 1 deletion pkg/executor/push.go
Expand Up @@ -80,7 +80,9 @@ var (
func CheckPushPermissions(opts *config.KanikoOptions) error {
targets := opts.Destinations
// When no push and no push cache are set, we don't need to check permissions
if opts.NoPush && opts.NoPushCache {
if opts.SkipPushPermissionCheck {
targets = []string{}
} else if opts.NoPush && opts.NoPushCache {
targets = []string{}
} else if opts.NoPush && !opts.NoPushCache {
// When no push is set, we want to check permissions for the cache repo
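Review bot: The comment `// When no push and no push cache are set, we don't need to check permissions` now sits directly above the new `opts.SkipPushPermissionCheck` branch, so it describes the wrong condition. Move it down to the `else if opts.NoPush && opts.NoPushCache` arm and give the skip branch its own comment, for example `// --skip-push-permission-check: run no pre-flight permission check for any target`. Both arms assign the same empty slice, so they could also be merged as `if opts.SkipPushPermissionCheck || (opts.NoPush && opts.NoPushCache) {`. With the flag set, missing or wrong registry credentials are presumably reported only by the final push after the build has run, so a log line stating that the check was skipped would help whoever reads the build output. The rest of CheckPushPermissions lies outside this hunk.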
39 changes: 39 additions & 0 deletions pkg/executor/push_test.go
Expand Up @@ -350,6 +350,45 @@ func TestCheckPushPermissions(t *testing.T) {
}
}

func TestSkipPushPermission(t *testing.T) {
tests := []struct {
description string
cacheRepo string
checkPushPermsExpectedCallCount int
destinations []string
existingConfig bool
noPush bool
noPushCache bool
skipPushPermission bool
}{
{description: "skip push permission enabled", destinations: []string{"test.io/skip"}, checkPushPermsExpectedCallCount: 0, skipPushPermission: true},
{description: "skip push permission disabled", destinations: []string{"test.io/push"}, checkPushPermsExpectedCallCount: 1, skipPushPermission: false},
}

checkRemotePushPermission = fakeCheckPushPermission
for _, test := range tests {
t.Run(test.description, func(t *testing.T) {
resetCalledCount()
fs = afero.NewMemMapFs()
opts := config.KanikoOptions{
CacheRepo: test.cacheRepo,
Destinations: test.destinations,
NoPush: test.noPush,
NoPushCache: test.noPushCache,
SkipPushPermissionCheck: test.skipPushPermission,
}
if test.existingConfig {
afero.WriteFile(fs, util.DockerConfLocation(), []byte(""), os.FileMode(0644))
defer fs.Remove(util.DockerConfLocation())
}
CheckPushPermissions(&opts)
if checkPushPermsCallCount != test.checkPushPermsExpectedCallCount {
t.Errorf("expected check push permissions call count to be %d but it was %d", test.checkPushPermsExpectedCallCount, checkPushPermsCallCount)
}
})
}
}

func TestHelperProcess(t *testing.T) {
if os.Getenv("GO_WANT_HELPER_PROCESS") != "1" {
return
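Review bot: The return value of `CheckPushPermissions(&opts)` is discarded in the subtest, so a skip path that returned an error would still pass; assert it with `if err := CheckPushPermissions(&opts); err != nil { t.Errorf("unexpected error: %v", err) }`. The table fields `cacheRepo`, `existingConfig`, `noPush` and `noPushCache` are never set by either case, which leaves the `existingConfig` branch unreachable and leaves untested that the flag also suppresses the cache-repo check when `noPush` is set without `noPushCache`. `checkRemotePushPermission` and `fs` are assigned with `=` and never restored, so they look like package-level variables that stay replaced for later tests; restoring them in a `t.Cleanup` would keep the tests independent.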