From 72c3d4a237242f5af321f569c0d16141f0541998 Mon Sep 17 00:00:00 2001
From: Tonis Tiigi
Date: Thu, 19 Dec 2024 16:45:30 -0800
Subject: [PATCH] bake: make FS entitlements error by default

Change FS entitlements checks from warning to error by default as expressed in initial PR. Users can still opt-out with environment variable if the choose to.

Signed-off-by: Tonis Tiigi
---
 bake/entitlements.go | 10 ++++------
 hack/test-driver | 4 +++-
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/bake/entitlements.go b/bake/entitlements.go
index 8d6d0c37f271..287d874a028f 100644
--- a/bake/entitlements.go
+++ b/bake/entitlements.go
@@ -257,7 +257,7 @@ func (c EntitlementConf) Prompt(ctx context.Context, isRemote bool, out io.Write
 			fmt.Fprintf(out, "%s %s %s\n\n", strings.Join(args[:idx+1], " "), strings.Join(slices.Concat(flags, flagsFS), " "), strings.Join(args[idx+1:], " "))
 		}
 
-	fsEntitlementsEnabled := false
+	fsEntitlementsEnabled := true
 	if isRemote {
 		if v, ok := os.LookupEnv("BAKE_ALLOW_REMOTE_FS_ACCESS"); ok {
 			vv, err := strconv.ParseBool(v)
@@ -265,8 +265,6 @@ func (c EntitlementConf) Prompt(ctx context.Context, isRemote bool, out io.Write
 				return errors.Wrapf(err, "failed to parse BAKE_ALLOW_REMOTE_FS_ACCESS value %q", v)
 			}
 			fsEntitlementsEnabled = !vv
-		} else {
-			fsEntitlementsEnabled = true
 		}
 	}
 	v, fsEntitlementsSet := os.LookupEnv("BUILDX_BAKE_ENTITLEMENTS_FS")
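Review bot: The new default `fsEntitlementsEnabled := true` is shaped by two environment variables whose relationship is not stated anywhere in the hunk: `BAKE_ALLOW_REMOTE_FS_ACCESS` is consulted only when `isRemote` is set, and `BUILDX_BAKE_ENTITLEMENTS_FS` is read on the last context line with its handling outside the hunk. A comment above the initialisation would save the next reader the trace, e.g. `// Filesystem entitlement checks are on by default; BAKE_ALLOW_REMOTE_FS_ACCESS can turn them off for remote bake definitions, and BUILDX_BAKE_ENTITLEMENTS_FS is consulted below.` Whether the second variable overrides the first should be confirmed against the code that follows the hunk before the comment claims it. The -265 hunk only drops the else branch made redundant by the new default; the enclosing Prompt method starts and ends outside both hunks.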
@@ -279,11 +277,11 @@ func (c EntitlementConf) Prompt(ctx context.Context, isRemote bool, out io.Write
 	}
 
 	if !fsEntitlementsEnabled && len(msgs) == 0 {
-		if !fsEntitlementsSet {
-			fmt.Fprintf(out, "This warning will become an error in a future release. To enable filesystem entitlements checks at the moment, set BUILDX_BAKE_ENTITLEMENTS_FS=1 .\n\n")
-		}
 		return nil
 	}
+	if fsEntitlementsEnabled && !fsEntitlementsSet && len(msgsFS) != 0 {
+		fmt.Fprintf(out, "To disable filesystem entitlements checks, you can set BUILDX_BAKE_ENTITLEMENTS_FS=0 .\n\n")
+	}
 
 	if term {
 		fmt.Fprintf(out, "Do you want to grant requested privileges and continue? [y/N] ")
diff --git a/hack/test-driver b/hack/test-driver
index 5d244a9e0290..e70315e31554 100755
--- a/hack/test-driver
+++ b/hack/test-driver
@@ -167,7 +167,8 @@ buildxCmd bake ${bakePlatformFlag} \
   --file="${bakedef}" \
   --builder="${builderName}" \
   --set "*.context=${context}" \
-  --metadata-file="${context}/metadata-bake-def.json"
+  --metadata-file="${context}/metadata-bake-def.json" \
+  --allow fs="${context}"
 cat "${context}/metadata-bake-def.json"
 
 # bake all target
@@ -175,6 +176,7 @@ buildxCmd bake ${bakePlatformFlag} \
   --file="${bakedef}" \
   --builder="${builderName}" \
   --set "*.context=${context}" \
+  --allow fs="${context}" \
   --metadata-file="${context}/metadata-bake-all.json" \
   all
 cat "${context}/metadata-bake-all.json"
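Review bot: The hint printed under `fsEntitlementsEnabled && !fsEntitlementsSet && len(msgsFS) != 0` offers only the global kill switch `BUILDX_BAKE_ENTITLEMENTS_FS=0`, so a user who hits the now-default error is steered toward disabling the check for every path rather than granting the one path that was flagged, even though the test-driver hunks in this same patch show the narrower option, `--allow fs=<path>`. Leading with the scoped grant keeps the default secure without being a dead end, e.g. `fmt.Fprintf(out, "To allow access to a specific path, pass --allow fs=<path>. To disable filesystem entitlements checks entirely, set BUILDX_BAKE_ENTITLEMENTS_FS=0.\n\n")`. The current string also carries a stray space before the full stop (`=0 .`). The enclosing Prompt method starts and ends outside the hunk.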
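Review bot: The two new `--allow fs="${context}"` arguments land in different positions: after `--metadata-file` in the -167 hunk but before it in the -175 hunk, which makes the two otherwise parallel `buildxCmd bake` invocations harder to compare by eye. Placing the flag at the same point in both, for instance directly after `--set "*.context=${context}"`, keeps the blocks aligned. Scoping the grant to `${context}` itself, the same path the bake definition is pointed at, is the right width for the test. Both invocations begin outside their hunks.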