Create debug image with busybox shell

README.md

@@ -151,9 +151,13 @@ kaniko comes with support for GCR, but configuring another credential helper sho
 
 ### Debug Image
 
-We provide `gcr.io/kaniko-project/executor:debug` as a a version of the executor image based off a Debian image. 
-This provides a shell and can be useful for debugging.
+The kaniko executor image is based off of scratch and doesn't contain a shell.
+We provide `gcr.io/kaniko-project/executor:debug`, a debug image which consists of the kaniko executor image along with a busybox shell to enter.
 
+You can launch the debug image with a shell entrypoint:
+```shell
+docker run -it --entrypoint=/busybox/sh gcr.io/kaniko-project/executor:debug
+```
 ## Security
  
 kaniko by itself **does not** make it safe to run untrusted builds inside your cluster, or anywhere else.

deploy/Dockerfile_debug

@@ -12,14 +12,25 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# Builds the executor from debian
+# Builds the static Go image to execute in a Kubernetes job
 
-FROM gcr.io/google-appengine/debian9:latest
-COPY out/executor /kaniko/executor
+FROM golang:1.10
+WORKDIR /go/src/github.com/GoogleContainerTools/kaniko
+COPY . .
+RUN make
+WORKDIR /usr/local/bin
+ADD https://github.com/GoogleCloudPlatform/docker-credential-gcr/releases/download/v1.4.3-static/docker-credential-gcr_linux_amd64-1.4.3.tar.gz .
+RUN tar -xvzf /usr/local/bin/docker-credential-gcr_linux_amd64-1.4.3.tar.gz
+
+FROM scratch
+COPY --from=0 /go/src/github.com/GoogleContainerTools/kaniko/out/executor /kaniko/executor
+COPY --from=0 /usr/local/bin/docker-credential-gcr /usr/local/bin/docker-credential-gcr
 COPY files/ca-certificates.crt /kaniko/ssl/certs/
-COPY files/docker-credential-gcr /usr/local/bin/
 COPY files/config.json /root/.docker/
+ADD files/busybox.tar /
 RUN ["docker-credential-gcr", "config", "--token-source=env"]
 ENV HOME /root
+ENV USER /root
+ENV PATH /usr/local/bin
 ENV SSL_CERT_DIR=/kaniko/ssl/certs
 ENTRYPOINT ["/kaniko/executor"]

deploy/executor-release.yaml

@@ -3,4 +3,17 @@ steps:
   - name: "gcr.io/cloud-builders/docker"
     args: ["build", "-f", "deploy/Dockerfile",
            "-t", "gcr.io/kaniko-project/executor:${COMMIT_SHA}", "."]
-images: ["gcr.io/kaniko-project/executor:${COMMIT_SHA}"]
+  # Then, we want to clone the distroless repo and build busybox.tar
+  - name: "gcr.io/cloud-builders/git"
+    args: ["clone", "https://github.com/GoogleContainerTools/distroless.git"]
+  - name: "gcr.io/cloud-builders/bazel"
+    args: ["build", "busybox:busybox_tar"]
+    dir: distroless
+  - name: ubuntu
+    args: ["mv", "distroless/bazel-genfiles/busybox/busybox.tar", "files/busybox.tar"]
+  # Then, we want to build the kaniko:debug image with the busybox shell
+  - name: "gcr.io/cloud-builders/docker"
+    args: ["build", "-f", "deploy/Dockerfile_debug",
+           "-t", "gcr.io/kaniko-project/executor:debug-${COMMIT_SHA}", "."]
+images: ["gcr.io/kaniko-project/executor:${COMMIT_SHA}",
+         "gcr.io/kaniko-project/executor:debug-${COMMIT_SHA}"]