From 3fd30ead0cdf3edc9d351cf2246c741da6562700 Mon Sep 17 00:00:00 2001
From: claudex <claude.xavier@gmail.com>
Date: Mon, 27 Jun 2022 22:45:52 +0200
Subject: [PATCH] Fix the /kaniko directory permissions in container (#2009)

* Fix the /kaniko directory permissions in container

Create /kaniko directory with world permission to allow the creation of
sub directories by any user when the executor is run as non root. This
can lower the security but shouldn't have any impact in a container.

The tar unpack is the only way I found to have a directory with specific
permission as the image is created from "scratch" which doesn't have any
tool to change the permission otherwise.

Fixes #1363

* Avoid blackbox tar file creation

Use the Makefile to create the tar file use to create kaniko directory
in scratch container. This avoid having a "blackbox" binary file with
the empty directory.
---
 Makefile          | 9 ++++++++-
 deploy/Dockerfile | 2 ++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index f161d5c85..0d4ace0da 100644
--- a/Makefile
+++ b/Makefile
@@ -92,9 +92,16 @@ k8s-executor-build-push:
 	DOCKER_BUILDKIT=1 docker build ${BUILD_ARG} --build-arg=GOARCH=$(GOARCH) -t $(REGISTRY)/executor:latest -f deploy/Dockerfile .
 	docker push $(REGISTRY)/executor:latest
 
+files/kaniko:
+	mkdir files/kaniko
+
+files/kaniko.tar: files/kaniko
+	chmod 777 files/kaniko
+	cd files && tar cf kaniko.tar kaniko
+
 .PHONY: images
 images: DOCKER_BUILDKIT=1
-images:
+images: files/kaniko.tar
 	docker build ${BUILD_ARG} --build-arg=GOARCH=$(GOARCH) -t $(REGISTRY)/executor:latest -f deploy/Dockerfile .
 	docker build ${BUILD_ARG} --build-arg=GOARCH=$(GOARCH) -t $(REGISTRY)/executor:debug -f deploy/Dockerfile_debug .
 	docker build ${BUILD_ARG} --build-arg=GOARCH=$(GOARCH) -t $(REGISTRY)/executor:slim -f deploy/Dockerfile_slim .
diff --git a/deploy/Dockerfile b/deploy/Dockerfile
index a41d97a9a..1603755ee 100644
--- a/deploy/Dockerfile
+++ b/deploy/Dockerfile
@@ -45,6 +45,8 @@ FROM debian:bullseye-slim AS certs
 RUN apt update && apt install -y ca-certificates
 
 FROM scratch
+# Create kaniko directory with world write permission to allow non root run
+ADD files/kaniko.tar /
 COPY --from=0 /src/out/executor /kaniko/executor
 COPY --from=0 /usr/local/bin/docker-credential-gcr /kaniko/docker-credential-gcr
 COPY --from=0 /usr/local/bin/docker-credential-ecr-login /kaniko/docker-credential-ecr-login