add option additonal-whitelist

Add a new option additonal-whitelist which defaults
to a single entry, "/var/run". This will allow users to
remove "/var/run" from the whitelist or retain the current
behavior with no change.

cmd/executor/cmd/root.go

@@ -38,9 +38,10 @@ import (
 )
 
 var (
-	opts     = &config.KanikoOptions{}
-	logLevel string
-	force    bool
+	opts                = &config.KanikoOptions{}
+	logLevel            string
+	force               bool
+	additionalWhitelist []string
 )
 
 func init() {
@@ -73,6 +74,16 @@ var RootCmd = &cobra.Command{
 			if len(opts.Destinations) == 0 && opts.ImageNameDigestFile != "" {
 				return errors.New("You must provide --destination if setting ImageNameDigestFile")
 			}
+
+			if additionalWhitelist == nil {
+				additionalWhitelist = []string{
+					"/var/run",
+				}
+			}
+
+			for _, path := range additionalWhitelist {
+				util.AddToWhitelist(path)
+			}
 		}
 		return nil
 	},
@@ -144,6 +155,10 @@ func addKanikoOptionsFlags() {
 	RootCmd.PersistentFlags().DurationVarP(&opts.CacheTTL, "cache-ttl", "", time.Hour*336, "Cache timeout in hours. Defaults to two weeks.")
 	RootCmd.PersistentFlags().VarP(&opts.InsecureRegistries, "insecure-registry", "", "Insecure registry using plain HTTP to push and pull. Set it repeatedly for multiple registries.")
 	RootCmd.PersistentFlags().VarP(&opts.SkipTLSVerifyRegistries, "skip-tls-verify-registry", "", "Insecure registry ignoring TLS verify to push and pull. Set it repeatedly for multiple registries.")
+
+	// We use nil as the default value so we can differentiate between the flag passed
+	// with an empty list and the flag not set
+	RootCmd.PersistentFlags().StringSliceVar(&additionalWhitelist, "additional-whitelist", nil, "Paths to whitelist. These will be ignored be kaniko to improve performance.")
 }
 
 // addHiddenFlags marks certain flags as hidden from the executor help text

pkg/util/fs_util.go

@@ -48,13 +48,6 @@ var initialWhitelist = []WhitelistEntry{
 		Path:            "/kaniko",
 		PrefixMatchOnly: false,
 	},
-	{
-		// /var/run is a special case. It's common to mount in /var/run/docker.sock or something similar
-		// which leads to a special mount on the /var/run/docker.sock file itself, but the directory to exist
-		// in the image with no way to tell if it came from the base image or not.
-		Path:            "/var/run",
-		PrefixMatchOnly: false,
-	},
 	{
 		// similarly, we whitelist /etc/mtab, since there is no way to know if the file was mounted or came
 		// from the base image
@@ -69,6 +62,10 @@ var volumes = []string{}
 
 var excluded []string
 
+func AddToWhitelist(path string) {
+	initialWhitelist = append(initialWhitelist, WhitelistEntry{Path: path})
+}
+
 type ExtractFunction func(string, *tar.Header, io.Reader) error
 
 type FSConfig struct {

pkg/util/fs_util_test.go

@@ -64,7 +64,6 @@ func Test_DetectFilesystemWhitelist(t *testing.T) {
 		{"/dev", false},
 		{"/dev/pts", false},
 		{"/sys", false},
-		{"/var/run", false},
 		{"/etc/mtab", false},
 	}
 	actualWhitelist := whitelist
@@ -75,6 +74,28 @@ func Test_DetectFilesystemWhitelist(t *testing.T) {
 		return expectedWhitelist[i].Path < expectedWhitelist[j].Path
 	})
 	testutil.CheckErrorAndDeepEqual(t, false, err, expectedWhitelist, actualWhitelist)
+
+	tmpInitial := make([]WhitelistEntry, len(initialWhitelist))
+
+	copy(tmpInitial, initialWhitelist)
+	defer func() {
+		initialWhitelist = tmpInitial
+	}()
+
+	AddToWhitelist("/var/run")
+
+	err = DetectFilesystemWhitelist(path)
+	expectedWhitelist = append(expectedWhitelist,
+		WhitelistEntry{"/var/run", false})
+
+	actualWhitelist = whitelist
+	sort.Slice(actualWhitelist, func(i, j int) bool {
+		return actualWhitelist[i].Path < actualWhitelist[j].Path
+	})
+	sort.Slice(expectedWhitelist, func(i, j int) bool {
+		return expectedWhitelist[i].Path < expectedWhitelist[j].Path
+	})
+	testutil.CheckErrorAndDeepEqual(t, false, err, expectedWhitelist, actualWhitelist)
 }
 
 var tests = []struct {