diff --git a/cmd/executor/cmd/root.go b/cmd/executor/cmd/root.go
index e7a058abd..0374ba341 100644
--- a/cmd/executor/cmd/root.go
+++ b/cmd/executor/cmd/root.go
@@ -38,9 +38,10 @@ import (
 )
 var (
- opts = &config.KanikoOptions{}
- logLevel string
- force bool
+ opts = &config.KanikoOptions{}
+ logLevel string
+ force bool
+ additionalWhitelist []string
 )
 func init() {
@@ -73,6 +74,16 @@ var RootCmd = &cobra.Command{
 if len(opts.Destinations) == 0 && opts.ImageNameDigestFile != "" {
 return errors.New("You must provide --destination if setting ImageNameDigestFile")
 }
+
+ if additionalWhitelist == nil {
+ additionalWhitelist = []string{
+ "/var/run",
+ }
+ }
+
+ for _, path := range additionalWhitelist {
+ util.AddToWhitelist(path)
+ }
 }
 return nil
 },
@@ -144,6 +155,10 @@ func addKanikoOptionsFlags() {
 RootCmd.PersistentFlags().DurationVarP(&opts.CacheTTL, "cache-ttl", "", time.Hour*336, "Cache timeout in hours. Defaults to two weeks.")
 RootCmd.PersistentFlags().VarP(&opts.InsecureRegistries, "insecure-registry", "", "Insecure registry using plain HTTP to push and pull. Set it repeatedly for multiple registries.")
 RootCmd.PersistentFlags().VarP(&opts.SkipTLSVerifyRegistries, "skip-tls-verify-registry", "", "Insecure registry ignoring TLS verify to push and pull. Set it repeatedly for multiple registries.")
+
+ // We use nil as the default value so we can differentiate between the flag passed
+ // with an empty list and the flag not set
+ RootCmd.PersistentFlags().StringSliceVar(&additionalWhitelist, "additional-whitelist", nil, "Paths to whitelist. These will be ignored be kaniko to improve performance.")
 }
 // addHiddenFlags marks certain flags as hidden from the executor help text
diff --git a/pkg/util/fs_util.go b/pkg/util/fs_util.go
index 7aa91adff..9f59906de 100644
--- a/pkg/util/fs_util.go
+++ b/pkg/util/fs_util.go
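Review bot: The values taken from --additional-whitelist are handed to util.AddToWhitelist verbatim, so a relative path, a trailing slash or an empty element (which `--additional-whitelist=,` would produce) is recorded as-is, and whether the whitelist matcher later treats such an entry as the user intended is not visible here. Since a whitelisted path is one kaniko skips when snapshotting, a malformed value silently drops files from the image; I would skip empty strings and normalize before the call, `if path == "" { continue }` followed by `util.AddToWhitelist(filepath.Clean(path))`, and reject non-absolute paths (this needs path/filepath in the import block, which lies outside the hunk). The comment that explained why /var/run is special was deleted from fs_util.go and not carried over; the default block here is the natural home for it, e.g. `// /var/run is commonly a mount point (docker.sock etc.), so it is whitelisted unless the user supplies their own list`. The enclosing command function begins and ends outside the hunk.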
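Review bot: The usage string of the new flag has a typo, `ignored be kaniko` should be `ignored by kaniko`, and it does not tell the user what the code comment above it relies on: that an explicitly empty value disables the built-in /var/run default while omitting the flag keeps it. Suggest `"Paths to whitelist. These will be ignored by kaniko to improve performance. Defaults to /var/run; pass an empty value to disable the default."`. Note also that StringSliceVar splits each value on commas, so a path containing a comma cannot be expressed with this flag; StringArrayVar (one path per occurrence) would avoid that if it matters.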
@@ -48,13 +48,6 @@ var initialWhitelist = []WhitelistEntry{
 Path: "/kaniko",
 PrefixMatchOnly: false,
 },
- {
- // /var/run is a special case. It's common to mount in /var/run/docker.sock or something similar
- // which leads to a special mount on the /var/run/docker.sock file itself, but the directory to exist
- // in the image with no way to tell if it came from the base image or not.
- Path: "/var/run",
- PrefixMatchOnly: false,
- },
 {
 // similarly, we whitelist /etc/mtab, since there is no way to know if the file was mounted or came
 // from the base image
@@ -69,6 +62,10 @@ var volumes = []string{}
 var excluded []string
+func AddToWhitelist(path string) {
+ initialWhitelist = append(initialWhitelist, WhitelistEntry{Path: path})
+}
+
 type ExtractFunction func(string, *tar.Header, io.Reader) error
 type FSConfig struct {
diff --git a/pkg/util/fs_util_test.go b/pkg/util/fs_util_test.go
index 2919426ce..18d9fd714 100644
--- a/pkg/util/fs_util_test.go
+++ b/pkg/util/fs_util_test.go
@@ -64,7 +64,6 @@ func Test_DetectFilesystemWhitelist(t *testing.T) {
 {"/dev", false},
 {"/dev/pts", false},
 {"/sys", false},
-{"/var/run", false},
 {"/etc/mtab", false},
 }
 actualWhitelist := whitelist
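Review bot: AddToWhitelist is exported without a doc comment, and it does not say that PrefixMatchOnly is left at its zero value, which is the one fact a caller needs since the removed /var/run entry set that field explicitly. Suggest `// AddToWhitelist appends path to the initial whitelist with PrefixMatchOnly left false (the setting the former /var/run entry used); call it before the whitelist is detected.` — the ordering requirement is inferred from the test, which calls AddToWhitelist before DetectFilesystemWhitelist, so confirm it. The function also appends to the package-level initialWhitelist with no synchronization and no path normalization; that is acceptable for the init-time caller in root.go, but both facts belong in the comment so a later caller does not assume otherwise.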
@@ -75,6 +74,28 @@ func Test_DetectFilesystemWhitelist(t *testing.T) {
 return expectedWhitelist[i].Path < expectedWhitelist[j].Path
 })
 testutil.CheckErrorAndDeepEqual(t, false, err, expectedWhitelist, actualWhitelist)
+
+ tmpInitial := make([]WhitelistEntry, len(initialWhitelist))
+
+ copy(tmpInitial, initialWhitelist)
+ defer func() {
+ initialWhitelist = tmpInitial
+ }()
+
+ AddToWhitelist("/var/run")
+
+ err = DetectFilesystemWhitelist(path)
+ expectedWhitelist = append(expectedWhitelist,
+ WhitelistEntry{"/var/run", false})
+
+ actualWhitelist = whitelist
+ sort.Slice(actualWhitelist, func(i, j int) bool {
+ return actualWhitelist[i].Path < actualWhitelist[j].Path
+ })
+ sort.Slice(expectedWhitelist, func(i, j int) bool {
+ return expectedWhitelist[i].Path < expectedWhitelist[j].Path
+ })
+ testutil.CheckErrorAndDeepEqual(t, false, err, expectedWhitelist, actualWhitelist)
 }
 var tests = []struct {
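Review bot: The deferred restore only puts initialWhitelist back; the package-level `whitelist` that DetectFilesystemWhitelist appears to populate (the test reads it via `actualWhitelist = whitelist`) is not restored, so the /var/run entry presumably remains visible to whichever test runs next — if so, snapshot and restore it in the same defer. The sort-both-slices-then-compare sequence is now written out twice in this test; a small helper such as `checkWhitelist(t, err, expected)` that sorts both slices and calls testutil.CheckErrorAndDeepEqual would remove the duplication. Test_DetectFilesystemWhitelist begins outside the hunk.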