Added skip-push-permission flag (#2657)

Added skip-push-permission flag to conditionally disable push permission check on build start to accommodate for slow network policies
2023-08-15 20:23:16 +02:00 · 2023-08-15 20:23:16 +02:00 · cefe99b92a
parent 176f5b4626
commit cefe99b92a
5 changed files with 50 additions and 1 deletions
--- a/README.md
+++ b/README.md
@ -100,6 +100,7 @@ _If you are interested in contributing to kaniko, see
      - [Flag `--reproducible`](#flag---reproducible)
      - [Flag `--single-snapshot`](#flag---single-snapshot)
      - [Flag `--skip-tls-verify`](#flag---skip-tls-verify)
+      - [Flag `--skip-push-permission-check`](#flag---skip-push-permission-check)
      - [Flag `--skip-tls-verify-pull`](#flag---skip-tls-verify-pull)
      - [Flag `--skip-tls-verify-registry`](#flag---skip-tls-verify-registry)
      - [Flag `--skip-unused-stages`](#flag---skip-unused-stages)
@ -1009,6 +1010,11 @@ reproducible.
 This flag takes a single snapshot of the filesystem at the end of the build, so
 only one layer will be appended to the base image.

+#### Flag `--skip-push-permission-check`
+
+Set this flag to skip push permission check. This can be useful to delay Kanikos first request for delayed 
+network-policies.
+
 #### Flag `--skip-tls-verify`

 Set this flag to skip TLS certificate validation when pushing to a registry. It
--- a/cmd/executor/cmd/root.go
+++ b/cmd/executor/cmd/root.go
@ -248,6 +248,7 @@ func addKanikoOptionsFlags() {
 	RootCmd.PersistentFlags().BoolVarP(&opts.CacheRunLayers, "cache-run-layers", "", true, "Caches run layers")
 	RootCmd.PersistentFlags().VarP(&opts.IgnorePaths, "ignore-path", "", "Ignore these paths when taking a snapshot. Set it repeatedly for multiple paths.")
 	RootCmd.PersistentFlags().BoolVarP(&opts.ForceBuildMetadata, "force-build-metadata", "", false, "Force add metadata layers to build image")
+	RootCmd.PersistentFlags().BoolVarP(&opts.SkipPushPermissionCheck, "skip-push-permission-check", "", false, "Skip check of the push permission")

 	// Deprecated flags.
 	RootCmd.PersistentFlags().StringVarP(&opts.SnapshotModeDeprecated, "snapshotMode", "", "", "This flag is deprecated. Please use '--snapshot-mode'.")
--- a/pkg/config/options.go
+++ b/pkg/config/options.go
@ -87,6 +87,7 @@ type KanikoOptions struct {
 	CacheRunLayers           bool
 	ForceBuildMetadata       bool
 	InitialFSUnpacked        bool
+	SkipPushPermissionCheck  bool
 }

 type KanikoGitOptions struct {
--- a/pkg/executor/push.go
+++ b/pkg/executor/push.go
@ -80,7 +80,9 @@ var (
 func CheckPushPermissions(opts *config.KanikoOptions) error {
 	targets := opts.Destinations
 	// When no push and no push cache are set, we don't need to check permissions
-	if opts.NoPush && opts.NoPushCache {
+	if opts.SkipPushPermissionCheck {
+		targets = []string{}
+	} else if opts.NoPush && opts.NoPushCache {
 		targets = []string{}
 	} else if opts.NoPush && !opts.NoPushCache {
 		// When no push is set, we want to check permissions for the cache repo
--- a/pkg/executor/push_test.go
+++ b/pkg/executor/push_test.go
@ -350,6 +350,45 @@ func TestCheckPushPermissions(t *testing.T) {
 	}
 }

+func TestSkipPushPermission(t *testing.T) {
+	tests := []struct {
+		description                     string
+		cacheRepo                       string
+		checkPushPermsExpectedCallCount int
+		destinations                    []string
+		existingConfig                  bool
+		noPush                          bool
+		noPushCache                     bool
+		skipPushPermission              bool
+	}{
+		{description: "skip push permission enabled", destinations: []string{"test.io/skip"}, checkPushPermsExpectedCallCount: 0, skipPushPermission: true},
+		{description: "skip push permission disabled", destinations: []string{"test.io/push"}, checkPushPermsExpectedCallCount: 1, skipPushPermission: false},
+	}
+
+	checkRemotePushPermission = fakeCheckPushPermission
+	for _, test := range tests {
+		t.Run(test.description, func(t *testing.T) {
+			resetCalledCount()
+			fs = afero.NewMemMapFs()
+			opts := config.KanikoOptions{
+				CacheRepo:               test.cacheRepo,
+				Destinations:            test.destinations,
+				NoPush:                  test.noPush,
+				NoPushCache:             test.noPushCache,
+				SkipPushPermissionCheck: test.skipPushPermission,
+			}
+			if test.existingConfig {
+				afero.WriteFile(fs, util.DockerConfLocation(), []byte(""), os.FileMode(0644))
+				defer fs.Remove(util.DockerConfLocation())
+			}
+			CheckPushPermissions(&opts)
+			if checkPushPermsCallCount != test.checkPushPermsExpectedCallCount {
+				t.Errorf("expected check push permissions call count to be %d but it was %d", test.checkPushPermsExpectedCallCount, checkPushPermsCallCount)
+			}
+		})
+	}
+}
+
 func TestHelperProcess(t *testing.T) {
 	if os.Getenv("GO_WANT_HELPER_PROCESS") != "1" {
 		return