Revert "add option additonal-whitelist"

This reverts commit 72bfed1850.

cmd/executor/cmd/root.go

@@ -38,10 +38,9 @@ import (
 )
 
 var (
-	opts                = &config.KanikoOptions{}
+	opts     = &config.KanikoOptions{}
-	logLevel            string
+	logLevel string
-	force               bool
+	force    bool
-	additionalWhitelist []string
 )
 
 func init() {
@@ -74,16 +73,6 @@ var RootCmd = &cobra.Command{
 			if len(opts.Destinations) == 0 && opts.ImageNameDigestFile != "" {
 				return errors.New("You must provide --destination if setting ImageNameDigestFile")
 			}
-
-			if additionalWhitelist == nil {
-				additionalWhitelist = []string{
-					"/var/run",
-				}
-			}
-
-			for _, path := range additionalWhitelist {
-				util.AddToWhitelist(path)
-			}
 		}
 		return nil
 	},
@@ -155,10 +144,6 @@ func addKanikoOptionsFlags() {
 	RootCmd.PersistentFlags().DurationVarP(&opts.CacheTTL, "cache-ttl", "", time.Hour*336, "Cache timeout in hours. Defaults to two weeks.")
 	RootCmd.PersistentFlags().VarP(&opts.InsecureRegistries, "insecure-registry", "", "Insecure registry using plain HTTP to push and pull. Set it repeatedly for multiple registries.")
 	RootCmd.PersistentFlags().VarP(&opts.SkipTLSVerifyRegistries, "skip-tls-verify-registry", "", "Insecure registry ignoring TLS verify to push and pull. Set it repeatedly for multiple registries.")
-
-	// We use nil as the default value so we can differentiate between the flag passed
-	// with an empty list and the flag not set
-	RootCmd.PersistentFlags().StringSliceVar(&additionalWhitelist, "additional-whitelist", nil, "Paths to whitelist. These will be ignored be kaniko to improve performance.")
 }
 
 // addHiddenFlags marks certain flags as hidden from the executor help text

pkg/util/fs_util.go

@@ -50,6 +50,13 @@ var initialWhitelist = []WhitelistEntry{
 		Path:            "/kaniko",
 		PrefixMatchOnly: false,
 	},
+	{
+		// /var/run is a special case. It's common to mount in /var/run/docker.sock or something similar
+		// which leads to a special mount on the /var/run/docker.sock file itself, but the directory to exist
+		// in the image with no way to tell if it came from the base image or not.
+		Path:            "/var/run",
+		PrefixMatchOnly: false,
+	},
 	{
 		// similarly, we whitelist /etc/mtab, since there is no way to know if the file was mounted or came
 		// from the base image
@@ -64,10 +71,6 @@ var volumes = []string{}
 
 var excluded []string
 
-func AddToWhitelist(path string) {
-	initialWhitelist = append(initialWhitelist, WhitelistEntry{Path: path})
-}
-
 type ExtractFunction func(string, *tar.Header, io.Reader) error
 
 type FSConfig struct {

pkg/util/fs_util_test.go

@@ -64,6 +64,7 @@ func Test_DetectFilesystemWhitelist(t *testing.T) {
 		{"/dev", false},
 		{"/dev/pts", false},
 		{"/sys", false},
+		{"/var/run", false},
 		{"/etc/mtab", false},
 	}
 	actualWhitelist := whitelist
@@ -74,28 +75,6 @@ func Test_DetectFilesystemWhitelist(t *testing.T) {
 		return expectedWhitelist[i].Path < expectedWhitelist[j].Path
 	})
 	testutil.CheckErrorAndDeepEqual(t, false, err, expectedWhitelist, actualWhitelist)
-
-	tmpInitial := make([]WhitelistEntry, len(initialWhitelist))
-
-	copy(tmpInitial, initialWhitelist)
-	defer func() {
-		initialWhitelist = tmpInitial
-	}()
-
-	AddToWhitelist("/var/run")
-
-	err = DetectFilesystemWhitelist(path)
-	expectedWhitelist = append(expectedWhitelist,
-		WhitelistEntry{"/var/run", false})
-
-	actualWhitelist = whitelist
-	sort.Slice(actualWhitelist, func(i, j int) bool {
-		return actualWhitelist[i].Path < actualWhitelist[j].Path
-	})
-	sort.Slice(expectedWhitelist, func(i, j int) bool {
-		return expectedWhitelist[i].Path < expectedWhitelist[j].Path
-	})
-	testutil.CheckErrorAndDeepEqual(t, false, err, expectedWhitelist, actualWhitelist)
 }
 
 var tests = []struct {