From 30a1fd7d6670f5b6c85a7f160d41e5e90dd6364f Mon Sep 17 00:00:00 2001
From: Xavier Claude
Date: Tue, 22 Mar 2022 14:35:12 +0100
Subject: [PATCH 1/2] Fix the /kaniko directory permissions in container

Create /kaniko directory with world permission to allow the creation of sub directories by any user when the executor is run as non root. This can lower the security but shouldn't have any impact in a container.

The tar unpack is the only way I found to have a directory with specific permission as the image is created from "scratch" which doesn't have any tool to change the permission otherwise.

Fixes #1363
---
 deploy/Dockerfile | 2 ++
 files/kaniko.tar | Bin 0 -> 10240 bytes
 2 files changed, 2 insertions(+)
 create mode 100644 files/kaniko.tar

diff --git a/deploy/Dockerfile b/deploy/Dockerfile
index 93f63705c8..840b702d3c 100644
--- a/deploy/Dockerfile
+++ b/deploy/Dockerfile
@@ -50,6 +50,8 @@ RUN \
 cat /etc/ssl/certs/* > /ca-certificates.crt
 FROM scratch
+# Create kaniko directory with world write permission to allow non root run
+ADD files/kaniko.tar /
 COPY --from=0 /src/out/executor /kaniko/executor
 COPY --from=0 /usr/local/bin/docker-credential-gcr /kaniko/docker-credential-gcr
 COPY --from=0 /usr/local/bin/docker-credential-ecr-login /kaniko/docker-credential-ecr-login
diff --git a/files/kaniko.tar b/files/kaniko.tar
new file mode 100644
index 0000000000000000000000000000000000000000..ac9a76453687d793bf996a16726b4d379c42b436
GIT binary patch
literal 10240
zcmeIuK?=hl00cmv;t#5|iSNm=1S+J-|C1JSDS@86&0ZE(6q$K?J?C}{J(G^qTEnN0
z{PuUtk9!_VNo5#A$~l!9;?VO`=iA$Rot7BG(%O1%SN-q&>W+;70RjXF5FkK+009C7
j2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXFbQ0JB#N!fd

literal 0
HcmV?d00001

From ac0326a52d822f515547fa72c5dc2f3907e9878b Mon Sep 17 00:00:00 2001
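Review bot: The world-writable `/kaniko` that `ADD files/kaniko.tar /` unpacks (per the new comment; the archive's actual mode and owner are not visible in this hunk) has no sticky bit, so any uid in the container can not only create sub-directories but also delete or rename the entries copied on the following lines — `/kaniko/executor` and the credential helpers — and drop in replacements. Since kaniko executes the build's `RUN` steps inside this same root filesystem, a step switched to a non-root user could presumably tamper with the executor's own tooling that way. Prefer mode 1777 (sticky) so users may add entries but not remove others', or, because the Makefile already builds with `DOCKER_BUILDKIT=1`, consider a Dockerfile frontend ≥ 1.3 `COPY --chmod=1777 --from=0 <empty-dir-in-stage-0> /kaniko` and drop the archive altogether. Either way, extend the comment to say that ADD auto-extracts the local archive at `/` and that the directory must stay writable but sticky, e.g. `# kaniko.tar holds only an empty /kaniko with mode 1777; ADD auto-extracts it so non-root runs can create subdirs without being able to remove the executor binaries`.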
From: Xavier Claude
Date: Tue, 22 Mar 2022 15:36:34 +0100
Subject: [PATCH 2/2] Avoid blackbox tar file creation

Use the Makefile to create the tar file use to create kaniko directory in scratch container. This avoid having a "blackbox" binary file with the empty directory.
---
 Makefile | 9 ++++++++-
 files/kaniko.tar | Bin 10240 -> 0 bytes
 2 files changed, 8 insertions(+), 1 deletion(-)
 delete mode 100644 files/kaniko.tar

diff --git a/Makefile b/Makefile
index 469bf5f5bd..779a3e842d 100644
--- a/Makefile
+++ b/Makefile
@@ -92,9 +92,16 @@ k8s-executor-build-push:
 	DOCKER_BUILDKIT=1 docker build ${BUILD_ARG} --build-arg=GOARCH=$(GOARCH) -t $(REGISTRY)/executor:latest -f deploy/Dockerfile .
 	docker push $(REGISTRY)/executor:latest
+files/kaniko:
+	mkdir files/kaniko
+
+files/kaniko.tar: files/kaniko
+	chmod 777 files/kaniko
+	cd files && tar cf kaniko.tar kaniko
+
 .PHONY: images
 images: DOCKER_BUILDKIT=1
-images:
+images: files/kaniko.tar
 	docker build ${BUILD_ARG} --build-arg=GOARCH=$(GOARCH) -t $(REGISTRY)/executor:latest -f deploy/Dockerfile .
 	docker build ${BUILD_ARG} --build-arg=GOARCH=$(GOARCH) -t $(REGISTRY)/executor:debug -f deploy/Dockerfile_debug .
 	docker build ${BUILD_ARG} --build-arg=GOARCH=$(GOARCH) -t $(REGISTRY)/executor:slim -f deploy/Dockerfile_slim .
diff --git a/files/kaniko.tar b/files/kaniko.tar
deleted file mode 100644
index ac9a76453687d793bf996a16726b4d379c42b436..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 10240
zcmeIuK?=hl00cmv;t#5|iSNm=1S+J-|C1JSDS@86&0ZE(6q$K?J?C}{J(G^qTEnN0
z{PuUtk9!_VNo5#A$~l!9;?VO`=iA$Rot7BG(%O1%SN-q&>W+;70RjXF5FkK+009C7
j2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXFbQ0JB#N!fd
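Review bot: `cd files && tar cf kaniko.tar kaniko` records the host uid/gid and mtime of whoever runs `make`, so the `/kaniko` directory that `ADD` extracts into the scratch image is owned by an arbitrary developer uid instead of root (a non-root process with that uid can then `chmod`/`chown` it regardless of the 777 bits) and the image differs from machine to machine. Pin ownership and time when creating the archive and add the sticky bit so other users' entries in `/kaniko` cannot be removed or renamed: `chmod 1777 files/kaniko` and, with GNU tar, `cd files && tar --owner=0 --group=0 --numeric-owner --mtime='2022-03-22 00:00Z' -cf kaniko.tar kaniko` (bsdtar on macOS spells this `--uid 0 --gid 0`). `files/kaniko` should also be an order-only prerequisite (`files/kaniko.tar: | files/kaniko`), since a directory's mtime changes whenever its contents change and would otherwise trigger spurious rebuilds. Separately, `k8s-executor-build-push` (its recipe is the context at the top of this hunk) still runs `docker build -f deploy/Dockerfile` without depending on `files/kaniko.tar`, so on a fresh checkout the Dockerfile's `ADD files/kaniko.tar /` fails with a missing file; that target needs the same prerequisite as `images`.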