Remove sensitive data from the build context #1861

Open
kvaps opened this issue Dec 26, 2021 · 0 comments · May be fixed by #1862
Labels
  • area/filesystems: For all bugs related to kaniko container filesystems (mounting issues etc)
  • area/security
  • categorized
  • differs-from-docker
  • issue/files-mounted-unexpectedly
  • issue/sensitive-data
  • kind/enhancement: New feature or request
  • priority/p0: Highest priority. Break user flow. We are actively looking at delivering it.
  • priority/p1: Basic need feature compatibility with docker build. we should be working on this next.

kvaps (Contributor) commented Dec 26, 2021

Actual behavior
Currently, a user can get access to the docker config and gcr keys from the build context.
I think it would be much better and safer to avoid doing this.

Expected behavior

  • If DOCKER_CONFIG is not a mountpoint, and does not contain other mountpoints, preserve the content into RAM before starting the build.
  • Build the image using the standard way.
  • Before pushing the image, unpack the content back into the DOCKER_CONFIG location.

To Reproduce

Try building the following Dockerfile:

Additional Information

  • Dockerfile

    FROM alpine:3.12
    RUN cat /kaniko/.docker/config.json
    
  • Build Context
    Any context where you need to push the image to the registry

  • Kaniko Image

    gcr.io/kaniko-project/executor:v1.7.0

Triage Notes for the Maintainers

Description Yes/No
Please check if this a new feature you are proposing
Please check if the build works in docker but not in kaniko
Please check if this error is seen when you use --cache flag
Please check if your dockerfile is a multistage dockerfile
kvaps linked a pull request Dec 26, 2021 that will close this issue

aaron-prindle added the area/security, area/filesystems, kind/enhancement, differs-from-docker, priority/p0, priority/p1, issue/sensitive-data, issue/files-mounted-unexpectedly and categorized labels Jun 23, 2023
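
The three steps listed under "Expected behavior", sketched in Go as an added example; this is not kaniko's code and not the change in #1862. `stash` and `restore` are hypothetical names, the temporary directory and its `config.json` are constructed stand-ins for DOCKER_CONFIG, and the sketch assumes the caller has already established that the directory is not a mountpoint and contains none. Symlinks and empty directories are not preserved.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// stash reads every regular file under dir into memory (keyed by path), then
// removes dir so RUN steps cannot read it. Assumes dir is not a mountpoint.
func stash(dir string) (map[string][]byte, error) {
	files := map[string][]byte{}
	err := filepath.WalkDir(dir, func(p string, d fs.DirEntry, err error) error {
		if err != nil || !d.Type().IsRegular() {
			return err // nil for directories and symlinks: skip them, keep walking
		}
		files[p], err = os.ReadFile(p)
		return err
	})
	if err != nil {
		return nil, err // nothing has been deleted yet
	}
	return files, os.RemoveAll(dir)
}

// restore writes the stashed files back with owner-only permissions.
func restore(files map[string][]byte) error {
	for p, data := range files {
		if err := os.MkdirAll(filepath.Dir(p), 0o700); err != nil {
			return err
		}
		if err := os.WriteFile(p, data, 0o600); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	dir, _ := os.MkdirTemp("", "docker-config") // constructed stand-in for DOCKER_CONFIG
	defer os.RemoveAll(dir)
	cfg := filepath.Join(dir, "config.json")
	os.WriteFile(cfg, []byte(`{"auths":{}}`), 0o600) // constructed sample content
	files, _ := stash(dir)
	_, statErr := os.Stat(cfg) // what a RUN step would see
	fmt.Println("readable during build:", statErr == nil)
	fmt.Println("restore error:", restore(files))
}
```

The files are deleted only after every read has succeeded, so a failed stash leaves the credentials on disk and the push can still proceed.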