driver: set network.host entitlement by default for container drivers

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
docker · Feb 21, 2024 · ae3436e · ae3436e
1 parent 481384b
commit ae3436e
Show file tree

Hide file tree

Showing 4 changed files with 145 additions and 9 deletions.
diff --git a/builder/builder.go b/builder/builder.go
@@ -26,6 +26,7 @@ import (
 	"github.com/google/shlex"
 	"github.com/moby/buildkit/util/progress/progressui"
 	"github.com/pkg/errors"
+	"github.com/spf13/pflag"
 	"golang.org/x/sync/errgroup"
 )
 
@@ -429,12 +430,9 @@ func Create(ctx context.Context, txn *store.Txn, dockerCli command.Cli, opts Cre
 		}
 	}
 
-	var flags []string
-	if opts.Flags != "" {
-		flags, err = shlex.Split(opts.Flags)
-		if err != nil {
-			return nil, errors.Wrap(err, "failed to parse buildkit flags")
-		}
+	flags, err := parseBuildkitFlags(opts.Flags, driverName)
+	if err != nil {
+		return nil, err
 	}
 
 	var ep string
@@ -642,3 +640,37 @@ func validateBuildkitEndpoint(ep string) (string, error) {
 	}
 	return ep, nil
 }
+
+// parseBuildkitFlags parses buildkit flags
+func parseBuildkitFlags(inp string, driver string) (res []string, err error) {
+	if inp != "" {
+		res, err = shlex.Split(inp)
+		if err != nil {
+			return nil, errors.Wrap(err, "failed to parse buildkit flags")
+		}
+	}
+
+	if driver == "kubernetes" || driver == "docker-container" {
+		var allowInsecureEntitlements []string
+		flags := pflag.NewFlagSet("buildkitd", pflag.ContinueOnError)
+		flags.Usage = func() {}
+		flags.StringArrayVar(&allowInsecureEntitlements, "allow-insecure-entitlement", nil, "")
+		_ = flags.Parse(res)
+
+		var hasNetworkHostEntitlement bool
+		for _, e := range allowInsecureEntitlements {
+			if e == "network.host" {
+				hasNetworkHostEntitlement = true
+				break
+			}
+		}
+
+		if !hasNetworkHostEntitlement {
+			// always set network.host entitlement as container network is
+			// isolated for docker-container and kubernetes drivers
+			res = append(res, "--allow-insecure-entitlement=network.host")
+		}
+	}
+
+	return res, nil
+}
diff --git a/builder/builder_test.go b/builder/builder_test.go
@@ -3,6 +3,7 @@ package builder
 import (
 	"testing"
 
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 
@@ -24,3 +25,78 @@ func TestCsvToMap(t *testing.T) {
 	require.Contains(t, r, "namespace")
 	require.Equal(t, r["namespace"], "default")
 }
+
+func TestParseBuildkitFlags(t *testing.T) {
+	testCases := []struct {
+		name     string
+		flags    string
+		driver   string
+		expected []string
+		wantErr  bool
+	}{
+		{
+			"docker-container no flags",
+			"",
+			"docker-container",
+			[]string{
+				"--allow-insecure-entitlement=network.host",
+			},
+			false,
+		},
+		{
+			"kubernetes no flags",
+			"",
+			"kubernetes",
+			[]string{
+				"--allow-insecure-entitlement=network.host",
+			},
+			false,
+		},
+		{
+			"remote no flags",
+			"",
+			"remote",
+			nil,
+			false,
+		},
+		{
+			"docker-container with insecure flag",
+			"--allow-insecure-entitlement=security.insecure",
+			"docker-container",
+			[]string{
+				"--allow-insecure-entitlement=security.insecure",
+				"--allow-insecure-entitlement=network.host",
+			},
+			false,
+		},
+		{
+			"docker-container with insecure and host flag",
+			"--allow-insecure-entitlement=network.host --allow-insecure-entitlement=security.insecure",
+			"docker-container",
+			[]string{
+				"--allow-insecure-entitlement=network.host",
+				"--allow-insecure-entitlement=security.insecure",
+			},
+			false,
+		},
+		{
+			"error parsing flags",
+			"foo'",
+			"docker-container",
+			nil,
+			true,
+		},
+	}
+	for _, tt := range testCases {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			flags, err := parseBuildkitFlags(tt.flags, tt.driver)
+			if tt.wantErr {
+				require.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+			assert.Equal(t, tt.expected, flags)
+		})
+	}
+}
diff --git a/driver/docker-container/factory.go b/driver/docker-container/factory.go
@@ -55,9 +55,6 @@ func (f *factory) New(ctx context.Context, cfg driver.InitConfig) (driver.Driver
 		switch {
 		case k == "network":
 			d.netMode = v
-			if v == "host" {
-				d.InitConfig.BuildkitFlags = append(d.InitConfig.BuildkitFlags, "--allow-insecure-entitlement=network.host")
-			}
 		case k == "image":
 			d.image = v
 		case k == "memory":

diff --git a/tests/inspect.go b/tests/inspect.go
@@ -17,6 +17,7 @@ func inspectCmd(sb integration.Sandbox, opts ...cmdOpt) (string, error) {
 
 var inspectTests = []func(t *testing.T, sb integration.Sandbox){
 	testInspect,
+	testInspectBuildKitFlags,
 }
 
 func testInspect(t *testing.T, sb integration.Sandbox) {
@@ -47,3 +48,33 @@ func testInspect(t *testing.T, sb integration.Sandbox) {
 		require.Empty(t, hostGatewayIP, "host-gateway-ip worker label should not be set with non-docker driver")
 	}
 }
+
+func testInspectBuildKitFlags(t *testing.T, sb integration.Sandbox) {
+	if sb.Name() != "docker-container" {
+		t.Skip("only testing for docker-container driver")
+	}
+
+	var builderName string
+	t.Cleanup(func() {
+		if builderName == "" {
+			return
+		}
+		out, err := rmCmd(sb, withArgs(builderName))
+		require.NoError(t, err, out)
+	})
+
+	out, err := createCmd(sb, withArgs("--driver", "docker-container"))
+	require.NoError(t, err, out)
+	builderName = strings.TrimSpace(out)
+
+	out, err = inspectCmd(sb, withArgs(builderName))
+	require.NoError(t, err, out)
+
+	for _, line := range strings.Split(out, "\n") {
+		if v, ok := strings.CutPrefix(line, "Flags:"); ok {
+			require.Contains(t, v, "--allow-insecure-entitlement=network.host")
+			return
+		}
+	}
+	require.Fail(t, "network.host insecure entitlement not found in inspect output")
+}