bake: enable support for entitlements #2666
const ( | ||
EntitlementKeyNetworkHost EntitlementKey = "network.host" | ||
EntitlementKeySecurityInsecure EntitlementKey = "security.insecure" | ||
EntitlementKeyFSRead EntitlementKey = "fs.read" |
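Review bot: The exported keys in this const block have no doc comments, and EntitlementKeyFSRead ("fs.read") sits beside "network.host" and "security.insecure" with nothing to tell a reader how it differs in status or effect. Add a one-line comment per key stating what privilege it grants, and mark any key that is declared ahead of its enforcement so callers do not assume it is already checked.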
Even though these additional entitlements are defined here, the current PR does not perform any validation for them yet.
51cc529 to 5854b67
While the
Additionally, I guess we now want to expose
Add support for security.insecure and network.host entitlements via bake. User needs to confirm elevated privileges through a prompt or CLI flags.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
5854b67 to 203fd8a
I think this is fine looking at the recommendation printed during build.
Yes we need that
bake/entitlements.go
Outdated
} | ||
|
||
args := append([]string(nil), os.Args...) | ||
if filepath.Base(args[0]) == "docker-buildx" { |
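Review bot: The filepath.Base(args[0]) == "docker-buildx" comparison decides plugin mode from the executable's file name alone, and it is an exact string match. A binary installed as docker-buildx.exe will not match, while a standalone binary that happens to be named docker-buildx will. Consider normalising the name before comparing or relying on an explicit signal from the invoking CLI instead of argv[0], and add a short comment saying why os.Args is copied here.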
If the idea is to check if buildx runs as docker plugin, then it would be better to check for !plugin.RunningStandalone()
This isn't quite it. It is because when docker invokes the command then the arg is always docker-buildx so we shouldn't just replace it based on any command name. But I now see that there is DOCKER_CLI_PLUGIN_ORIGINAL_CLI_COMMAND. I'll see if I can reuse it for this.
@dvdksn Seems a docs link is broken: https://github.com/docker/buildx/actions/runs/10636095098/job/29487219028?pr=2666#step:6:467
@crazy-max let me fix those in a follow-up
I'm not sure what this error is about.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Looks like the docs thing went away. Green now.
Yes this has been sorted with #2652
Needs follow-up on actions-toolkit repo https://github.com/docker/actions-toolkit/blob/38d1dce1ff8cfbf9c74491fd4bc3df0ca9b66b77/src/types/buildx/bake.ts#L26
Ref #179
Add support for security.insecure and network.host entitlements via bake. User needs to confirm elevated privileges through a prompt or CLI flags.