Build arg value not included in the Docker image history
I noticed that Kaniko does not include build arg values in the Docker image history while docker build does.
This is a minimal example:
- A simple Dockerfile:

  ```Dockerfile
  FROM alpine:latest
  ARG TOKEN
  RUN echo "$TOKEN" > token.txt \
      # Do something with the token
      && rm token.txt
  ```

- Build the Docker image ...

  - ... with Docker:

    ```console
    $ docker build --build-arg TOKEN=t0k3n -t test:docker .
    ```

  - ... with Kaniko:

    ```console
    $ /kaniko/executor \
        --context /path/to/context \
        --dockerfile /path/to/context/Dockerfile \
        --destination test:kaniko \
        --build-arg TOKEN=t0k3n
    ```

- Check the Docker image history ...

  - ... of the Docker-based image:

    ```console
    $ docker history test:docker
    IMAGE          CREATED         CREATED BY                                      SIZE    COMMENT
    c2e78d4bb3ca   6 seconds ago   |1 TOKEN=t0k3n /bin/sh -c echo "$TOKEN" > to…   0B
    4d7c543079e9   7 seconds ago   /bin/sh -c #(nop)  ARG TOKEN                    0B
    a24bb4013296   3 weeks ago     /bin/sh -c #(nop)  CMD ["/bin/sh"]              0B
    <missing>      3 weeks ago     /bin/sh -c #(nop) ADD file:c92c248239f8c7b9b…   5.57MB
    ```

  - ... of the Kaniko-based image:

    ```console
    $ docker history test:kaniko
    IMAGE          CREATED         CREATED BY                                      SIZE    COMMENT
    996a9e52fa25   292 years ago   RUN echo "$TOKEN" > token.txt && rm token.t…    0B
    <missing>      3 weeks ago     /bin/sh -c #(nop)  CMD ["/bin/sh"]              0B
    <missing>      3 weeks ago     /bin/sh -c #(nop) ADD file:c92c248239f8c7b9b…   5.57MB
    ```
Docker introduced a new --secret flag in Docker 18.09 (when BuildKit is enabled) for first-class support of Docker build secrets: https://docs.docker.com/develop/develop-images/build_enhancements/
I wonder
- whether Kaniko's behavior is intended and
- whether Kaniko should support Docker build secrets.
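A small check for the leak described above, written here as an added example (it is not part of the issue, of Kaniko or of Docker): it parses the `CREATED BY` strings that `docker history --no-trunc --format '{{.CreatedBy}}' IMAGE` prints and reports every build-arg name and value that classic `docker build` recorded in a layer. The sample history lines are constructed from the two outputs above.

```python
import re
from typing import List, Tuple

# Classic docker build records a RUN step that consumed build args as
# "|N KEY=value [KEY=value ...] /bin/sh -c <command>".
_ARG_PREFIX = re.compile(r"^\|(\d+)\s+(.*)$", re.DOTALL)

# Constructed sample: the CREATED BY column of the two images built above,
# as printed by `docker history --no-trunc --format '{{.CreatedBy}}' IMAGE`
# (the ADD line is kept truncated exactly as it appears in the issue).
DOCKER_HISTORY = [
    '|1 TOKEN=t0k3n /bin/sh -c echo "$TOKEN" > token.txt && rm token.txt',
    '/bin/sh -c #(nop)  ARG TOKEN',
    '/bin/sh -c #(nop)  CMD ["/bin/sh"]',
    '/bin/sh -c #(nop) ADD file:c92c248239f8c7b9b…',
]
KANIKO_HISTORY = [
    'RUN echo "$TOKEN" > token.txt && rm token.txt',
    '/bin/sh -c #(nop)  CMD ["/bin/sh"]',
    '/bin/sh -c #(nop) ADD file:c92c248239f8c7b9b…',
]


def parse_build_args(created_by: str) -> List[Tuple[str, str]]:
    """Return the (name, value) pairs Docker recorded in one history line."""
    m = _ARG_PREFIX.match(created_by.strip())
    if not m:
        return []
    count, rest = int(m.group(1)), m.group(2)
    # Docker joins the args with single spaces and does not quote them, so a
    # value containing whitespace is ambiguous; take the first `count` tokens.
    tokens = rest.split(None, count)
    pairs = []
    for tok in tokens[:count]:
        name, _, value = tok.partition("=")
        pairs.append((name, value))
    return pairs


def find_leaked_args(history: List[str]) -> List[Tuple[int, str, str]]:
    """List (layer_index, name, value) for every build arg baked into history."""
    return [(i, n, v) for i, line in enumerate(history)
            for n, v in parse_build_args(line)]


if __name__ == "__main__":
    for label, hist in (("docker", DOCKER_HISTORY), ("kaniko", KANIKO_HISTORY)):
        leaks = find_leaked_args(hist)
        print(f"{label}: {len(leaks)} build arg(s) in history", leaks)
```

Run against a real image by piping the `docker history` command from the comment into `find_leaked_args`; a non-empty result means the value is recoverable by anyone who can pull the image.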
Incidentally, for anyone looking into this: for a few build-arg names that you might try, standard docker build won't save them in the docker history.
https://docs.docker.com/engine/reference/builder/#predefined-args
(Everyone knows that, but I didn't know that, and it confused me when looking into this.)
Hey @dHannasch, that is very handy to know. I'm now passing a token via NO_PROXY to git until Kaniko has added a way of passing secrets into the build job. I see that the history/ARG behavior is different for Kaniko, but using NO_PROXY will avoid developers accidentally having their tokens in the history when working on their local machine.
Just double checking here - is this an intended feature?
I saw that BuildKit is doing something similar but more specific using a --secret argument https://docs.docker.com/develop/develop-images/build_enhancements/#new-docker-build-secret-information
If --build-arg is behaving as stated above, then I'd say it's enough security-wise; however, it might be better to be more explicit, the same as BuildKit does.
What do you think?
Also curious about whether this behavior is intentional! I'm happy it's working this way (kaniko keeping the build args out of the image history), but would like to know that this won't change in the future, or that there is an explicit way to ensure this behavior.
Same here, it would be great if the maintainers could clarify.
Compared to the trick of mounting secrets in /kaniko (e.g. #489), we really prefer passing them as args or, more explicitly, with a --secret flag (BuildKit). It would be great to have the assurance that this behavior is intended and will stay as it is, so we can rely on it.
I'd also like to be able to rely on this from a security perspective
Also interesting about this one.