
Accessing build arguments in FROM statements leads to incorrect cache lookups in multi-stage-builds

Open lntzr opened this issue 2 years ago • 0 comments

Actual behavior

It seems that the cache key generation is based on the name of the base image and not on its content. That is problematic when using build-variables to control the base image being used within a multi-stage build since it might lead to the wrong output due to incorrect cache lookups.

Expected behavior

Rebuilding the same Dockerfile with different build arguments should always result in the correct output independently of whether a cache is used or not. Usage of build-arguments within FROM should lead to a different hash-key when the build argument changes.

To Reproduce

Steps to reproduce the behavior:

  1. build the Dockerfile below with --build-arg ID=0 --cache

  2. rebuild the same Dockerfile with --build-arg ID=1 --cache

Expectation: The last RUN should be re-executed since the base image is a different one.

Reality: The last RUN is retrieved from the cache.

Additional Information

  • Dockerfile

```dockerfile
ARG ID

FROM busybox:1.35.0 as parent0
RUN echo 0 > id

FROM busybox:1.35.0 as parent1
RUN echo 1 > id

FROM parent$ID as parent

FROM parent
RUN echo "executing RUN with data from parent $(cat id)"
```

  • Build Context: empty
  • Kaniko Image (fully qualified with digest): gcr.io/kaniko-project/executor:v1.8.1-debug sha256:3bc3f3a05f803cac29164ce12617a7be64931748c944f6c419565f500b65e8db
  • Workaround: Explicitly enforcing an incorporation of the build argument into the cache key by adding ARG ID before the last RUN resolves the situation in the provided example but might not be suitable for more complex Dockerfiles.
  • Related Issues: https://github.com/GoogleContainerTools/kaniko/issues/2061

Triage Notes for the Maintainers

| Description | Yes/No |
| --- | --- |
| Please check if this is a new feature you are proposing | [ ] |
| Please check if the build works in docker but not in kaniko | [X] |
| Please check if this error is seen when you use --cache flag | [X] |
| Please check if your dockerfile is a multistage dockerfile | [X] |

lntzr, Jun 15 '22 09:06
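The cache behaviour reported above, as an added example that is not part of the original issue and not kaniko's code: a simplified model of chained layer cache keys over the Dockerfile from the report, comparing a chain seeded with the FROM name as written against one seeded with the key of the stage that name resolves to. `Stage`, `IssueStages` and `FinalKey` are hypothetical names, and the keying scheme is an assumption made for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Stage is a simplified model of one Dockerfile stage (constructed for this example).
type Stage struct {
	Name, From string
	Run        []string
}

// IssueStages mirrors the stages of the Dockerfile in the report.
var IssueStages = []Stage{
	{"parent0", "busybox:1.35.0", []string{"RUN echo 0 > id"}},
	{"parent1", "busybox:1.35.0", []string{"RUN echo 1 > id"}},
	{"parent", "parent$ID", nil},
	{"", "parent", []string{`RUN echo "executing RUN with data from parent $(cat id)"`}},
}

// FinalKey returns the cache key of the last layer of the last stage.
// byContent=false seeds each chain with the FROM name; true uses the resolved stage's key.
func FinalKey(stages []Stage, id string, byContent bool) (last string) {
	keys := map[string]string{} // stage alias -> key of its last layer
	for _, s := range stages {
		from := strings.ReplaceAll(s.From, "$ID", id)
		seed := from
		if k, ok := keys[from]; ok && byContent {
			seed = k
		}
		h := sha256.Sum256([]byte(seed))
		for _, c := range s.Run {
			h = sha256.Sum256(append(h[:], c...))
		}
		last = hex.EncodeToString(h[:])
		keys[s.Name] = last
	}
	return last
}

func main() {
	for _, byContent := range []bool{false, true} {
		k0, k1 := FinalKey(IssueStages, "0", byContent), FinalKey(IssueStages, "1", byContent)
		fmt.Printf("byContent=%v  ID=0 %s  ID=1 %s  collide=%v\n", byContent, k0[:12], k1[:12], k0 == k1)
	}
}
```

In this model the name-seeded key for the final RUN is identical for ID=0 and ID=1 because the last stage only ever sees the literal alias `parent`, while the content-seeded key differs because it inherits the key of `parent0` or `parent1`.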