buildkit
buildkitd: Frontend restriction support
This commit adds buildkitd configuration options allowed-frontends and allowed-gateway-source. These options enable restricting the allowed frontends or gateway sources to enforce local policy.
If allowed-frontends is empty (the default), all frontends (e.g., "dockerfile.v0" and "gateway.v0") are allowed. Otherwise, only those listed are allowed.
If allowed-gateway-sources is empty (the default), all gateway sources are allowed. Otherwise, only sources that match the patterns in this list will be allowed. Patterns are matched using https://pkg.go.dev/github.com/moby/buildkit/util/wildcard. Note that implicit references to docker.io should not be used in the patterns since matching occurs on a fully expanded image name (for example "docker/dockerfile" expands to "docker.io/docker/dockerfile").
What's the use case behind this change? Frontends run in sandbox so there shouldn't be a security difference in the context of access to host.
Hi Tõnis. At Wikimedia Foundation we have a policy that container images running in production must be built using a specific frontend which enforces consistent image build patterns and policies. We use this change to make sure that frontend is used.
For gateway sources, we already have policy rules support for restricting access to specific sources.
I'm more than happy to use existing functionality. Can you point me to the documentation on this subject?
The difference in policy and this is that policy is set with the top build request, not with daemon config. https://github.com/moby/buildkit/blob/master/docs/build-repro.md#build-reproducibility https://github.com/moby/buildkit/pull/3332
Not against config option for such specific use case. I wonder though if we should add more structure to the config fields rather than adding new global keys. Smth like:
```go
Frontends struct {
	Gateway GatewayFrontendConfig `toml:"gateway"`
} `toml:"frontend"`

type GatewayFrontendConfig struct {
	Disabled       bool
	AllowedSources []string
}
```
@tonistiigi
Something like this?
```toml
...
# Frontend control
[frontend."dockerfile.v0"]
  enabled = true

[frontend."gateway.v0"]
  enabled = true
  # If allowedSources is empty, all gateway sources are allowed.
  # Otherwise, only sources that match the patterns in this list will
  # be allowed.
  #
  # NOTES:
  # * Only the image name (without tag) is compared.
  # * Patterns are matched using <https://pkg.go.dev/github.com/moby/buildkit/util/wildcard>.
  # * Implicit references to docker.io should not be used in
  #   the patterns since matching occurs on a fully expanded image name
  #   (for example "docker/dockerfile" expands to "docker.io/docker/dockerfile").
  #
  # Example:
  # allowedSources = [ "docker-registry.wikimedia.org/repos/releng/blubber/buildkit" ]
  allowedSources = []
```
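The matching rules listed in the notes above (tag ignored, implicit docker.io expanded before comparison, empty list allows everything), as an added Go example that is not code from this PR or from BuildKit. `expandName`, `matchPattern` and `sourceAllowed` are hypothetical names; the normalizer and the `*` matcher are simplified stand-ins for a real reference parser and for util/wildcard, and the tag used in `main` is constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// expandName is a simplified stand-in for image reference normalization:
// it drops the tag or digest and makes the implicit docker.io registry explicit.
func expandName(ref string) string {
	ref, _, _ = strings.Cut(ref, "@") // drop digest
	if i := strings.LastIndex(ref, ":"); i > strings.LastIndex(ref, "/") {
		ref = ref[:i] // drop tag, but keep a registry port such as localhost:5000
	}
	host, _, hasPath := strings.Cut(ref, "/")
	switch {
	case !hasPath:
		return "docker.io/library/" + ref
	case strings.ContainsAny(host, ".:") || host == "localhost":
		return ref // registry host is already explicit
	}
	return "docker.io/" + ref
}

// matchPattern anchors the pattern and treats "*" as any run of characters (assumed semantics).
func matchPattern(pattern, name string) bool {
	parts := strings.Split(pattern, "*")
	for i, p := range parts {
		parts[i] = regexp.QuoteMeta(p)
	}
	return regexp.MustCompile("^" + strings.Join(parts, ".*") + "$").MatchString(name)
}

// sourceAllowed: an empty list allows every source; otherwise one pattern must match.
func sourceAllowed(allowed []string, ref string) bool {
	name := expandName(ref)
	for _, p := range allowed {
		if matchPattern(p, name) {
			return true
		}
	}
	return len(allowed) == 0
}

func main() {
	allowed := []string{"docker-registry.wikimedia.org/repos/releng/blubber/buildkit"}
	fmt.Println(sourceAllowed(allowed, allowed[0]+":v1.0.0"))                          // constructed tag
	fmt.Println(sourceAllowed([]string{"docker/dockerfile"}, "docker/dockerfile:1.7")) // implicit registry in pattern
}
```

The second call returns false: the pattern omits docker.io, so it can never equal the expanded name and the policy silently blocks the frontend it was meant to allow.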
@dancysoft Yeah, but maybe enabled -> disabled to make the zero value the default.
@AkihiroSuda wdyt?
> @dancysoft Yeah, but maybe enabled -> disabled to make the zero value the default.
If you don't have a strong preference, I would like to use enabled (defaulting to true) for consistency with the worker.oci and worker.containerd sections in the example buildkitd.toml:
```toml
...
[worker.oci]
  enabled = true
...
[worker.containerd]
  address = "/run/containerd/containerd.sock"
  enabled = true
...
```
I understand that I'll have to write code to handle this.
I don't think the most recent test failure is caused by my changes: https://github.com/moby/buildkit/actions/runs/9019916817/job/24784047347?pr=4899
```
== Failed
=== FAIL: client TestIntegration (0.35s)
    run.go:165:
        Error Trace: /src/util/testutil/integration/run.go:165
                     /src/client/client_test.go:236
                     /src/client/client_test.go:225
        Error: Received unexpected error:
               unexpected status from HEAD request to https://registry-1.docker.io/v2/cpuguy83/buildkit-foreign/manifests/latest: 503 Service Unavailable
        Test: TestIntegration
```
Thanks for merging!