Fix the /kaniko directory permissions in container

[claudex]

Fixes #1363

Description

Create /kaniko directory with world permission to allow the creation of
sub directories by any user when the executor is run as non root. This
can lower the security but shouldn't have any impact in a container.

The tar unpack is the only way I found to have a directory with specific
permission as the image is created from "scratch" which doesn't have any
tool to change the permission otherwise.

Submitter Checklist

These are the criteria that every PR should meet, please check them off as you
review them:

• Includes unit tests
  The container build will fail if there is an issue with the change
• Adds integration tests if needed.
  The container build will fail if there is an issue with the change

See the contribution guide for more details.

Reviewer Notes

• The code flow looks good.
• Unit tests and or integration tests added.

Release Notes

Examples of user facing changes:
- kaniko executor container can run as non root

[imjasonh]

How is kaniko.tar generated? I'm not comfortable having such an opaque file in this repo that we can't regenerate, or generate on-demand.

As an alternative to unpacking kaniko.tar into the FROM scratch image, can we set its ownership bits in previous build stages and copy them over in the final stage?

Also, ideally this kind of change would include some kind of test, or even manual testing instructions, to demonstrate that it works as intended. An automated test is ideal because we can run it on future changes to ensure they don't undo this behavior.

[claudex]

How is kaniko.tar generated? I'm not comfortable having such an opaque file in this repo that we can't regenerate, or generate on-demand.

Yes, sorry, I forgot to add it, it's just an tar from an empty directory. I will add a new commit with the file creation in the makefile.

As an alternative to unpacking kaniko.tar into the FROM scratch image, can we set its ownership bits in previous build stages and copy them over in the final stage?

I'm not an expert in docker, but I've tested it and it doesn't keep the permission. Maybe I've done it wrong.

Also, ideally this kind of change would include some kind of test, or even manual testing instructions, to demonstrate that it works as intended. An automated test is ideal because we can run it on future changes to ensure they don't undo this behavior.

I didn't find any automated test with the image creation to inspire me :) Do you have a link to an example where I can change the user ?

[Carus11]

For what its worth, I built an image with these changes and can confirm it fixed the specific issue about /kaniko permissions so that one wont see that error message when trying to use a different user when running the container.

[hown3d]

I'm not really happy about this change since it broke every build outside of make:

• integration builds are broken, because files/kaniko.tar is not created in the integration test kaniko builds
  • Example Build: https://github.com/GoogleContainerTools/kaniko/runs/7091356926?check_suite_focus=true
• ci builds are broken, because those are run with docker buildx directly instead of the Makefile -> files/kaniko.tar is not available
  • Example Build: https://github.com/GoogleContainerTools/kaniko/runs/7091322747?check_suite_focus=true