driver: set network.host entitlement by default for container drivers

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
2025-07-12 06:27:07 +08:00 · 2024-02-21 11:29:44 +01:00
parent fd11d93381
commit e008b846bb
4 changed files with 188 additions and 14 deletions
--- a/builder/builder_test.go
+++ b/builder/builder_test.go
@ -3,6 +3,7 @@ package builder
 import (
 	"testing"

+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )

@ -24,3 +25,115 @@ func TestCsvToMap(t *testing.T) {
 	require.Contains(t, r, "namespace")
 	require.Equal(t, r["namespace"], "default")
 }
+
+func TestParseBuildkitdFlags(t *testing.T) {
+	testCases := []struct {
+		name       string
+		flags      string
+		driver     string
+		driverOpts map[string]string
+		expected   []string
+		wantErr    bool
+	}{
+		{
+			"docker-container no flags",
+			"",
+			"docker-container",
+			nil,
+			[]string{
+				"--allow-insecure-entitlement=network.host",
+			},
+			false,
+		},
+		{
+			"kubernetes no flags",
+			"",
+			"kubernetes",
+			nil,
+			[]string{
+				"--allow-insecure-entitlement=network.host",
+			},
+			false,
+		},
+		{
+			"remote no flags",
+			"",
+			"remote",
+			nil,
+			nil,
+			false,
+		},
+		{
+			"docker-container with insecure flag",
+			"--allow-insecure-entitlement=security.insecure",
+			"docker-container",
+			nil,
+			[]string{
+				"--allow-insecure-entitlement=security.insecure",
+			},
+			false,
+		},
+		{
+			"docker-container with insecure and host flag",
+			"--allow-insecure-entitlement=network.host --allow-insecure-entitlement=security.insecure",
+			"docker-container",
+			nil,
+			[]string{
+				"--allow-insecure-entitlement=network.host",
+				"--allow-insecure-entitlement=security.insecure",
+			},
+			false,
+		},
+		{
+			"docker-container with network host opt",
+			"",
+			"docker-container",
+			map[string]string{"network": "host"},
+			[]string{
+				"--allow-insecure-entitlement=network.host",
+			},
+			false,
+		},
+		{
+			"docker-container with host flag and network host opt",
+			"--allow-insecure-entitlement=network.host",
+			"docker-container",
+			map[string]string{"network": "host"},
+			[]string{
+				"--allow-insecure-entitlement=network.host",
+			},
+			false,
+		},
+		{
+			"docker-container with insecure, host flag and network host opt",
+			"--allow-insecure-entitlement=network.host --allow-insecure-entitlement=security.insecure",
+			"docker-container",
+			map[string]string{"network": "host"},
+			[]string{
+				"--allow-insecure-entitlement=network.host",
+				"--allow-insecure-entitlement=security.insecure",
+			},
+			false,
+		},
+		{
+			"error parsing flags",
+			"foo'",
+			"docker-container",
+			nil,
+			nil,
+			true,
+		},
+	}
+	for _, tt := range testCases {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			flags, err := parseBuildkitdFlags(tt.flags, tt.driver, tt.driverOpts)
+			if tt.wantErr {
+				require.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+			assert.Equal(t, tt.expected, flags)
+		})
+	}
+}