From ce74774c096b1abcf872b45a3aa15c08120ff0c7 Mon Sep 17 00:00:00 2001 From: Kunal Kushwaha Date: Fri, 26 Apr 2019 15:04:34 +0900 Subject: [PATCH] builder entitlements configutation added. buildkit supports entitlements like network-host and security-insecure. this patch aims to make it configurable through daemon.json file. by default network-host is enabled & secuirty-insecure is disabled. Signed-off-by: Kunal Kushwaha (cherry picked from commit 8b7bbf180fc65013bc9ec0269b4a475d3eb038ee) Signed-off-by: Sebastiaan van Stijn --- builder/builder-next/controller.go | 17 +++++++++++++---- daemon/config/builder.go | 9 ++++++++- 2 files changed, 21 insertions(+), 5 deletions(-)
diff --git a/builder/builder-next/controller.go b/builder/builder-next/controller.go
index e740a76583..62a6f09767 100644
--- a/builder/builder-next/controller.go
+++ b/builder/builder-next/controller.go
@@ -195,10 +195,7 @@ func newController(rt http.RoundTripper, opt Opt) (*control.Controller, error) {
 ResolveCacheExporterFuncs: map[string]remotecache.ResolveCacheExporterFunc{
 "inline": inlineremotecache.ResolveCacheExporterFunc(),
 },
- Entitlements: []string{
- string(entitlements.EntitlementNetworkHost),
- // string(entitlements.EntitlementSecurityInsecure),
- },
+ Entitlements: getEntitlements(opt.BuilderConfig),
 })
 }
@@ -254,3 +251,15 @@ func parsePlatforms(platformsStr []string) ([]specs.Platform, error) {
 }
 return out, nil
 }
+
+func getEntitlements(conf config.BuilderConfig) []string {
+ var ents []string
+ // Incase of no config settings, NetworkHost should be enabled & SecurityInsecure must be disabled.
+ if conf.Entitlements.NetworkHost == nil || *conf.Entitlements.NetworkHost {
+ ents = append(ents, string(entitlements.EntitlementNetworkHost))
+ }
+ if conf.Entitlements.SecurityInsecure != nil && *conf.Entitlements.SecurityInsecure {
+ ents = append(ents, string(entitlements.EntitlementSecurityInsecure))
+ }
+ return ents
+}
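Review bot: In `getEntitlements` (second hunk), the `SecurityInsecure` branch grants `security.insecure` without any log line, so a daemon.json that turns it on leaves no trace at startup. Since that entitlement lets a build request steps that run without the default sandbox, I would emit a warning when the branch is taken, using whatever logger this file already has (not visible in the hunk). The nil check on `NetworkHost` keeps `network.host` granted when the key is absent, which matches the list the first hunk removes but means operators must set `network-host` to false explicitly to drop it. A doc comment should say so, e.g. `// getEntitlements returns the BuildKit entitlements allowed by conf: network.host unless explicitly disabled, security.insecure only when explicitly enabled.` The inline comment should also read `// In case of no config settings, ...`.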
diff --git a/daemon/config/builder.go b/daemon/config/builder.go
index ac85e76b30..cdb33c4da3 100644
--- a/daemon/config/builder.go
+++ b/daemon/config/builder.go
@@ -16,7 +16,14 @@ type BuilderGCConfig struct {
 DefaultKeepStorage string `json:",omitempty"`
 }
+// BuilderEntitlements contains settings to enable/disable entitlements
+type BuilderEntitlements struct {
+ NetworkHost *bool `json:"network-host,omitempty"`
+ SecurityInsecure *bool `json:"security-insecure,omitempty"`
+}
+
 // BuilderConfig contains config for the builder
 type BuilderConfig struct {
- GC BuilderGCConfig `json:",omitempty"`
+ GC BuilderGCConfig `json:",omitempty"`
+ Entitlements BuilderEntitlements `json:",omitempty"`
 }
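Review bot: The fields of `BuilderEntitlements` carry no comments, so nothing here tells a reader that the two `*bool` values default differently when unset, or what enabling each one permits. I would add `// NetworkHost allows builds to request host networking; nil means enabled.` and `// SecurityInsecure allows builds to request unsandboxed (privileged) steps; nil means disabled.` above the respective fields. The defaults stated are the ones `getEntitlements` applies in controller.go in this same patch. Separately, `omitempty` on the non-pointer `Entitlements BuilderEntitlements` field has no effect in encoding/json, as with the existing `GC` field; it is harmless but can mislead a reader about what gets serialized.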