Fix the /kaniko directory permissions in container (#2009)

* Fix the /kaniko directory permissions in container

Create /kaniko directory with world permission to allow the creation of
sub directories by any user when the executor is run as non root. This
can lower the security but shouldn't have any impact in a container.

The tar unpack is the only way I found to have a directory with specific
permission as the image is created from "scratch" which doesn't have any
tool to change the permission otherwise.

Fixes #1363

* Avoid blackbox tar file creation

Use the Makefile to create the tar file used to create the kaniko directory
in the scratch container. This avoids having a "blackbox" binary file with
the empty directory.
claudex 2022-06-27 22:45:52 +02:00 committed by GitHub
parent 4338275220
commit 3fd30ead0c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 10 additions and 1 deletions


@ -92,9 +92,16 @@ k8s-executor-build-push:
DOCKER_BUILDKIT=1 docker build ${BUILD_ARG} --build-arg=GOARCH=$(GOARCH) -t $(REGISTRY)/executor:latest -f deploy/Dockerfile . DOCKER_BUILDKIT=1 docker build ${BUILD_ARG} --build-arg=GOARCH=$(GOARCH) -t $(REGISTRY)/executor:latest -f deploy/Dockerfile .
docker push $(REGISTRY)/executor:latest docker push $(REGISTRY)/executor:latest
files/kaniko:
mkdir files/kaniko
files/kaniko.tar: files/kaniko
chmod 777 files/kaniko
cd files && tar cf kaniko.tar kaniko
.PHONY: images .PHONY: images
images: DOCKER_BUILDKIT=1 images: DOCKER_BUILDKIT=1
images: images: files/kaniko.tar
docker build ${BUILD_ARG} --build-arg=GOARCH=$(GOARCH) -t $(REGISTRY)/executor:latest -f deploy/Dockerfile . docker build ${BUILD_ARG} --build-arg=GOARCH=$(GOARCH) -t $(REGISTRY)/executor:latest -f deploy/Dockerfile .
docker build ${BUILD_ARG} --build-arg=GOARCH=$(GOARCH) -t $(REGISTRY)/executor:debug -f deploy/Dockerfile_debug . docker build ${BUILD_ARG} --build-arg=GOARCH=$(GOARCH) -t $(REGISTRY)/executor:debug -f deploy/Dockerfile_debug .
docker build ${BUILD_ARG} --build-arg=GOARCH=$(GOARCH) -t $(REGISTRY)/executor:slim -f deploy/Dockerfile_slim . docker build ${BUILD_ARG} --build-arg=GOARCH=$(GOARCH) -t $(REGISTRY)/executor:slim -f deploy/Dockerfile_slim .
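Review bot: `files/kaniko.tar` is added as a prerequisite of `images` only, while the `k8s-executor-build-push` recipe at the top of this hunk builds the same `deploy/Dockerfile`. If that is the Dockerfile that gained `ADD files/kaniko.tar /`, that target fails on a clean checkout. Its rule header lies outside the hunk, so the prerequisite would have to be added there. Separately, the tar recipe records the uid/gid of whoever ran make, so the owner of /kaniko in the image depends on the build host. With GNU tar, `cd files && tar -cf kaniko.tar --owner=0 --group=0 --numeric-owner kaniko` would pin it to root.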


@ -45,6 +45,8 @@ FROM debian:bullseye-slim AS certs
RUN apt update && apt install -y ca-certificates RUN apt update && apt install -y ca-certificates
FROM scratch FROM scratch
# Create kaniko directory with world write permission to allow non root run
ADD files/kaniko.tar /
COPY --from=0 /src/out/executor /kaniko/executor COPY --from=0 /src/out/executor /kaniko/executor
COPY --from=0 /usr/local/bin/docker-credential-gcr /kaniko/docker-credential-gcr COPY --from=0 /usr/local/bin/docker-credential-gcr /kaniko/docker-credential-gcr
COPY --from=0 /usr/local/bin/docker-credential-ecr-login /kaniko/docker-credential-ecr-login COPY --from=0 /usr/local/bin/docker-credential-ecr-login /kaniko/docker-credential-ecr-login
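Review bot: /kaniko is unpacked from the tar as mode 777 with no sticky bit, and the COPY lines right after it place the executor and the docker-credential-* helpers in that same directory. Write permission on the directory is enough to rename or unlink entries, so any uid in the container can swap out those binaries regardless of who owns them. Creating the directory as 1777 (`chmod 1777 files/kaniko` in the Makefile recipe) should still let a non-root executor create subdirectories while limiting rename and delete to each entry's owner. The comment above the ADD could then read `# /kaniko is mode 1777: any uid may create entries, only the owner may remove them`.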