bake: make FS entitlements error by default

Change FS entitlements checks from warning to error by default as expressed in initial PR. Users can still opt-out with environment variable if the choose to. Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
docker · Dec 20, 2024 · 6123f1f · 6123f1f
1 parent 5c5bc51
commit 6123f1f
Showing 1 changed file with 4 additions and 6 deletions.
diff --git a/bake/entitlements.go b/bake/entitlements.go
@@ -257,16 +257,14 @@ func (c EntitlementConf) Prompt(ctx context.Context, isRemote bool, out io.Write
 		fmt.Fprintf(out, "%s %s %s\n\n", strings.Join(args[:idx+1], " "), strings.Join(slices.Concat(flags, flagsFS), " "), strings.Join(args[idx+1:], " "))
 	}
 
-	fsEntitlementsEnabled := false
+	fsEntitlementsEnabled := true
 	if isRemote {
 		if v, ok := os.LookupEnv("BAKE_ALLOW_REMOTE_FS_ACCESS"); ok {
 			vv, err := strconv.ParseBool(v)
 			if err != nil {
 				return errors.Wrapf(err, "failed to parse BAKE_ALLOW_REMOTE_FS_ACCESS value %q", v)
 			}
 			fsEntitlementsEnabled = !vv
-		} else {
-			fsEntitlementsEnabled = true
 		}
 	}
 	v, fsEntitlementsSet := os.LookupEnv("BUILDX_BAKE_ENTITLEMENTS_FS")
@@ -279,11 +277,11 @@ func (c EntitlementConf) Prompt(ctx context.Context, isRemote bool, out io.Write
 	}
 
 	if !fsEntitlementsEnabled && len(msgs) == 0 {
-		if !fsEntitlementsSet {
-			fmt.Fprintf(out, "This warning will become an error in a future release. To enable filesystem entitlements checks at the moment, set BUILDX_BAKE_ENTITLEMENTS_FS=1 .\n\n")
-		}
 		return nil
 	}
+	if fsEntitlementsEnabled && !fsEntitlementsSet {
+		fmt.Fprintf(out, "To disable filesystem entitlements checks, you can set BUILDX_BAKE_ENTITLEMENTS_FS=0 .\n\n")
+	}
 
 	if term {
 		fmt.Fprintf(out, "Do you want to grant requested privileges and continue? [y/N] ")