@@ -15,7 +15,7 @@ Build from a file
1515
1616| Name | Type | Default | Description |
1717| :------------------------------------| :--------------| :--------| :----------------------------------------------------------------------------------------------------|
18- | ` --allow ` | ` stringArray ` | | Allow build to access specified resources |
18+ | [ ` --allow ` ] ( #allow ) | ` stringArray ` | | Allow build to access specified resources |
1919| [ ` --builder ` ] ( #builder ) | ` string ` | | Override the configured builder instance |
2020| [ ` --call ` ] ( #call ) | ` string ` | ` build ` | Set method for evaluating build (` check ` , ` outline ` , ` targets ` ) |
2121| [ ` --check ` ] ( #check ) | ` bool ` | | Shorthand for ` --call=check ` |
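Review bot: the description cell for the `--allow` row is unchanged at "Allow build to access specified resources", while the new `#allow` link now lands on a section that documents `fs`, `fs.read` and `fs.write` entitlements specific to Bake; consider rewording the cell to mention entitlements (for example "Allow build to access specified resources (entitlements)") so the row reads consistently with the section it links to, and verify that the `<a name="allow">` anchor the link depends on is present in the rendered Examples section.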
@@ -50,6 +50,80 @@ guide for introduction to writing bake files.
5050
5151## Examples
5252
53+ ### <a name =" allow " ></a > Allow extra privileged entitlement (--allow)
54+
55+ ``` text
56+ --allow=ENTITLEMENT[=VALUE]
57+ ```
58+
59+ Entitlements are designed to provide controlled access to privileged
60+ operations. By default, Buildx and BuildKit operates with restricted
61+ permissions to protect users and their systems from unintended side effects or
62+ security risks. The ` --allow ` flag explicitly grants access to additional
63+ entitlements, making it clear when a build or bake operation requires elevated
64+ privileges.
65+
66+ In addition to BuildKit's ` network.host ` and ` security.insecure ` entitlements
67+ (see [ ` docker buildx build --allow ` ] ( https://docs.docker.com/reference/cli/docker/buildx/build/#allow ) ,
68+ Bake supports file system entitlements that grant granular control over file
69+ system access. These are particularly useful when working with builds that need
70+ access to files outside the default working directory.
71+
72+ Bake supports the following filesystem entitlements:
73+
74+ - ` --allow fs=<path|*> ` - Grant read and write access to files outside of the
75+ working directory.
76+ - ` --allow fs.read=<path|*> ` - Grant read access to files outside of the
77+ working directory.
78+ - ` --allow fs.write=<path|*> ` - Grant write access to files outside of the
79+ working directory.
80+
81+ The ` fs ` entitlements take a path value (relative or absolute) to a directory
82+ on the filesystem. Alternatively, you can pass a wildcard (` * ` ) to allow Bake
83+ to access the entire filesystem.
84+
85+ ### Example: fs.read
86+
87+ Given the following Bake configuration, Bake would need to access the parent
88+ directory, relative to the Bake file.
89+
90+ ``` hcl
91+ target "app" {
92+ context = "../src"
93+ }
94+ ```
95+
96+ Assuming ` docker buildx bake app ` is executed in the same directory as the
97+ ` docker-bake.hcl ` file, you would need to explicitly allow Bake to read from
98+ the ` ../src ` directory. In this case, the following invocations all work:
99+
100+ ``` console
101+ $ docker buildx bake --allow fs.read=* app
102+ $ docker buildx bake --allow fs.read=../src app
103+ $ docker buildx bake --allow fs=* app
104+ ```
105+
106+ ### Example: fs.write
107+
108+ The following ` docker-bake.hcl ` file requires write access to the ` /tmp `
109+ directory.
110+
111+ ``` hcl
112+ target "app" {
113+ output = "/tmp"
114+ }
115+ ```
116+
117+ Assuming ` docker buildx bake app ` is executed outside of the ` /tmp ` directory,
118+ you would need to allow the ` fs.write ` entitlement, either by specifying the
119+ path or using a wildcard:
120+
121+ ``` console
122+ $ docker buildx bake --allow fs=/tmp app
123+ $ docker buildx bake --allow fs.write=/tmp app
124+ $ docker buildx bake --allow fs.write=* app
125+ ```
126+
53127### <a name =" builder " ></a > Override the configured builder instance (--builder)
54128
55129Same as [ ` buildx --builder ` ] ( buildx.md#builder ) .
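Review bot: the parenthetical opened at "(see [`docker buildx build --allow`](https://docs.docker.com/reference/cli/docker/buildx/build/#allow)," is never closed, so the sentence beginning "In addition to BuildKit's `network.host` and `security.insecure` entitlements" reads as a run-on; add the closing parenthesis after the link. In the same paragraph block, "Buildx and BuildKit operates with restricted permissions" should be "operate". In the console examples, the unquoted wildcards in `$ docker buildx bake --allow fs.read=* app` and `$ docker buildx bake --allow fs.write=* app` are subject to shell globbing if a matching file exists in the working directory; quoting the value (`--allow 'fs.read=*'`) in the examples would avoid surprising readers who copy them, and a one-line note that `fs=*` grants read and write access to the entire filesystem would make the security trade-off of the wildcard explicit next to the examples rather than only in the entitlement list above.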