mz507: stop propagating base image annotations

mzihlmann · mzihlmann · commit 0762fce08b89 · 2026-03-06T22:46:05.000Z
Kaniko propagates OCI manifest annotations from the base image forwards.
This became visible when updating to Docker 29.0.0, which switched to the containerd
image store by default. The containerd store preserves OCI manifest
annotations when pulling images, so we started noticing the difference with the upgrade, but it pre-existed.

We added FF_KANIKO_NO_PROPAGATE_ANNOTATIONS to strip base image annotations
from the output manifest, matching Docker behaviour.
diff --git a/README.md b/README.md
@@ -129,6 +129,7 @@ expect - see [Known Issues](#known-issues).
       - [Flag `FF_KANIKO_RUN_VIA_TINI`](#flag-ff_kaniko_run_via_tini)
       - [Flag `FF_KANIKO_COPY_CHMOD_ON_IMPLICIT_DIRS`](#flag-ff_kaniko_copy_chmod_on_implicit_dirs)
       - [Flag `FF_KANIKO_CLEAN_KANIKO_DIR`](#flag-ff_kaniko_clean_kaniko_dir)
+      - [Flag `FF_KANIKO_NO_PROPAGATE_ANNOTATIONS`](#flag-ff_kaniko_no_propagate_annotations)
     - [Debug Image](#debug-image)
   - [Security](#security)
     - [Verifying Signed Kaniko Images](#verifying-signed-kaniko-images)
@@ -1129,6 +1130,12 @@ Currently no plans to activate.
 When using `--cleanup`, kaniko cleans the container filesystem at the end of the build. Set this flag to `true` to also remove kaniko's own working directory artifacts from `/kaniko` (the Dockerfile copy, build context, intermediate stages, inter-stage dependencies, layers cache, and secrets). This is useful when reusing a kaniko container across multiple builds.
 Defaults to `true`.
 
+#### Flag `FF_KANIKO_NO_PROPAGATE_ANNOTATIONS`
+
+When building from a base image that carries OCI manifest annotations (e.g. `org.opencontainers.image.url`, `org.opencontainers.image.version`), kaniko by default propagates those annotations into the output image manifest. This differs from Docker/BuildKit behaviour, which does not carry base image annotations forward into derived images.
+Set this flag to `true` to strip base image manifest annotations from the output, matching Docker behaviour. Defaults to `false`.
+Becomes default in `v1.28.0`.
+
 ### Debug Image
 
 The kaniko executor image is based on scratch and doesn't contain a shell. We
diff --git a/integration/images.go b/integration/images.go
@@ -93,6 +93,7 @@ var KanikoEnv = []string{
 	"FF_KANIKO_OCI_WARMER=1",
 	"FF_KANIKO_RUN_VIA_TINI=1",
 	"FF_KANIKO_COPY_CHMOD_ON_IMPLICIT_DIRS=1",
+	"FF_KANIKO_NO_PROPAGATE_ANNOTATIONS=1",
 }
 
 var WarmerEnv = []string{
diff --git a/pkg/executor/build.go b/pkg/executor/build.go
@@ -92,6 +92,10 @@ func newStageBuilder(args *dockerfile.BuildArgs, opts *config.KanikoOptions, sta
 		return nil, err
 	}
 
+	if config.EnvBool("FF_KANIKO_NO_PROPAGATE_ANNOTATIONS") {
+		sourceImage = mutate.Annotations(sourceImage, nil).(v1.Image)
+	}
+
 	_opts := *opts
 	if !stage.Push {
 		_opts.Labels = []string{}
@@ -101,6 +105,8 @@ func newStageBuilder(args *dockerfile.BuildArgs, opts *config.KanikoOptions, sta
 		return nil, err
 	}
 
+	// mz507: This workaround to prevent cache invalidation via base image annotations
+	// can be removed once FF_KANIKO_NO_PROPAGATE_ANNOTATIONS becomes standard.
 	man, err := sourceImage.Manifest()
 	if err != nil {
 		return nil, err

Original file line number	Diff line number	Diff line change
`@@ -93,6 +93,7 @@ var KanikoEnv = []string{`
`93`	`93`	`"FF_KANIKO_OCI_WARMER=1",`
`94`	`94`	`"FF_KANIKO_RUN_VIA_TINI=1",`
`95`	`95`	`"FF_KANIKO_COPY_CHMOD_ON_IMPLICIT_DIRS=1",`
	`96`	`+ "FF_KANIKO_NO_PROPAGATE_ANNOTATIONS=1",`
`96`	`97`	`}`
`97`	`98`
`98`	`99`	`var WarmerEnv = []string{`