Separate Insecure Pull Options

README.md

@@ -298,11 +298,19 @@ Set this flag if you only want to build the image, without pushing to a registry
 
 #### --insecure
 
-Set this flag if you want to connect to a plain HTTP registry. It is supposed to be used for testing purposes only and should not be used in production!
+Set this flag if you want to push images to a plain HTTP registry. It is supposed to be used for testing purposes only and should not be used in production!
 
 #### --skip-tls-verify
 
-Set this flag to skip TLS certificate validation when connecting to a registry. It is supposed to be used for testing purposes only and should not be used in production!
+Set this flag to skip TLS certificate validation when pushing images to a registry. It is supposed to be used for testing purposes only and should not be used in production!
+
+#### --insecure-pull
+
+Set this flag if you want to pull images from a plain HTTP registry. It is supposed to be used for testing purposes only and should not be used in production!
+
+#### --skip-tls-verify-pull
+
+Set this flag to skip TLS certificate validation when pulling images from a registry. It is supposed to be used for testing purposes only and should not be used in production!
 
 #### --cache
 
@@ -413,4 +421,4 @@ file are made and when the `mtime` is updated. This means:
   which will still be correct, but it does affect the number of layers.
 
 _Note that these issues are currently theoretical only. If you see this issue occur, please
-[open an issue](https://github.com/GoogleContainerTools/kaniko/issues)._
+[open an issue](https://github.com/GoogleContainerTools/kaniko/issues)._

cmd/executor/cmd/root.go

@@ -91,8 +91,10 @@ func addKanikoOptionsFlags(cmd *cobra.Command) {
 	RootCmd.PersistentFlags().VarP(&opts.Destinations, "destination", "d", "Registry the final image should be pushed to. Set it repeatedly for multiple destinations.")
 	RootCmd.PersistentFlags().StringVarP(&opts.SnapshotMode, "snapshotMode", "", "full", "Change the file attributes inspected during snapshotting")
 	RootCmd.PersistentFlags().VarP(&opts.BuildArgs, "build-arg", "", "This flag allows you to pass in ARG values at build time. Set it repeatedly for multiple values.")
-	RootCmd.PersistentFlags().BoolVarP(&opts.Insecure, "insecure", "", false, "Pull and push to insecure registry using plain HTTP")
+	RootCmd.PersistentFlags().BoolVarP(&opts.Insecure, "insecure", "", false, "Push to insecure registry using plain HTTP")
 	RootCmd.PersistentFlags().BoolVarP(&opts.SkipTLSVerify, "skip-tls-verify", "", false, "Push to insecure registry ignoring TLS verify")
+	RootCmd.PersistentFlags().BoolVarP(&opts.InsecurePull, "insecure-pull", "", false, "Pull from insecure registry using plain HTTP")
+	RootCmd.PersistentFlags().BoolVarP(&opts.SkipTLSVerifyPull, "skip-tls-verify-pull", "", false, "Pull from insecure registry ignoring TLS verify")
 	RootCmd.PersistentFlags().StringVarP(&opts.TarPath, "tarPath", "", "", "Path to save the image in as a tarball instead of pushing")
 	RootCmd.PersistentFlags().BoolVarP(&opts.SingleSnapshot, "single-snapshot", "", false, "Take a single snapshot at the end of the build.")
 	RootCmd.PersistentFlags().BoolVarP(&opts.Reproducible, "reproducible", "", false, "Strip timestamps out of the image to make it reproducible")

pkg/config/options.go

@@ -18,23 +18,25 @@ package config
 
 // KanikoOptions are options that are set by command line arguments
 type KanikoOptions struct {
-	DockerfilePath string
-	SrcContext     string
-	SnapshotMode   string
-	Bucket         string
-	TarPath        string
-	Target         string
-	CacheRepo      string
-	CacheDir       string
-	Destinations   multiArg
-	BuildArgs      multiArg
-	Insecure       bool
-	SkipTLSVerify  bool
-	SingleSnapshot bool
-	Reproducible   bool
-	NoPush         bool
-	Cache          bool
-	Cleanup        bool
+	DockerfilePath    string
+	SrcContext        string
+	SnapshotMode      string
+	Bucket            string
+	TarPath           string
+	Target            string
+	CacheRepo         string
+	CacheDir          string
+	Destinations      multiArg
+	BuildArgs         multiArg
+	Insecure          bool
+	SkipTLSVerify     bool
+	InsecurePull      bool
+	SkipTLSVerifyPull bool
+	SingleSnapshot    bool
+	Reproducible      bool
+	NoPush            bool
+	Cache             bool
+	Cleanup           bool
 }
 
 // WarmerOptions are options that are set by command line arguments to the cache warmer.

pkg/util/image_util.go

@@ -102,7 +102,7 @@ func remoteImage(image string, opts *config.KanikoOptions) (v1.Image, error) {
 		return nil, err
 	}
 
-	if opts.Insecure {
+	if opts.InsecurePull {
 		newReg, err := name.NewInsecureRegistry(ref.Context().RegistryStr(), name.WeakValidation)
 		if err != nil {
 			return nil, err
@@ -118,7 +118,7 @@ func remoteImage(image string, opts *config.KanikoOptions) (v1.Image, error) {
 	}
 
 	tr := http.DefaultTransport.(*http.Transport)
-	if opts.SkipTLSVerify {
+	if opts.SkipTLSVerifyPull {
 		tr.TLSClientConfig = &tls.Config{
 			InsecureSkipVerify: true,
 		}