Fix kicbase image load permission denied by using docker CLI

[princebirring]

Summary

• Replace direct Docker daemon socket access (daemon.Write and daemon.Image from go-containerregistry) with Docker CLI commands (docker load -i, docker image inspect) in pkg/minikube/download/image.go
• This fixes the "permission denied" error when loading the kicbase image for users who access Docker via sudo wrappers or other privilege-escalation mechanisms
• Removes the now-unused go-containerregistry/pkg/v1/daemon import

Root Cause

When loading the kicbase image, minikube used daemon.Write() and daemon.Image() from the go-containerregistry library, which connect directly to the Docker socket (/var/run/docker.sock). Users who intentionally restrict direct socket access and use sudo-based Docker wrappers get "permission denied" errors, even though other minikube Docker operations (like docker system info) work fine because they go through the Docker CLI.

Test Plan

• go build ./pkg/minikube/download/ compiles successfully
• go test ./pkg/minikube/download/ passes
• Manual test: run minikube start --driver=docker on a system where Docker requires sudo (user not in docker group, using a docker wrapper script)

Fixes #22780

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: princebirring
Once this PR has been reviewed and has the lgtm label, please assign prezha for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[k8s-ci-robot]

Welcome @princebirring!

It looks like this is your first PR to kubernetes/minikube 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/minikube has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

Hi @princebirring. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: princebirring / name: Prince Birring (d7914a8)

[minikube-bot]

Can one of the admins verify this patch?

[medyagh]

I am not sure if this is what we want, histrocially we have wanted to reduce depenency on having Docker installed by the user .... @afbjorklund can comment more

[Copilot]

Pull request overview

This PR switches kicbase image loading/inspection from direct Docker daemon socket access (go-containerregistry daemon.*) to invoking Docker via its CLI, addressing “permission denied” failures on systems that restrict /var/run/docker.sock access and rely on sudo/wrapper-based Docker usage.

Changes:

• Replaced daemon.Image() usage with docker image inspect to determine image architecture.
• Replaced daemon.Write() loading logic with docker load -i for cached tarballs.
• Removed the unused go-containerregistry/pkg/v1/daemon import.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

cmd.Output() drops stderr, so failures from docker image inspect will return an unhelpful error (e.g. only exit status 1). Consider using CombinedOutput() and include the captured output in the returned error to make diagnosing inspect failures easier.

Suggested change

	output, err := cmd.Output()
	if err != nil {
	output, err := cmd.CombinedOutput()
	if err != nil {
	inspectOutput := strings.TrimSpace(string(output))
	if inspectOutput != "" {
	return false, fmt.Errorf("failed to inspect image %s: %v: %s", img, err, inspectOutput)
	}

[Copilot]

On docker load failure, the returned error wraps only err (often just exit status 1) while the more useful details are in output and only logged at -v=2. Include the docker load output (and/or command) in the returned error so users get actionable diagnostics at default log levels.

Suggested change

	return "", fmt.Errorf("error loading image: %w", err)
	trimmedOutput := strings.TrimSpace(string(output))
	if trimmedOutput != "" {
	return "", fmt.Errorf("error loading image with %v: %s: %w", cmd.Args, trimmedOutput, err)
	}
	return "", fmt.Errorf("error loading image with %v: %w", cmd.Args, err)

[Copilot]

parseImage now returns a tag that is immediately discarded (_, ref, err := parseImage(img)). Since this is the only call site, consider simplifying parseImage to return just what CacheToDaemon needs (or avoid computing/returning the unused tag) to reduce confusion and unnecessary work.

[afbjorklund]

I am not sure if this is what we want, histrocially we have wanted to reduce depenency on having Docker installed by the user ....

Most people that have a running docker daemon also have a docker client installed, so I don't think that would be much difference?