@@ -196,10 +196,7 @@ func newController(rt http.RoundTripper, opt Opt) (*control.Controller, error) {

 		ResolveCacheExporterFuncs: map[string]remotecache.ResolveCacheExporterFunc{

 			"inline": inlineremotecache.ResolveCacheExporterFunc(),

 		},

-		Entitlements: []string{

-			string(entitlements.EntitlementNetworkHost),

-			// string(entitlements.EntitlementSecurityInsecure),

-		},

+		Entitlements: getEntitlements(opt.BuilderConfig),

 	})

 }

@@ -255,3 +252,15 @@ func parsePlatforms(platformsStr []string) ([]specs.Platform, error) {

 	}

 	return out, nil

 }

+

+func getEntitlements(conf config.BuilderConfig) []string {

+	var ents []string

+	// Incase of no config settings, NetworkHost should be enabled & SecurityInsecure must be disabled.

+	if conf.Entitlements.NetworkHost == nil || *conf.Entitlements.NetworkHost {

+		ents = append(ents, string(entitlements.EntitlementNetworkHost))

+	}

+	if conf.Entitlements.SecurityInsecure != nil && *conf.Entitlements.SecurityInsecure {

+		ents = append(ents, string(entitlements.EntitlementSecurityInsecure))

+	}

+	return ents

+}

@@ -61,7 +61,14 @@ type BuilderGCConfig struct {

 	DefaultKeepStorage string          `json:",omitempty"`

 }

+// BuilderEntitlements contains settings to enable/disable entitlements

+type BuilderEntitlements struct {

+	NetworkHost      *bool `json:"network-host,omitempty"`

+	SecurityInsecure *bool `json:"security-insecure,omitempty"`

+}

+

 // BuilderConfig contains config for the builder

 type BuilderConfig struct {

-	GC BuilderGCConfig `json:",omitempty"`

+	GC           BuilderGCConfig     `json:",omitempty"`

+	Entitlements BuilderEntitlements `json:",omitempty"`

 }