Kaniko does not persist setcap side effects #1851

Closed
jomonson opened this issue Dec 21, 2021 · 2 comments · Fixed by #1994

Comments

@jomonson

Actual behavior
setcap command does not persist to the finalized image. Running getcap in the finalized image returns an empty result.

Expected behavior
getcap should return the newly attached capabilities

To Reproduce
Steps to reproduce the behavior:

  1. Create a Dockerfile with the following:

     ```dockerfile
     FROM python:3.9.9-slim-buster AS python
     RUN apt-get update && apt-get install --assume-yes libcap2-bin nmap
     RUN setcap cap_net_raw,cap_net_admin,cap_net_bind_service+eip $(which nmap)
     RUN echo $(getcap $(which nmap))
     ```
  2. See that during the Kaniko build, the echo command indeed produces the desired result.
  3. Running the resulting image (from loading the resulting .tar file) and running getcap produces empty output

Additional Information
Used Kaniko 1.7-debug, and tried all sorts of flags, including single-snapshot and --snapshotMode=full

Triage Notes for the Maintainers

| Description | Yes/No |
| --- | --- |
| Please check if this a new feature you are proposing | |
| Please check if the build works in docker but not in kaniko | |
| Please check if this error is seen when you use --cache flag | |
| Please check if your dockerfile is a multistage dockerfile | |

@pidydx

pidydx commented Jan 25, 2022

I am seeing the same behavior. When installing Ubuntu packages that include files with capabilities set, the final image produced by kaniko does not include those capabilities on the files, causing the installed package to not function correctly.

@archfish

same in alpine:3.14

setcap CAP_NET_BIND_SERVICE=+eip $APP_ROOT/$EXEC_FILE;
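
The following check is an added example, not part of the thread and not Kaniko's code: it scans a layer tar for the `security.capability` xattr and decodes it, so a build pipeline can detect the silent loss reported above without running `getcap` in a container. It assumes the layer records xattrs as `SCHILY.xattr.*` PAX records (the convention Go's `archive/tar` uses); the function names, `build_layer` and its `usr/bin/nmap` entry are constructed for illustration.

```python
import io
import struct
import tarfile

# PAX record name assumed for this xattr (Go archive/tar convention).
CAP_XATTR = "SCHILY.xattr.security.capability"
# Subset of capability bit numbers from linux/capability.h.
CAP_NAMES = {10: "cap_net_bind_service", 12: "cap_net_admin", 13: "cap_net_raw"}

def decode_vfs_cap(raw: bytes) -> dict:
    """Decode a revision 2 or 3 vfs_cap_data blob (little-endian u32 fields)."""
    if len(raw) < 20 or raw[3] not in (2, 3):   # raw[3] holds the revision
        raise ValueError("unsupported vfs_cap_data blob")
    magic, p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<5I", raw)
    def names(mask):
        return sorted(CAP_NAMES.get(b, f"cap_{b}") for b in range(64) if mask >> b & 1)
    return {"effective": bool(magic & 1),       # VFS_CAP_FLAGS_EFFECTIVE
            "permitted": names(p_hi << 32 | p_lo),
            "inheritable": names(i_hi << 32 | i_lo)}

def file_caps_in_layer(layer) -> dict:
    """Map each path in a layer tar to its decoded file capabilities."""
    found = {}
    with tarfile.open(fileobj=layer, mode="r:*") as tar:
        for member in tar:
            value = member.pax_headers.get(CAP_XATTR)
            if value is not None:
                # tarfile returns PAX values as str; recover the raw bytes.
                raw = value.encode("utf-8", "surrogateescape")
                found[member.name] = decode_vfs_cap(raw)
    return found

def build_layer(with_xattr: bool) -> io.BytesIO:
    """Constructed sample layer holding one placeholder file, usr/bin/nmap."""
    mask = 1 << 10 | 1 << 12 | 1 << 13          # the three capabilities in the report
    blob = struct.pack("<5I", 0x02000001, mask, mask, 0, 0)   # revision 2, +eip
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tar:
        info = tarfile.TarInfo("usr/bin/nmap")
        info.size = 4
        if with_xattr:
            info.pax_headers = {CAP_XATTR: blob.decode("utf-8", "surrogateescape")}
        tar.addfile(info, io.BytesIO(b"\x7fELF"))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    print("xattr kept:", file_caps_in_layer(build_layer(True)))
    print("xattr lost:", file_caps_in_layer(build_layer(False)))
```

An empty result for a layer whose `RUN` step called `setcap` is the symptom described in this issue.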
