Kustomize "multiple matches" failure since kustomize/v3.9.2

[sylr]

Describe the bug

Kustomize workspace which was working up until kustomize/v3.9.1 now fails with and without kyaml.

$ ~/go/src/sigs.k8s.io/kustomize/kustomize/kustomize build --enable_kyaml=false .
Error: obj '{"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding", "metadata": {
    "annotations": {"config.kubernetes.io/originalNs": "default"}, "labels": {"app": "external-dns",
      "instance": "public"}, "name": "external-dns-viewer"}, "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
    "kind": "ClusterRole", "name": "external-dns"}, "subjects": [{"kind": "ServiceAccount",
      "name": "external-dns"}]}
' at path 'subjects': multiple matches for ~G_v1_ServiceAccount|default|external-dns:
  [~G_v1_ServiceAccount|kube-system|external-dns
 ~G_v1_ServiceAccount|kube-system|external-dns-private
]

$ ~/go/src/sigs.k8s.io/kustomize/kustomize/kustomize build  .
Error: obj 'apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: external-dns-viewer
  labels:
    app: external-dns
    instance: public
  annotations:
    config.kubernetes.io/originalNs: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: external-dns
subjects:
- kind: ServiceAccount
  name: external-dns
' at path 'subjects': multiple matches for ~G_v1_ServiceAccount|default|external-dns:
  [~G_v1_ServiceAccount|kube-system|external-dns
 ~G_v1_ServiceAccount|kube-system|external-dns-private
]

Files that can reproduce the issue

https://github.com/sylr/kustomize-crash-reproduction

[sylr]

I did a bisect and it seems bb41d01 is responsible for this problem.

$ git bisect start
$ git bisect good kustomize/v3.9.1
$ git bisect bad kustomize/v3.9.2
Bisecting: 40 revisions left to test after this (roughly 5 steps)
[7c6bf2e21d30a3dcde0a627ba24f636381a5408b] When merging configmaps, retain proper quoting.
$ git bisect run ./bisect.sh
...
bb41d018b5350c24031bace975d7b735d26b7b9b is the first bad commit
commit bb41d018b5350c24031bace975d7b735d26b7b9b
Author: monopole <jeff.regan@gmail.com>
Date:   Wed Jan 13 13:03:22 2021 -0800

    Add more tests and explain some strange quotes.

 api/internal/target/kusttarget_test.go             |  4 +-
 api/krusty/basic_io_test.go                        | 67 +++++++++++++++++++++-
 api/krusty/configmaps_test.go                      |  8 ---
 api/krusty/kustomizer.go                           |  5 +-
 api/krusty/variableref_test.go                     | 34 +++++++----
 api/resmap/resmap.go                               |  3 +-
 api/resmap/reswrangler.go                          |  8 +--
 api/resmap/reswrangler_test.go                     |  4 +-
 api/resource/resource.go                           | 64 +++++----------------
 api/testutils/kusttest/harness.go                  |  5 +-
 .../PrefixSuffixTransformer_test.go                |  1 -
 11 files changed, 111 insertions(+), 92 deletions(-)
bisect run success

[sylr]

@Shell32-Natsu you tagged this area/kyaml but this problem is also occuring when kyaml is disabled.

[Shell32-Natsu]

I tagged this from my guess. Need to investigate more.

[Shell32-Natsu]

This is because the reference in subjects field in base/external-dns/clusterrolebinding.yml is using original ID. When kustomize is doing a step named name reference update, it will try to find find the resources that have the original ID and update the reference to the resource's current ID. Note that this step is done after all layers have been processed so there will be 2 resources that have the same original ID in your example.

[monopole]

@sylr If you have time, please take a look at TestIssue3489 in api/krusty/namereference_test.go in #3529

It purports to cover https://github.com/sylr/kustomize-crash-reproduction

Thanks for the report. This will go out in release 3.9.3 this week.