Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

LoadRestrictionsNone does not disable restrictions on remote bases #4052

Closed
814HiManny opened this issue Jul 9, 2021 · 18 comments
Closed

LoadRestrictionsNone does not disable restrictions on remote bases #4052

814HiManny opened this issue Jul 9, 2021 · 18 comments
Labels
kind/documentation Categorizes issue or PR as related to documentation. triage/unresolved Indicates an issue that can not or will not be resolved.

Comments

@814HiManny
Copy link

When using LoadRestrictionsNone I expect kustomize to be able to refer to kustomizations in git repositories that reference a configuration that is outside of the directory where the kustomization is. If I do a git clone of a repo, the LoadRestrictionsNone flag correctly works. When the same git repo is referenced via a git resource, it does not work.

kustomization.yaml

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- https://github.com/814HiManny/kustomize/examples/transformerconfigs/images-config-outside/

Expected output

A valid yaml output

Actual output

$> kustomize build --load-restrictor LoadRestrictionsNone ktest-outside/

Error: accumulating resources: accumulation err='accumulating resources from 'https://github.com/814HiManny/kustomize/examples/transformerconfigs/images-config-outside/': yaml: line 175: mapping values are not allowed in this context': recursed accumulation of path '/private/var/folders/rh/5hvkwnmd4g3fb5dl6w0nb2vw0000gn/T/kustomize-843568672/examples/transformerconfigs/images-config-outside': security; file '/private/var/folders/rh/5hvkwnmd4g3fb5dl6w0nb2vw0000gn/T/kustomize-843568672/examples/transformerconfigs/kustomizeconfig/mykind.yaml' is not in or below '/private/var/folders/rh/5hvkwnmd4g3fb5dl6w0nb2vw0000gn/T/kustomize-843568672/examples/transformerconfigs/images-config-outside'

Kustomize version

{Version:kustomize/v4.2.0 GitCommit:d53a2ad45d04b0264bcee9e19879437d851cb778 BuildDate:2021-06-30T22:49:26Z GoOs:darwin GoArch:amd64}

Platform

macOS
@814HiManny 814HiManny added the kind/bug Categorizes issue or PR as related to a bug. label Jul 9, 2021
@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Jul 9, 2021
@814HiManny 814HiManny changed the title LoadRestrictionsNone is not correcly opening files from configurations outside of directory for git kustomizations LoadRestrictionsNone is not correctly opening files from configurations outside of directory for git kustomizations Jul 9, 2021
@ron1
Copy link

ron1 commented Jul 12, 2021
edited
Loading

@814HiManny FYI, I get the same error in the even simpler case with no local kustomization.yaml file. However, if I first clone the repo and then execute kustomize build, it works as expected. Note this bug is also reproducible at least as far back as kustomize 3.8.1.

FAILURE:

$> kustomize build https://github.com/814HiManny/kustomize/examples/transformerconfigs/images-config-outside --load-restrictor LoadRestrictionsNone

Error: security; file '/tmp/kustomize-203698288/examples/transformerconfigs/kustomizeconfig/mykind.yaml' is not in or below '/tmp/kustomize-203698288/examples/transformerconfigs/images-config-outside'

SUCCESS:

$> git clone https://github.com/814HiManny/kustomize 2>nul
$> echo $?
0
$> kustomize build kustomize/examples/transformerconfigs/images-config-outside --load-restrictor LoadRestrictionsNone | wc -l
27

@KnVerey
Copy link
Contributor

KnVerey commented Sep 1, 2021

/triage accepted

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Sep 1, 2021
@soleares
Copy link

soleares commented Sep 1, 2021
edited
Loading

@814HiManny Probably no surprise but the behavior is the same using SSH. I mention it because I ran into this issue while trying to access a private repo with SSH.

$ kustomize build git@github.com:814HiManny/kustomize.git//examples/transformerconfigs/images-config-outside --load-restrictor LoadRestrictionsNone

Error: security; file '/private/var/folders/9d/w8hssg6d499cszk5s19gsx_m0000gp/T/kustomize-426654121/examples/transformerconfigs/kustomizeconfig/mykind.yaml' is not in or below '/private/var/folders/9d/w8hssg6d499cszk5s19gsx_m0000gp/T/kustomize-426654121/examples/transformerconfigs/images-config-outside'

@thomasmckay thomasmckay mentioned this issue Oct 20, 2021
Closed
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Dec 21, 2021
@ron1
Copy link

ron1 commented Dec 22, 2021
edited
Loading

/remove- lifecycle stale

@KnVerey KnVerey removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Dec 22, 2021
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Mar 22, 2022
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Apr 21, 2022
@ron1
Copy link

ron1 commented Apr 21, 2022

/remove- lifecycle stale

@ron1
Copy link

ron1 commented Apr 21, 2022

/remove- lifecycle rotten

@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Reopen this issue or PR with /reopen
  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close

@k8s-ci-robot
Copy link
Contributor

@k8s-triage-robot: Closing this issue.

In response to this:

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Reopen this issue or PR with /reopen
  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@saviogl
Copy link

saviogl commented Jun 29, 2022

@814HiManny Any solutions for this? Did this just get closed and that's it?

@saviogl
Copy link

saviogl commented Jun 29, 2022

/remove-lifecycle rotten

@k8s-ci-robot k8s-ci-robot removed the lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. label Jun 29, 2022
@saviogl
Copy link

saviogl commented Jun 29, 2022

/reopen

@k8s-ci-robot
Copy link
Contributor

@saviogl: You can't reopen an issue/PR unless you authored it or you are a collaborator.

In response to this:

/reopen

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@saviogl saviogl mentioned this issue Jun 29, 2022
Closed
thomas-gerber added a commit to faros-ai/faros-community-edition that referenced this issue Jun 29, 2022
@thomas-gerber
Copy env file to kube base
ed57738 
until there is support for removing load restrictions in remote directories
see: kubernetes-sigs/kustomize#4052
@thomas-gerber thomas-gerber mentioned this issue Jun 29, 2022
Merged
3 tasks
thomas-gerber added a commit to faros-ai/faros-community-edition that referenced this issue Jun 29, 2022
@thomas-gerber @saviogl
Replace symlink with an actual copy of the env file in the kube base (#…
b8cb33a 
…194)

* Copy env file to kube base

until there is support for removing load restrictions in remote directories
see: kubernetes-sigs/kustomize#4052

* Simplify kubectl commands

Possible now that load restrictions are not necessary anymore.

* Add drift check on .env file

Co-authored-by: Sávio Lucena <saviogl@gmail.com>
@KnVerey KnVerey reopened this Jul 5, 2022
@KnVerey
Copy link
Contributor

KnVerey commented Jul 6, 2022

I apologize for causing confusion, but I should not have accepted this issue. The fact that the load restrictor cannot be bypassed, even with the flag, for remote bases is an intentional security feature.

https://github.com/kubernetes-sigs/kustomize/blob/master/api/loader/fileloader.go#L210-L211

In general, we recommend localizing remote bases for production use and subjecting them to review. This is even more critical, to the point that we require it, when the remote base requires arbitrary filesystem access. We are working on kustomize localize feature to help with workflows like this: https://github.com/kubernetes-sigs/kustomize/blob/master/proposals/22-04-localize-command.md.

We would accept documentation or warning message improvements to alleviate the confusion around this, but we will not be changing the behaviour.

/retitle LoadRestrictionsNone does not disable restrictions on remote bases

/triage unresolved
/kind documentation
/close

@k8s-ci-robot k8s-ci-robot changed the title LoadRestrictionsNone is not correctly opening files from configurations outside of directory for git kustomizations LoadRestrictionsNone does not disable restrictions on remote bases Jul 6, 2022
@k8s-ci-robot k8s-ci-robot added triage/unresolved Indicates an issue that can not or will not be resolved. kind/documentation Categorizes issue or PR as related to documentation. labels Jul 6, 2022
@k8s-ci-robot
Copy link
Contributor

@KnVerey: Closing this issue.

In response to this:

I apologize for causing confusion, but I should not have accepted this issue. The fact that the load restrictor cannot be bypassed, even with the flag, for remote bases is an intentional security feature.

https://github.com/kubernetes-sigs/kustomize/blob/master/api/loader/fileloader.go#L210-L211

In general, we recommend localizing remote bases for production use and subjecting them to review. This is even more critical, to the point that we require it, when the remote base requires arbitrary filesystem access. We are working on kustomize localize feature to help with workflows like this: https://github.com/kubernetes-sigs/kustomize/blob/master/proposals/22-04-localize-command.md.

We would accept documentation or warning message improvements to alleviate the confusion around this, but we will not be changing the behaviour.

/retitle LoadRestrictionsNone does not disable restrictions on remote bases

/triage unresolved
/kind documentation
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@KnVerey KnVerey removed kind/bug Categorizes issue or PR as related to a bug. triage/accepted Indicates an issue or PR is ready to be actively worked on. labels Jul 6, 2022
@k8s-ci-robot
Copy link
Contributor

@814HiManny: This issue is currently awaiting triage.

SIG CLI takes a lead on issue triage for this repo, but any Kubernetes member can accept issues by applying the triage/accepted label.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Jul 6, 2022
@KnVerey KnVerey removed the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Jul 6, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/documentation Categorizes issue or PR as related to documentation. triage/unresolved Indicates an issue that can not or will not be resolved.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
8 participants
@soleares @ron1 @monopole @KnVerey @saviogl @k8s-ci-robot @814HiManny @k8s-triage-robot