Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Restrict loading to root or below. #700

merged 1 commit into from Jan 16, 2019


None yet
4 participants
Copy link

commented Jan 15, 2019

Kustomization files refer to two kinds of files outside the kustomization file itself:

  • bases (other kustomizations)
    These can be git URLs, or paths specified relative to the root (as long as they don't go strictly "up").

  • data paths for the current kustomization
    Things like resources, patches, data for configmaps, etc.
    These must be paths specified relative to the root

where root is the directory containing the kustomization file specifying these things.

This PR imposes an additional requirement on data paths.

They must still be root relative paths, but additionally they cannot go up out of root, either explicitly, or by following symbolic links. They can only refer to files in or below root.

This will require an increment in semver major, since it disallows certain file loading patterns.

No existing examples or documentation need to change, since this file arrangement wasn't used.

Example of disallowed behavior and how to fix:

Supposed a single data file foo/common/data.txt is referenced in two similar configmap generator rules in two different directories foo/overlay1 and foo/overlay2. This is now disallowed, because the data is outside the two respective kustomization roots.

The fix is to simply add a kustomization file to the directory containing the data, and refer to that as a base from the kustomizations in the two overlays (i.e. refer to the base, not the data). It remains OK to go up and over when referring to a base (though not directly up, since that can result in cycles).

A followup PR should include an example discussing/defining this.

Fixes #693

@monopole monopole requested a review from DirectXMan12 Jan 15, 2019

@k8s-ci-robot k8s-ci-robot requested review from droot and mengqiy Jan 15, 2019


This comment has been minimized.

Copy link

commented Jan 15, 2019


This pull-request has been approved by: monopole

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@monopole monopole requested review from Liujingfang1 and removed request for droot and mengqiy Jan 15, 2019

Copy link

left a comment

Looks good to me. Just one comment on the error messages.

func (l *fileLoader) Load(path string) ([]byte, error) {
if filepath.IsAbs(path) {
return nil, fmt.Errorf(
"must use relative path; '%s' is absolute", path)
return nil, l.loadOutOfBounds(path)

This comment has been minimized.

Copy link

Liujingfang1 Jan 15, 2019


The previous error message looks better. We can leave it unchanged.

This comment has been minimized.

Copy link

monopole Jan 16, 2019

Author Contributor

Message updated.

This is now a change from

must use relative path; '/etc/tls.key' is absolute.


"security; file `/etc/tls.key` is not in or below `/the/kustomization/root`,

How's that?

Copy link

left a comment

fileLoader godoc needs to be updated with the new info.

This technically also disallows symlinks between "root trees" where the load might otherwise be acceptable (AFAICT), but that may be an acceptable caveat.

if l.Root() == string(filepath.Separator) {
return true
return strings.HasPrefix(

This comment has been minimized.

Copy link

DirectXMan12 Jan 15, 2019

this needs a warning so that people don't strip off the trailing slash (which would make it more incorrect that in currently is). This is technically still wrong (, golang/dep#296, golang/go#18358 (comment)) due to filesystem case sensitivity, etc. The fully correct answer appears to be, but it's tricky. If you decide to stick with this, note the caveats (since this is even less correct than filepath.HasPrefix on Windows).

This comment has been minimized.

Copy link

monopole Jan 16, 2019

Author Contributor

Thanks much for those links.

I've updated this comment and the overall class doc.

@monopole monopole force-pushed the monopole:restrictLoading branch from 03fbc2b to 905125d Jan 16, 2019

@monopole monopole force-pushed the monopole:restrictLoading branch from 905125d to 14af70d Jan 16, 2019


This comment has been minimized.

Copy link

commented Jan 16, 2019

new comments look good

@k8s-ci-robot k8s-ci-robot added the lgtm label Jan 16, 2019

@k8s-ci-robot k8s-ci-robot merged commit 549290c into kubernetes-sigs:master Jan 16, 2019

3 checks passed

cla/linuxfoundation monopole authorized
continuous-integration/travis-ci/pr The Travis CI build passed
tide In merge pool.

@monopole monopole deleted the monopole:restrictLoading branch Jan 22, 2019

mszostok added a commit to kyma-project/test-infra that referenced this pull request Feb 13, 2019

So awesome add-ons controller (#592)
* Provide first controller implemenation

* Finialize slack reporter implementation

* Fixing deploy resources

* Fix rbac

* Add test coverage for controller

* Change the golang builder image version

* Change the way who mock are generated

* kustomization.yaml was moved outside the /default folder, see kubernetes-sigs/kustomize#700

* Change Gopkg.lock to work with dep 0.5.x

* Add fetching commit author

* Add more info in

* Apply changes after Adam review

* Add milv ignore
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.