Enable kustomize in kubectl #70875

Merged
merged 7 commits into from Dec 19, 2018

Contributor

@Liujingfang1 Liujingfang1 commented Nov 9, 2018

What type of PR is this?
/kind feature

What this PR does / why we need it:
This PR is the implementation of KEP to enable kustomize in kubectl.

When -f <dir> is passed to a kubectl command, it will look for a kustomization.yaml file. If kustomization.yaml is found, a kustomize build will be run to get the list of expanded resources. This list of resources is then passed to kubectl commands. If there is no kustomization.yaml in the directory, kubectl will behave the same as it does currently.

To apply a kustomization directory

kubectl apply -f <dir>

To get resources of a kustomization directory applied to a cluster

kubectl get -f <dir>

To delete a kustomization directory applied to a cluster

kubectl delete -f <dir>

Special notes for your reviewer:

This PR contains 6 commits.

  • The first three of them are to vendor kustomize.
  • The 4th commit is the change in resource builder to use Kustomization when it is enabled.
  • The 5th one adds some unit tests for Builder.
  • The 6th commit is to enable kustomization in kubectl commands.

Kubectl will have kustomization enabled by default.
Other cli-runtime consumers may choose whether or not to enable kustomization via a Boolean variable.

Does this PR introduce a user-facing change?:
NONE

Enable kustomize in kubectl: kubectl will be able to recognize directories with kustomization.yaml
Contributor

@k8s-ci-robot k8s-ci-robot commented Nov 9, 2018

Hi @Liujingfang1. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Contributor Author

@Liujingfang1 Liujingfang1 commented Nov 9, 2018

Contributor Author

@Liujingfang1 Liujingfang1 commented Nov 9, 2018

/cc @monopole

@k8s-ci-robot k8s-ci-robot requested a review from monopole Nov 9, 2018
@Liujingfang1 Liujingfang1 changed the title Enable kustomize Enable kustomize in kubectl Nov 9, 2018
@@ -452,7 +457,10 @@ func ExpandPathsToFileVisitors(mapper *mapper, paths string, recursive bool, ext
if err != nil {
return err
}

if isKustomizationDir(path) {
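Review bot: the `isKustomizationDir(path)` branch changes what -f DIR does based only on what the visited path contains, and nothing in this hunk tells the caller that a build is about to run instead of plain file decoding. Please add a comment stating whether the check is meant to fire for nested directories as well as the top-level `paths` argument, and consider gating the branch behind an explicit builder option so that cli-runtime consumers reading directories from less trusted sources keep the previous behaviour.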
Contributor

@smarterclayton smarterclayton Nov 10, 2018

I don't think this is backwards compatible. Anyone using kubectl create -f DIR will see something different happen after this change lands, which means existing CLI workflows could break.

Member

@justinsb justinsb Nov 11, 2018

I just tested the behaviour. kubectl create and kubectl apply both fail with a kustomization.yaml present:

error: error validating ".../k8s.io/examples/guestbook-go/kustomization.yaml": error validating data: [apiVersion not set, kind not set]; if you choose to ignore these errors, turn validation off with --validate=false

It looks like we have a separate issue, which is that we don't validate all files before starting to apply, which is contrary to what I would have expected.

But I don't think users can be using kubectl create -f DIR or kubectl apply -f DIR today with a dir containing kustomization.yaml.

Contributor Author

@Liujingfang1 Liujingfang1 Nov 12, 2018

@smarterclayton The existing kubectl doesn't work with directories with a kustomization.yaml as @justinsb explained. With this PR, kubectl will be able to recognize a directory with a kustomization.yaml. For any directories without kustomization.yaml, there is no change in kubectl's behavior.

Contributor

@smarterclayton smarterclayton Nov 13, 2018

If someone has validate=false off, what happens? If it also fails, then my primary concern is addressed.

Contributor Author

@Liujingfang1 Liujingfang1 Nov 13, 2018

With validate=false, it fails with a similar error:

error: unable to decode "kustomization.yaml": Object 'Kind' is missing in `<truncated>`

@Liujingfang1 Liujingfang1 force-pushed the enable-kustomize branch 2 times, most recently from a401eca to b426d83 Nov 12, 2018
Contributor

@seans3 seans3 commented Nov 12, 2018

/ok-to-test

@Liujingfang1 Liujingfang1 force-pushed the enable-kustomize branch 2 times, most recently from 90bac14 to 3c4901b Nov 12, 2018
@k8s-ci-robot k8s-ci-robot removed the lgtm label Dec 17, 2018
Contributor Author

@Liujingfang1 Liujingfang1 commented Dec 17, 2018

As discussed offline, we can remove the opt out. I added a commit for that. @pwittrock PTAL

Contributor Author

@Liujingfang1 Liujingfang1 commented Dec 17, 2018

/retest

Contributor Author

@Liujingfang1 Liujingfang1 commented Dec 18, 2018

/retest

Contributor Author

@Liujingfang1 Liujingfang1 commented Dec 18, 2018

/retest

Member

@BenTheElder BenTheElder commented Dec 18, 2018

/test pull-kubernetes-godeps

@@ -463,7 +471,10 @@ func ExpandPathsToFileVisitors(mapper *mapper, paths string, recursive bool, ext
if path != paths && ignoreFile(path, extensions) {
return nil
}

if filepath.Base(path) == constants.KustomizationFileName {
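Review bot: `filepath.Base(path) == constants.KustomizationFileName` decides on the file name alone, so any file with that name under the walked tree is handed to the kustomize path regardless of its content. Check that the file actually declares a kustomization before dispatching, and add a short comment on why this test sits after the `ignoreFile(path, extensions)` filter, since a caller-supplied `extensions` list that excludes the file's extension returns nil before this line is reached and the file is skipped silently.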
Member

@pwittrock pwittrock Dec 18, 2018

This will be changed to check the GVK of the kustomization file in an immediate follow up.

fSys := fs.MakeRealFS()
f := k8sdeps.NewFactory()
var out bytes.Buffer
cmd := build.NewCmdBuild(&out, fSys, f.ResmapF, f.TransformerF)
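Review bot: `fs.MakeRealFS()` combined with `build.NewCmdBuild(&out, fSys, ...)` constructs the whole kustomize CLI build command in-process against the real filesystem, with no options visible here to narrow what the build may read or do. Prefer a library entry point that takes explicit options over building the command object, and document how the buffered `out` is consumed and what the caller sees when the build returns an error.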
Member

@pwittrock pwittrock Dec 18, 2018

In an immediate follow up this should be a library that takes options.

Member

@pwittrock pwittrock commented Dec 18, 2018

/approve

Member

@pwittrock pwittrock commented Dec 18, 2018

/lgtm

Member

@pwittrock pwittrock commented Dec 18, 2018

Follow up issues tracked here:
kubernetes/kubectl#570

Contributor

@k8s-ci-robot k8s-ci-robot commented Dec 18, 2018

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Liujingfang1, pwittrock, thockin

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Member

@pwittrock pwittrock commented Dec 18, 2018

/hold cancel

Member

@pwittrock pwittrock commented Dec 18, 2018

@soltysh removing hold. @JiangtianLi is working on a follow up.

Contributor Author

@Liujingfang1 Liujingfang1 commented Dec 19, 2018

/test pull-kubernetes-integration

Member

@pwittrock pwittrock commented Dec 19, 2018

/test

Member

@pwittrock pwittrock commented Dec 19, 2018

/test pull-kubernetes-e2e-gce

@k8s-ci-robot k8s-ci-robot merged commit be5a1fb into kubernetes:master Dec 19, 2018
19 checks passed
Member

@anguslees anguslees commented Jan 11, 2019

I'm only just learning about kustomize, but I am a bit alarmed about what I'm reading and the implications for this PR. With this PR, can I just pwn the world by putting a malicious kustomize.yaml in a popular manifest examples site somewhere?

Consider:

# kustomize.yaml - don't try this at home.
secretGenerator:
- name: allyourbase
  commands:
    # or any other malicious command
    foo: "echo backdoorkey >> $HOME/.ssh/authorized_keys"

In particular, with this PR, I think kubectl apply -f http://that/repo suddenly becomes able to modify the local machine, not just the target cluster, even with --dry-run.
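
A pre-flight check for the concern raised in the comment above, as an added example that is not part of this PR, kubectl or kustomize: it flags generator entries that would run a local command, so a directory can be reviewed before it is passed to -f. `ScanKustomization` and `sample` are hypothetical names, the input is constructed, and the scan is an indentation heuristic that looks only at the `secretGenerator` and `commands` fields shown in that comment.

```go
package main

import (
	"fmt"
	"strings"
)

// ScanKustomization returns one "line N: entry" string for each entry nested under
// `commands:` in a top-level secretGenerator. Indentation heuristic, not a YAML parse.
func ScanKustomization(content string) []string {
	var hits []string
	topKey, cmdCol := "", -1 // cmdCol: column of the open `commands:` key, -1 if none
	for i, line := range strings.Split(content, "\n") {
		key := strings.TrimSpace(line)
		if key == "" || strings.HasPrefix(key, "#") {
			continue
		}
		col := len(line) - len(strings.TrimLeft(line, " "))
		if col == 0 && !strings.HasPrefix(key, "-") { // a new top-level key starts
			topKey, cmdCol = strings.SplitN(key, ":", 2)[0], -1
		}
		if strings.HasPrefix(key, "- ") { // list item: its first key sits two columns in
			key, col = strings.TrimSpace(key[2:]), col+2
		}
		if cmdCol >= 0 && col > cmdCol { // still inside the commands: map
			hits = append(hits, fmt.Sprintf("line %d: %s", i+1, key))
			continue
		}
		cmdCol = -1
		if topKey == "secretGenerator" && strings.HasPrefix(key, "commands:") {
			cmdCol = col
		}
	}
	return hits
}

// sample is constructed input shaped like the generator in the comment above.
const sample = `secretGenerator:
- name: example
  commands:
    key: "echo constructed >> /tmp/example"
resources: [deployment.yaml]
`

func main() {
	for _, h := range ScanKustomization(sample) {
		fmt.Println("would run locally during the build:", h)
	}
}
```

Run it over each kustomization.yaml in a fetched directory and treat any hit as a reason to read the file before applying it.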

Member

@BenTheElder BenTheElder commented Jan 11, 2019

Member

@pwittrock pwittrock commented Jan 11, 2019

Discussion of changes to the UX integration were raised and are being talked through in kubernetes/kubectl#570. The outcome of those discussions will be folded into the KEP before reintegrating: kubernetes/enhancements#684

Additionally there were some security concerns raised that require changes, such as limiting process callouts: kubernetes-sigs/kustomize#683. The new capabilities added by kustomize will be reviewed from a security perspective prior to reintegration.

PR to revert: #72805
