
Enable kustomize in kubectl #70875

Merged
merged 7 commits into kubernetes:master from Liujingfang1:enable-kustomize Dec 19, 2018


Liujingfang1 commented Nov 9, 2018

What type of PR is this?
/kind feature

What this PR does / why we need it:
This PR is the implementation of KEP to enable kustomize in kubectl.

When -f <dir> is passed to a kubectl command, it will look for a kustomization.yaml file. If kustomization.yaml is found, a kustomize build is run to get the list of expanded resources, and that list is then passed to the kubectl command. If there is no kustomization.yaml in the directory, kubectl behaves the same as it does today.

To apply a kustomization directory

kubectl apply -f <dir>

To get resources of a kustomization directory applied to a cluster

kubectl get -f <dir>

To delete a kustomization directory applied to a cluster

kubectl delete -f <dir>

Special notes for your reviewer:

This PR contains 6 commits.

  • The first three of them are to vendor kustomize.
  • The 4th commit is the change in the resource builder to use Kustomization when it is enabled.
  • The 5th one adds some unit tests for Builder.
  • The 6th commit is to enable kustomization in kubectl commands.

Kubectl will have kustomization enabled by default.
Other cli-runtime consumers may choose whether or not to enable kustomization by a Boolean variable.

Does this PR introduce a user-facing change?:
NONE

Enable kustomize in kubectl: kubectl will be able to recognize directories with kustomization.yaml
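Added example, in Go, of the dispatch the PR description above sketches; it is not code from the PR or from kubectl/cli-runtime. ClassifyPath decides whether one -f argument is a single file, an ordinary directory, or a directory holding a kustomization.yaml, and takes the kustomize branch only when the consumer's enable flag is set, so a consumer that passes false (or any directory without the file) gets the pre-existing behaviour. ExpandDir is that pre-existing behaviour for an ordinary directory: a non-recursive visit filtered by extension. The names ClassifyPath, ExpandDir, PathKind and the enableKustomize parameter are this example's own; running kustomize build on the returned directory is left to the caller.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"sort"
	"strings"
)

// KustomizationFileName is the file whose presence turns a directory into a
// kustomization directory for -f handling.
const KustomizationFileName = "kustomization.yaml"

// PathKind is how one -f argument will be expanded.
type PathKind int

const (
	KindFile             PathKind = iota // a single manifest file
	KindPlainDir                         // directory visited file by file (pre-PR behaviour)
	KindKustomizationDir                 // directory handed to kustomize build
)

var kindNames = [...]string{"file", "plain-dir", "kustomization-dir"}

// IsKustomizationDir reports whether dir holds a regular kustomization.yaml.
// Like the PR, this is a filename check only; it does not inspect the content.
func IsKustomizationDir(dir string) bool {
	info, err := os.Stat(filepath.Join(dir, KustomizationFileName))
	return err == nil && info.Mode().IsRegular()
}

// ClassifyPath decides how one -f argument is expanded. enableKustomize stands
// for the Boolean a cli-runtime consumer sets (hypothetical parameter name);
// kubectl would pass true. With it false, or with no kustomization.yaml
// present, the path is treated exactly as before the change.
func ClassifyPath(path string, enableKustomize bool) (PathKind, error) {
	info, err := os.Stat(path)
	if err != nil {
		return 0, err
	}
	if !info.IsDir() {
		return KindFile, nil
	}
	if enableKustomize && IsKustomizationDir(path) {
		return KindKustomizationDir, nil
	}
	return KindPlainDir, nil
}

// ExpandDir lists what a plain, non-recursive directory visit picks up:
// regular files whose extension is in extensions, sorted by name.
func ExpandDir(dir string, extensions []string) ([]string, error) {
	entries, err := os.ReadDir(dir)
	if err != nil {
		return nil, err
	}
	var out []string
	for _, e := range entries {
		if !e.Type().IsRegular() {
			continue
		}
		ext := strings.ToLower(filepath.Ext(e.Name()))
		for _, want := range extensions {
			if ext == want {
				out = append(out, filepath.Join(dir, e.Name()))
				break
			}
		}
	}
	sort.Strings(out)
	return out, nil
}

func main() {
	path := "."
	if len(os.Args) > 1 {
		path = os.Args[1]
	}
	kind, err := ClassifyPath(path, true) // kubectl-style: kustomize enabled
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	if kind == KindPlainDir {
		files, _ := ExpandDir(path, []string{".yaml", ".yml", ".json"})
		fmt.Println("visit files:", files)
		return
	}
	fmt.Println("kind:", kindNames[kind])
}
```

Run it against a directory to see which branch it would take; the point of the enable flag is that a consumer embedding cli-runtime can keep the old behaviour for every directory, not only for those without the file.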

k8s-ci-robot commented Nov 9, 2018

Hi @Liujingfang1. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.


Liujingfang1 commented Nov 9, 2018

k8s-ci-robot requested review from pwittrock, seans3 and soltysh Nov 9, 2018


Liujingfang1 commented Nov 9, 2018

/cc @monopole

k8s-ci-robot requested a review from monopole Nov 9, 2018

Liujingfang1 changed the title from "Enable kustomize" to "Enable kustomize in kubectl" Nov 9, 2018

@@ -452,7 +457,10 @@ func ExpandPathsToFileVisitors(mapper *mapper, paths string, recursive bool, ext
if err != nil {
return err
}

if isKustomizationDir(path) {
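Review bot: the isKustomizationDir(path) branch in this hunk is taken unconditionally in the visible lines, while the PR description says cli-runtime consumers opt in to kustomization through a Boolean. If that gate is checked before ExpandPathsToFileVisitors is reached, a one-line comment here saying so would answer the backwards-compatibility question directly; if it is not, the condition should read something like `if enableKustomize && isKustomizationDir(path) {` so that a consumer that has not opted in keeps the previous behaviour for every directory.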

smarterclayton Nov 10, 2018

I don't think this is backwards compatible. Anyone using kubectl create -f DIR will see something different happen after this change lands, which means existing CLI workflows could break.

justinsb Nov 11, 2018

I just tested the behaviour. kubectl create and kubectl apply both fail with a kustomization.yaml present:

error: error validating ".../k8s.io/examples/guestbook-go/kustomization.yaml": error validating data: [apiVersion not set, kind not set]; if you choose to ignore these errors, turn validation off with --validate=false

It looks like we have a separate issue, which is that we don't validate all files before starting to apply, which is contrary to what I would have expected.

But I don't think users can be using kubectl create -f DIR or kubectl apply -f DIR today with a dir containing kustomization.yaml.

Liujingfang1 Nov 12, 2018

@smarterclayton The existing kubectl doesn't work with directories with a kustomization.yaml as @justinsb explained. With this PR, kubectl will be able to recognize a directory with a kustomization.yaml. For any directories without kustomization.yaml, there is no change in kubectl's behavior.

smarterclayton Nov 13, 2018

If someone has validate=false off, what happens? If it also fails, then my primary concern is addressed.

Liujingfang1 Nov 13, 2018

With validate=false, it fails with a similar error:

error: unable to decode "kustomization.yaml": Object 'Kind' is missing in `<truncated>`

Liujingfang1 force-pushed the Liujingfang1:enable-kustomize branch 2 times, most recently from a401eca to b426d83 Nov 12, 2018


seans3 commented Nov 12, 2018

/ok-to-test

Liujingfang1 force-pushed the Liujingfang1:enable-kustomize branch 2 times, most recently from 90bac14 to 3c4901b Nov 12, 2018

k8s-ci-robot removed the lgtm label Dec 17, 2018


Liujingfang1 commented Dec 17, 2018

As discussed offline, we can remove the opt out. I added a commit for that. @pwittrock PTAL


Liujingfang1 commented Dec 17, 2018

/retest


Liujingfang1 commented Dec 18, 2018

/retest


Liujingfang1 commented Dec 18, 2018

/retest


BenTheElder commented Dec 18, 2018

/test pull-kubernetes-godeps

@@ -463,7 +471,10 @@ func ExpandPathsToFileVisitors(mapper *mapper, paths string, recursive bool, ext
if path != paths && ignoreFile(path, extensions) {
return nil
}

if filepath.Base(path) == constants.KustomizationFileName {
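Review bot: matching on filepath.Base(path) == constants.KustomizationFileName means any file with that name that survives the ignoreFile(path, extensions) filter above switches the builder into kustomize mode, regardless of what the file contains. If the intent is to later identify the file by its kind rather than its name, a TODO on this line pointing at that follow-up, plus a unit test for a file named kustomization.yaml that is not a Kustomization, would keep the name-only match from becoming permanent.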

pwittrock Dec 18, 2018

This will be changed to check the GVK of the kustomization file in an immediate follow up.

fSys := fs.MakeRealFS()
f := k8sdeps.NewFactory()
var out bytes.Buffer
cmd := build.NewCmdBuild(&out, fSys, f.ResmapF, f.TransformerF)
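Review bot: these lines construct the kustomize CLI command (build.NewCmdBuild) over a real filesystem (fs.MakeRealFS()) with only stdout captured in the bytes.Buffer; nothing in the visible lines captures an error or stderr from the build, so a failed build inside a kubectl command may surface only as an empty resource list. Calling the build as a library function that takes options and returns an error, rather than driving a cobra command, would make failures explicit and would also give one place to control what a kustomization is allowed to touch on the local filesystem.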

pwittrock Dec 18, 2018

In an immediate follow up this should be a library that takes options.


pwittrock commented Dec 18, 2018

/approve


pwittrock commented Dec 18, 2018

/lgtm


pwittrock commented Dec 18, 2018

Follow up issues tracked here:
kubernetes/kubectl#570


k8s-ci-robot commented Dec 18, 2018

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Liujingfang1, pwittrock, thockin

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment


pwittrock commented Dec 18, 2018

/hold cancel


pwittrock commented Dec 18, 2018

@soltysh removing hold. @JiangtianLi is working on a follow up.


Liujingfang1 commented Dec 19, 2018

/test pull-kubernetes-integration


pwittrock commented Dec 19, 2018

/test


pwittrock commented Dec 19, 2018

/test pull-kubernetes-e2e-gce

k8s-ci-robot merged commit be5a1fb into kubernetes:master Dec 19, 2018

19 checks passed

cla/linuxfoundation: Liujingfang1 authorized
pull-kubernetes-bazel-build: Job succeeded.
pull-kubernetes-bazel-test: Job succeeded.
pull-kubernetes-cross: Skipped
pull-kubernetes-e2e-gce: Job succeeded.
pull-kubernetes-e2e-gce-100-performance: Job succeeded.
pull-kubernetes-e2e-gce-device-plugin-gpu: Job succeeded.
pull-kubernetes-e2e-gke: Skipped
pull-kubernetes-e2e-kops-aws: Job succeeded.
pull-kubernetes-e2e-kubeadm-gce: Skipped
pull-kubernetes-godeps: Job succeeded.
pull-kubernetes-integration: Job succeeded.
pull-kubernetes-kubemark-e2e-gce-big: Job succeeded.
pull-kubernetes-local-e2e: Skipped
pull-kubernetes-local-e2e-containerized: Skipped
pull-kubernetes-node-e2e: Job succeeded.
pull-kubernetes-typecheck: Job succeeded.
pull-kubernetes-verify: Job succeeded.
tide: In merge pool.

anguslees commented Jan 11, 2019

I'm only just learning about kustomize, but I am a bit alarmed about what I'm reading and the implications for this PR. With this PR, can I just pwn the world by putting a malicious kustomize.yaml in a popular manifest examples site somewhere?

Consider:

# kustomize.yaml - don't try this at home.
secretGenerator:
- name: allyourbase
  commands:
    # or any other malicious command
    foo: "echo backdoorkey >> $HOME/.ssh/authorized_keys"

In particular, with this PR, I think kubectl apply -f "http://that/repo" suddenly becomes able to modify the local machine, not just the target cluster, even with --dry-run.
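Added example, not from the PR or from kustomize, of a pre-build gate in Go for the concern raised in the comment above. FindCommandGenerators scans the text of a kustomization.yaml for secretGenerator or configMapGenerator entries that declare a commands block (the shape shown in the comment), and CheckKustomization refuses to run kustomize build on such a directory. Because the decision is taken from the file's text before kustomize is invoked, a dry-run sees the same refusal as a real apply. The scanner is a deliberately small indentation-based walker written for this two-space layout, not a YAML parser; the function names and the sample document are this example's own constructs.

```go
package main

import (
	"fmt"
	"strings"
)

// generatorKeys are the top-level kustomization keys whose entries could, in
// the kustomize of this PR's era, carry a "commands" map that is executed on
// the machine running kubectl (the shape shown in the comment above).
var generatorKeys = map[string]bool{"secretGenerator": true, "configMapGenerator": true}

// splitKV splits "key: value" and strips quotes around the value.
func splitKV(s string) (string, string) {
	i := strings.Index(s, ":")
	if i < 0 {
		return strings.TrimSpace(s), ""
	}
	return strings.TrimSpace(s[:i]), strings.Trim(strings.TrimSpace(s[i+1:]), `"'`)
}

// FindCommandGenerators returns "<key>/<name>" for every generator entry that
// declares a commands block. It is a small indentation-based scanner written
// for the two-space kustomization layout above, not a general YAML parser;
// lists nested inside an entry (files, literals) are skipped, not re-entered.
func FindCommandGenerators(doc string) []string {
	var found []string
	top, name := "", ""
	itemIndent, bodyIndent := -1, -1 // indent of the entry's "- " and of its keys
	hasCmd := false
	flush := func() {
		if hasCmd {
			if name == "" {
				name = "(unnamed)"
			}
			found = append(found, top+"/"+name)
		}
		name, itemIndent, bodyIndent, hasCmd = "", -1, -1, false
	}
	for _, raw := range strings.Split(doc, "\n") {
		line := strings.TrimRight(raw, " \t\r")
		trim := strings.TrimLeft(line, " ")
		if trim == "" || strings.HasPrefix(trim, "#") {
			continue
		}
		indent := len(line) - len(trim)
		switch {
		case indent == 0 && !strings.HasPrefix(trim, "- "):
			flush() // a new top-level key ends the current entry
			top, _ = splitKV(trim)
			continue
		case strings.HasPrefix(trim, "- "):
			if bodyIndent >= 0 && indent > itemIndent {
				continue // a list nested inside the current entry
			}
			flush() // a new entry; its keys start right after the dash
			rest := strings.TrimLeft(trim[2:], " ")
			itemIndent, bodyIndent = indent, indent+len(trim)-len(rest)
			indent, trim = bodyIndent, rest
		}
		if !generatorKeys[top] || indent != bodyIndent {
			continue // not a direct key of a generator entry
		}
		switch key, val := splitKV(trim); key {
		case "name":
			name = val
		case "commands":
			hasCmd = true
		}
	}
	flush()
	return found
}

// CheckKustomization is the gate a builder would run before kustomize build,
// with or without --dry-run: it refuses any kustomization that could run
// local commands, so the decision is made before anything executes.
func CheckKustomization(doc string) error {
	if bad := FindCommandGenerators(doc); len(bad) > 0 {
		return fmt.Errorf("kustomization declares command-backed generators (%s); refusing to build it", strings.Join(bad, ", "))
	}
	return nil
}

// sampleKustomization is constructed for this example: one literal-backed
// config map, one file-backed secret, and one command-backed secret.
const sampleKustomization = `resources:
- deployment.yaml
configMapGenerator:
- name: app-config
  literals:
  - LOG_LEVEL=info
secretGenerator:
- name: tls-files
  files:
  - tls.crt
- name: db-creds
  commands:
    # constructed: whatever is here would run on the kubectl host
    password: "echo placeholder"
`

func main() {
	if err := CheckKustomization(sampleKustomization); err != nil {
		fmt.Println("rejected:", err)
		return
	}
	fmt.Println("accepted")
}
```

The scanner only flags keys that sit directly under a generator entry, so a top-level key named commands, or a literal value that happens to contain the word, is not reported; the trade-off of a text-level check is that it must run on the file the builder is about to hand to kustomize, not on a copy fetched separately.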


BenTheElder commented Jan 11, 2019


pwittrock commented Jan 11, 2019

Discussion of changes to the UX integration was raised and is being talked through in kubernetes/kubectl#570. The outcome of those discussions will be folded into the KEP before reintegrating: kubernetes/enhancements#684

Additionally there were some security concerns raised that require changes, such as limiting process callouts: kubernetes-sigs/kustomize#683. The new capabilities added by kustomize will be reviewed from a security perspective prior to reintegration.

PR to revert: #72805
