pulumi · lblackstone · May 24, 2023 · May 23, 2023 · May 23, 2023 · May 23, 2023
diff --git a/provider/cmd/pulumi-resource-kubernetes/schema.json b/provider/cmd/pulumi-resource-kubernetes/schema.json
@@ -499,6 +499,10 @@
                 "type": "string",
                 "description": "BETA FEATURE - If present, render resource manifests to this directory. In this mode, resources will not\nbe created on a Kubernetes cluster, but the rendered manifests will be kept in sync with changes\nto the Pulumi program. This feature is in developer preview, and is disabled by default.\n\nNote that some computed Outputs such as status fields will not be populated\nsince the resources are not created on a Kubernetes cluster. These Output values will remain undefined,\nand may result in an error if they are referenced by other resources. Also note that any secret values\nused in these resources will be rendered in plaintext to the resulting YAML."
             },
+            "strictMode": {
+                "type": "boolean",
+                "description": "If present and set to true, the provider will use strict configuration mode. Recommended for production stacks. In this mode, the default Kubernetes provider is disabled, and the `kubeconfig` and `context` settings are required for Provider configuration. These settings unambiguously ensure that every Kubernetes resource is associated with a particular cluster."
+            },
             "suppressDeprecationWarnings": {
                 "type": "boolean",
                 "description": "If present and set to true, suppress apiVersion deprecation warnings from the CLI.\n\nThis config can be specified in the following ways, using this precedence:\n1. This `suppressDeprecationWarnings` parameter.\n2. The `PULUMI_K8S_SUPPRESS_DEPRECATION_WARNINGS` environment variable."

diff --git a/provider/pkg/gen/schema.go b/provider/pkg/gen/schema.go
@@ -102,6 +102,10 @@ func PulumiSchema(swagger map[string]interface{}) pschema.PackageSpec {
 					Description: "If present and set to true, suppress unsupported Helm hook warnings from the CLI.\n\nThis config can be specified in the following ways, using this precedence:\n1. This `suppressHelmHookWarnings` parameter.\n2. The `PULUMI_K8S_SUPPRESS_HELM_HOOK_WARNINGS` environment variable.",
 					TypeSpec:    pschema.TypeSpec{Type: "boolean"},
 				},
+				"strictMode": {
+					Description: "If present and set to true, the provider will use strict configuration mode. Recommended for production stacks. In this mode, the default Kubernetes provider is disabled, and the `kubeconfig` and `context` settings are required for Provider configuration. These settings unambiguously ensure that every Kubernetes resource is associated with a particular cluster.",
+					TypeSpec:    pschema.TypeSpec{Type: "boolean"},
+				},
 			},
 		},
 

diff --git a/provider/pkg/provider/provider.go b/provider/pkg/provider/provider.go
@@ -48,6 +48,7 @@ import (
 	"github.com/pulumi/pulumi-kubernetes/provider/v3/pkg/openapi"
 	"github.com/pulumi/pulumi-kubernetes/provider/v3/pkg/ssa"
 	pulumischema "github.com/pulumi/pulumi/pkg/v3/codegen/schema"
+	"github.com/pulumi/pulumi/pkg/v3/resource/deploy/providers"
 	"github.com/pulumi/pulumi/pkg/v3/resource/provider"
 	"github.com/pulumi/pulumi/sdk/v3/go/common/diag"
 	"github.com/pulumi/pulumi/sdk/v3/go/common/resource"
@@ -256,6 +257,44 @@ func (k *kubeProvider) CheckConfig(ctx context.Context, req *pulumirpc.CheckRequ
 		return false
 	}
 
+	strictMode := false
+	if pConfig, ok := k.loadPulumiConfig(); ok {
+		if v, ok := pConfig["strictMode"]; ok {
+			if v, ok := v.(string); ok {
+				strictMode = v == "true"
+			}
+		}
+	}
+	if v := news["strictMode"]; v.HasValue() && v.IsString() {
+		strictMode = v.StringValue() == "true"
+	}
+
+	if strictMode && providers.IsProviderType(urn.Type()) {
+		var failures []*pulumirpc.CheckFailure
+
+		if providers.IsDefaultProvider(urn) {
+			failures = append(failures, &pulumirpc.CheckFailure{
+				Reason: fmt.Sprintf("strict mode prohibits default provider"),
+			})
+		}
+		if v := news["kubeconfig"]; !v.HasValue() || v.StringValue() == "" {
+			failures = append(failures, &pulumirpc.CheckFailure{
+				Property: "kubeconfig",
+				Reason:   fmt.Sprintf(`strict mode requires Provider "kubeconfig" argument`),
+			})
+		}
+		if v := news["context"]; !v.HasValue() || v.StringValue() == "" {
+			failures = append(failures, &pulumirpc.CheckFailure{
+				Property: "context",
+				Reason:   fmt.Sprintf(`strict mode requires Provider "context" argument`),
+			})
+		}
+
+		if len(failures) > 0 {
+			return &pulumirpc.CheckResponse{Inputs: req.GetNews(), Failures: failures}, nil
+		}
+	}
+
 	renderYamlEnabled := truthyValue("renderYamlToDirectory", news)
 
 	errTemplate := `%q arg is not compatible with "renderYamlToDirectory" arg`
@@ -2867,6 +2906,28 @@ func (k *kubeProvider) gvkExists(obj *unstructured.Unstructured) bool {
 	return true
 }
 
+// loadPulumiConfig loads the PULUMI_CONFIG environment variable set by the engine, unmarshals the JSON string into
+// a map, and returns the map and a bool indicating if the operation succeeded.
+func (k *kubeProvider) loadPulumiConfig() (map[string]interface{}, bool) {
+	configStr, ok := os.LookupEnv("PULUMI_CONFIG")
+	// PULUMI_CONFIG is not set on older versions of the engine, so check if the lookup succeeds.
+	if !ok || configStr == "" {
+		return nil, false
+	}
+
+	// PULUMI_CONFIG should be a JSON string that looks something like this:
+	// {"enableServerSideApply":"true","kubeClientSettings":"{\"burst\":120,\"qps\":50}","strictMode":"true"}
+	// The keys correspond to any project/stack config with a "kubernetes" prefix.
+	var pConfig map[string]interface{}
+	err := json.Unmarshal([]byte(configStr), &pConfig)
+	if err != nil {
+		logger.V(3).Infof("failed to load provider config from PULUMI_CONFIG")
+		return nil, false
+	}
+
+	return pConfig, true
+}
+
 func mapReplStripSecrets(v resource.PropertyValue) (interface{}, bool) {
 	if v.IsSecret() {
 		return v.SecretValue().Element.MapRepl(nil, mapReplStripSecrets), true

diff --git a/sdk/dotnet/Config/Config.cs b/sdk/dotnet/Config/Config.cs
@@ -151,6 +151,16 @@ public void Set(T value)
             set => _renderYamlToDirectory.Set(value);
         }
 
+        private static readonly __Value<bool?> _strictMode = new __Value<bool?>(() => __config.GetBoolean("strictMode"));
+        /// <summary>
+        /// If present and set to true, the provider will use strict configuration mode. Recommended for production stacks. In this mode, the default Kubernetes provider is disabled, and the `kubeconfig` and `context` settings are required for Provider configuration. These settings unambiguously ensure that every Kubernetes resource is associated with a particular cluster.
+        /// </summary>
+        public static bool? StrictMode
+        {
+            get => _strictMode.Get();
+            set => _strictMode.Set(value);
+        }
+
         private static readonly __Value<bool?> _suppressDeprecationWarnings = new __Value<bool?>(() => __config.GetBoolean("suppressDeprecationWarnings"));
         /// <summary>
         /// If present and set to true, suppress apiVersion deprecation warnings from the CLI.

diff --git a/sdk/go/kubernetes/config/config.go b/sdk/go/kubernetes/config/config.go
diff --git a/sdk/java/src/main/java/com/pulumi/kubernetes/Config.java b/sdk/java/src/main/java/com/pulumi/kubernetes/Config.java
@@ -100,6 +100,13 @@ public Optional<String> namespace() {
     public Optional<String> renderYamlToDirectory() {
         return Codegen.stringProp("renderYamlToDirectory").config(config).get();
     }
+/**
+ * If present and set to true, the provider will use strict configuration mode. Recommended for production stacks. In this mode, the default Kubernetes provider is disabled, and the `kubeconfig` and `context` settings are required for Provider configuration. These settings unambiguously ensure that every Kubernetes resource is associated with a particular cluster.
+ * 
+ */
+    public Optional<Boolean> strictMode() {
+        return Codegen.booleanProp("strictMode").config(config).get();
+    }
 /**
  * If present and set to true, suppress apiVersion deprecation warnings from the CLI.
  * 

diff --git a/tests/sdk/nodejs/nodejs_test.go b/tests/sdk/nodejs/nodejs_test.go
@@ -1338,3 +1338,67 @@ func TestServiceAccountTokenSecret(t *testing.T) {
 	})
 	integration.ProgramTest(t, &test)
 }
+
+func TestStrictMode(t *testing.T) {
+	test := baseOptions.With(integration.ProgramTestOptions{
+		Dir:           filepath.Join("strict-mode", "step1"),
+		Quick:         true,
+		ExpectFailure: true,
+		SkipRefresh:   true,
+		OrderedConfig: []integration.ConfigValue{
+			{
+				Key:   "kubernetes:strictMode",
+				Value: "true",
+			},
+		},
+		ExtraRuntimeValidation: func(t *testing.T, stackInfo integration.RuntimeValidationStackInfo) {
+			// Check the event stream for a diagnostic event showing that a default provider is prohibited.
+			foundMessage := false
+			msg := "strict mode prohibits default provider"
+			for _, e := range stackInfo.Events {
+				if e.DiagnosticEvent != nil && strings.Contains(e.DiagnosticEvent.Message, msg) {
+					foundMessage = true
+					break
+				}
+			}
+			assert.Truef(t, foundMessage, "did not find expected failure message: %q", msg)
+		},
+		EditDirs: []integration.EditDir{
+			{
+				Dir:           filepath.Join("strict-mode", "step2"),
+				Additive:      true,
+				ExpectFailure: true,
+				ExtraRuntimeValidation: func(t *testing.T, stackInfo integration.RuntimeValidationStackInfo) {
+					// Check the event stream for a diagnostic event showing that a Provider requires a "context".
+					foundMessage := false
+					msg := `strict mode requires Provider "context" argument`
+					for _, e := range stackInfo.Events {
+						if e.DiagnosticEvent != nil && strings.Contains(e.DiagnosticEvent.Message, msg) {
+							foundMessage = true
+							break
+						}
+					}
+					assert.Truef(t, foundMessage, "did not find expected failure message: %q", msg)
+				},
+			},
+			{
+				Dir:           filepath.Join("strict-mode", "step3"),
+				Additive:      true,
+				ExpectFailure: true,
+				ExtraRuntimeValidation: func(t *testing.T, stackInfo integration.RuntimeValidationStackInfo) {
+					// Check the event stream for a diagnostic event showing that a Provider requires a "kubeconfig".
+					foundMessage := false
+					msg := `strict mode requires Provider "kubeconfig" argument`
+					for _, e := range stackInfo.Events {
+						if e.DiagnosticEvent != nil && strings.Contains(e.DiagnosticEvent.Message, msg) {
+							foundMessage = true
+							break
+						}
+					}
+					assert.Truef(t, foundMessage, "did not find expected failure message: %q", msg)
+				},
+			},
+		},
+	})
+	integration.ProgramTest(t, &test)
+}
diff --git a/tests/sdk/nodejs/strict-mode/step1/Pulumi.yaml b/tests/sdk/nodejs/strict-mode/step1/Pulumi.yaml
@@ -0,0 +1,3 @@
+name: strict-mode
+description: Tests strict mode provider configuration.
+runtime: nodejs
diff --git a/tests/sdk/nodejs/strict-mode/step1/index.ts b/tests/sdk/nodejs/strict-mode/step1/index.ts
@@ -0,0 +1,25 @@
+// Copyright 2016-2023, Pulumi Corporation.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import * as k8s from "@pulumi/kubernetes";
+
+// This test validates the following restrictions enforced by "strict mode":
+// 1. Default providers are not allowed.
+// 2. Each Provider requires a "kubeconfig" argument.
+// 3. Each Provider requires a "context" argument.
+
+// Create a ConfigMap using the default provider.
+new k8s.core.v1.ConfigMap("default", {
+    data: {foo: "bar"},
+});
diff --git a/tests/sdk/nodejs/strict-mode/step1/package.json b/tests/sdk/nodejs/strict-mode/step1/package.json
@@ -0,0 +1,12 @@
+{
+  "name": "strict-mode",
+  "version": "0.1.0",
+  "dependencies": {
+    "@pulumi/pulumi": "latest"
+  },
+  "devDependencies": {
+  },
+  "peerDependencies": {
+    "@pulumi/kubernetes": "latest"
+  }
+}
diff --git a/tests/sdk/nodejs/strict-mode/step1/tsconfig.json b/tests/sdk/nodejs/strict-mode/step1/tsconfig.json
@@ -0,0 +1,22 @@
+{
+    "compilerOptions": {
+        "outDir": "bin",
+        "target": "es6",
+        "module": "commonjs",
+        "moduleResolution": "node",
+        "declaration": true,
+        "sourceMap": true,
+        "stripInternal": true,
+        "experimentalDecorators": true,
+        "pretty": true,
+        "noFallthroughCasesInSwitch": true,
+        "noImplicitAny": true,
+        "noImplicitReturns": true,
+        "forceConsistentCasingInFileNames": true,
+        "strictNullChecks": true
+    },
+    "files": [
+        "index.ts"
+    ]
+}
+
diff --git a/tests/sdk/nodejs/strict-mode/step2/index.ts b/tests/sdk/nodejs/strict-mode/step2/index.ts
@@ -0,0 +1,25 @@
+// Copyright 2016-2023, Pulumi Corporation.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import * as k8s from "@pulumi/kubernetes";
+
+// This test validates the following restrictions enforced by "strict mode":
+// 1. Default providers are not allowed.
+// 2. Each Provider requires a "context" argument.
+// 3. Each Provider requires a "kubeconfig" argument.
+
+// Create a new provider with no context specified.
+new k8s.Provider("missingContext", {
+    kubeconfig: "~/.kube/config",
+});
diff --git a/tests/sdk/nodejs/strict-mode/step3/index.ts b/tests/sdk/nodejs/strict-mode/step3/index.ts
@@ -0,0 +1,25 @@
+// Copyright 2016-2023, Pulumi Corporation.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import * as k8s from "@pulumi/kubernetes";
+
+// This test validates the following restrictions enforced by "strict mode":
+// 1. Default providers are not allowed.
+// 2. Each Provider requires a "context" argument.
+// 3. Each Provider requires a "kubeconfig" argument.
+
+// Create a new provider with no kubeconfig specified.
+new k8s.Provider("missingKubeconfig", {
+    context: "test",
+});