kustomize: LoadRestrictionsNone does not disable restrictions on remote bases
When using LoadRestrictionsNone I expect kustomize to be able to refer to kustomizations in git repositories that reference a configuration that is outside of the directory where the kustomization is. If I do a git clone of a repo, the LoadRestrictionsNone flag correctly works. When the same git repo is referenced via a git resource, it does not work.
kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- https://github.com/814HiManny/kustomize/examples/transformerconfigs/images-config-outside/
Expected output
A valid yaml output
Actual output
$> kustomize build --load-restrictor LoadRestrictionsNone ktest-outside/
Error: accumulating resources: accumulation err='accumulating resources from 'https://github.com/814HiManny/kustomize/examples/transformerconfigs/images-config-outside/': yaml: line 175: mapping values are not allowed in this context': recursed accumulation of path '/private/var/folders/rh/5hvkwnmd4g3fb5dl6w0nb2vw0000gn/T/kustomize-843568672/examples/transformerconfigs/images-config-outside': security; file '/private/var/folders/rh/5hvkwnmd4g3fb5dl6w0nb2vw0000gn/T/kustomize-843568672/examples/transformerconfigs/kustomizeconfig/mykind.yaml' is not in or below '/private/var/folders/rh/5hvkwnmd4g3fb5dl6w0nb2vw0000gn/T/kustomize-843568672/examples/transformerconfigs/images-config-outside'
Kustomize version
{Version:kustomize/v4.2.0 GitCommit:d53a2ad45d04b0264bcee9e19879437d851cb778 BuildDate:2021-06-30T22:49:26Z GoOs:darwin GoArch:amd64}
Platform
macOS
About this issue
- Original URL
- State: closed
- Created 3 years ago
- Reactions: 1
- Comments: 18 (6 by maintainers)
Commits related to this issue
- Copy env file to kube base until there is support for removing load restrictions in remote directories see: https://github.com/kubernetes-sigs/kustomize/issues/4052 — committed to faros-ai/faros-community-edition by thomas-gerber 2 years ago
- Replace symlink with an actual copy of the env file in the kube base (#194) * Copy env file to kube base until there is support for removing load restrictions in remote directories see: https://g... — committed to faros-ai/faros-community-edition by thomas-gerber 2 years ago
I apologize for causing confusion, but I should not have accepted this issue. The fact that the load restrictor cannot be bypassed, even with the flag, for remote bases is an intentional security feature.
https://github.com/kubernetes-sigs/kustomize/blob/master/api/loader/fileloader.go#L210-L211
In general, we recommend localizing remote bases for production use and subjecting them to review. This is even more critical, to the point that we require it, when the remote base requires arbitrary filesystem access. We are working on
kustomize localizefeature to help with workflows like this: https://github.com/kubernetes-sigs/kustomize/blob/master/proposals/22-04-localize-command.md.We would accept documentation or warning message improvements to alleviate the confusion around this, but we will not be changing the behaviour.
/retitle LoadRestrictionsNone does not disable restrictions on remote bases
/triage unresolved /kind documentation /close