## Description

### Is there an existing issue for this?

- [x] I have searched the existing issues
### Current Behavior

When constructing a Kustomize-based Bundle that includes patches in the root `kustomization.yaml` and sets `kustomize.dir: .` in `fleet.yaml`, Fleet erroneously reports a Kustomize security error:

```
error while running post render on files: trouble configuring builtin PatchTransformer with config: `
<patch YAML>
`: security; file 'patches/patch.yaml' is not in or below ''
```

This is despite being able to run `kustomize build .` successfully (without getting this security error) in the source code.

Moving everything to a sub-directory in the Bundle and updating `fleet.yaml` to use `kustomize.dir: ./some-directory` works as expected. So the issue has something to do with how `.` is treated when Fleet builds a Kustomize bundle.

A detailed framework for reproducing the bug is given below.
### Expected Behavior

It should be possible to construct a Fleet bundle where `fleet.yaml` contains

```yaml
kustomize:
  dir: .
```

while retaining full functionality of Kustomize.
### Steps To Reproduce

Create a Fleet bundle in a git repository containing the following files.

`./fleet.yaml`

```yaml
defaultNamespace: kube-system
kustomize:
  dir: .
```

`./kustomization.yaml`

```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - general
patches:
  - path: patches/patch.yaml
    target:
      kind: ConfigMap
      annotationSelector: "test-annotation=kustomize"
```

`./patches/patch.yaml`

```yaml
- op: add
  path: /data/dynamic-item
  value: added by patch
```

`./general/kustomization.yaml`

```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - test
```

`./general/test/kustomization.yaml`

```yaml
resources:
  - resource.yaml
```

`./general/test/resource.yaml`

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: test-cm
  annotations:
    test-annotation: kustomize
data:
  static-key: "in the original resource"
```
The behavior of this Kustomize setup should be that a single ConfigMap is generated, with two keys: `static-key` (which is in the original resource) and `dynamic-item` (which is added by the patch referenced in the root `kustomization.yaml` and selected by annotation).
Observe that building the Kustomize tree works as expected in the source code:

```
$ kustomize build .
apiVersion: v1
data:
  dynamic-item: added by patch   <-- dynamic-item was added by the patch defined in the root kustomization.yaml
  static-key: in the original resource
kind: ConfigMap
metadata:
  annotations:
    test-annotation: kustomize
  name: test-cm
```
But now try to reference this git repository in a GitRepo, and the GitRepo fails with this error:

```yaml
display:
  error: true
  message: |-
    error while running post render on files: trouble configuring builtin PatchTransformer with config: `
    path: patches/patch.yaml
    target:
      annotationSelector: test-annotation=kustomize
      kind: ConfigMap
    `: security; file 'patches/patch.yaml' is not in or below ''
  readyBundleDeployments: 0/12
  state: ErrApplied
```
Observe the `is not in or below ''` -- the `.` seems to have been removed, and so Kustomize doesn't seem to know what its root directory is, and so it's kicking back a security error because it doesn't realize that `patches/patch.yaml` is "below" the `kustomization.yaml` that sourced it.
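To make the error concrete, here is an added Go model of kustomize's root-only load restriction. It is my simplified approximation of that check, not Fleet's or kustomize's own source: with an empty root, a relative patch path cannot be "in or below" anything, so the exact message from the GitRepo status is produced, while an absolute root (as `kustomize build .` resolves to on the shell) accepts the patch and still rejects a path that escapes the root. The `/repo` and `../outside` paths are constructed sample values.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// confirmedDir stands in for the absolute root directory kustomize resolves
// before loading a kustomization (assumption: a simplified model).
type confirmedDir string

// hasPrefix reports whether d is p itself or lies somewhere below p.
func (d confirmedDir) hasPrefix(p confirmedDir) bool {
	sep := string(filepath.Separator)
	if string(p) == sep || p == d {
		return true
	}
	return strings.HasPrefix(string(d), string(p)+sep)
}

// restrictRootOnly models the root-only restriction: a file may only be
// loaded if it resolves at or below root. The message mirrors the one the
// GitRepo status reported.
func restrictRootOnly(root confirmedDir, path string) (string, error) {
	dir, file := filepath.Split(path)
	if file == "" {
		return "", fmt.Errorf("missing file name in path %s", path)
	}
	if !filepath.IsAbs(dir) {
		dir = filepath.Join(string(root), dir) // relative paths hang off root
	}
	dir = filepath.Clean(dir) // collapses any ".." before the prefix test
	if !confirmedDir(dir).hasPrefix(root) {
		return "", fmt.Errorf("security; file '%s' is not in or below '%s'", path, root)
	}
	return filepath.Join(dir, file), nil
}

func main() {
	// Empty root (what Fleet's error shows) vs an absolute root (what `kustomize build .` uses).
	for _, c := range []struct{ root, path string }{
		{"", "patches/patch.yaml"},
		{"/repo", "patches/patch.yaml"},
		{"/repo", "../outside/patch.yaml"}, // escapes the root: correctly rejected
	} {
		resolved, err := restrictRootOnly(confirmedDir(c.root), c.path)
		fmt.Printf("root=%q path=%q -> %q err=%v\n", c.root, c.path, resolved, err)
	}
}
```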
Now move everything in the repository to a subdirectory:

```
$ mkdir kustomize
$ git mv general patches kustomization.yaml kustomize
$ sed -i -e 's@dir: .@dir: ./kustomize@' fleet.yaml
$ git add fleet.yaml
$ git commit
$ git push
```

And now Fleet deploys the resources correctly, without changing a single thing about the Kustomize configuration except moving it under a subdirectory.
### Environment

- Architecture: x86_64
- Fleet Version: 0.7.0 (Rancher 2.7.5)
- Cluster:
  - Provider: RKE1
  - Kubernetes Version: 1.23.16

### Logs

No response

### Anything else?

No response