Skip to content

fix fnplugin storagemounts validation #5942

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Sep 29, 2025
Merged

fix fnplugin storagemounts validation #5942

merged 2 commits into from
Sep 29, 2025
+41 −1

Conversation

@totegamma
Copy link
Contributor

@totegamma totegamma commented Jul 10, 2025
edited
Loading

What type of PR is this?

/kind bug

What this PR does / why we need it:

This PR fixes the path-scope validation for bind mounts.

The current implementation validates that mount paths are under the current kustomization directory with strings.HasPrefix(filepath.Clean(mount.Src), "../") but filepath.Clean("../") returns ".." so the check doesn’t work when mounts.src is exactly "../"

like

apiVersion: com.example.kustomize/v1
kind: Test
metadata:
  name: test-transformer
  annotations:
    config.kubernetes.io/function: |
      container:
        image: test
        mounts:
          - type: bind
            src: ../
            dst: /mount

https://go.dev/play/p/7YfrHGwOKnf

Other considerations

The current implementation lets '../' pass, so running kustomize build subdir instead of kustomize build . can read files in the current working directory—that is, the parent of the kustomization file—yet even this unintended reach justifies a fix.

@k8s-ci-robot k8s-ci-robot added the kind/bug Categorizes issue or PR as related to a bug. label Jul 10, 2025
@k8s-ci-robot k8s-ci-robot requested review from koba1t and ncapps July 10, 2025 13:28
@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Jul 10, 2025
@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Jul 10, 2025

Welcome @totegamma!

It looks like this is your first PR to kubernetes-sigs/kustomize 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/kustomize has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Jul 10, 2025
@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Jul 10, 2025

Hi @totegamma. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Jul 10, 2025
@koba1t
Copy link
Member

koba1t commented Aug 17, 2025

Hi @totegamma

Thanks for open PR.
Please add tests that reproduce the issue this PR fixes, following the guide below.

https://github.com/kubernetes-sigs/kustomize/blob/master/CONTRIBUTING.md#reviewer-guide

@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Sep 11, 2025

This PR has multiple commits, and the default merge method is: merge.
You can request commits to be squashed using the label: tide/merge-method-squash

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Sep 11, 2025
@koba1t
Copy link
Member

koba1t commented Sep 29, 2025

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Sep 29, 2025
@koba1t
Copy link
Member

koba1t commented Sep 29, 2025

Hi @totegamma
Thanks for your help!
I think this change is valuable and almost looks good for me.

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 29, 2025
@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Sep 29, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: koba1t, totegamma

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 29, 2025
@k8s-ci-robot k8s-ci-robot merged commit b62d746 into kubernetes-sigs:master Sep 29, 2025
11 checks passed
tmeijn pushed a commit to tmeijn/dotfiles that referenced this pull request Nov 14, 2025
@tmeijn
build(deps): update kubernetes-sigs/kustomize to v5.8.0
4d236f1 
This MR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [kubernetes-sigs/kustomize](https://github.com/kubernetes-sigs/kustomize) | minor | `v5.7.1` -> `v5.8.0` |

MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot).

**Proposed changes to behavior should be submitted there as MRs.**

---

### Release Notes

<details>
<summary>kubernetes-sigs/kustomize (kubernetes-sigs/kustomize)</summary>

### [`v5.8.0`](https://github.com/kubernetes-sigs/kustomize/releases/tag/kustomize/v5.8.0)

[Compare Source](kubernetes-sigs/kustomize@kustomize/v5.7.1...kustomize/v5.8.0)

### Highlights

##### implements to replacements value in the structured data

Now, We can edit yaml/json in yaml manifests with replacements transformer.
See [#&#8203;5679](kubernetes-sigs/kustomize#5679)

##### For example

```yaml

## source
apiVersion: v1
kind: ConfigMap
metadata:
  name: source-configmap
data:
  HOSTNAME: www.example.com
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: target-configmap
data:
  config.json: |-
    {"config": {
      "id": "42",
      "hostname": "REPLACE_TARGET_HOSTNAME"
    }}
```

```yaml

## replacement
replacements:
- source:
    kind: ConfigMap
    name: source-configmap
    fieldPath: data.HOSTNAME
  targets:
  - select:
      kind: ConfigMap
      name: target-configmap
    fieldPaths:
    - data.config\.json.config.hostname
```

##### fix: Propagate Namespace correctly to Helm

The long-standing bug where kustomize's namespace transformer did not pass namespaces to helmCharts has been fixed.
See [#&#8203;5940](kubernetes-sigs/kustomize#5940)

##### For example

```yaml

## define namespace
namespace: any-namespace

helmCharts:
- name: minecraft
  repo: https://kubernetes-charts.storage.googleapis.com
  version: v1.2.0
  # namespace: any-namespace   ## propagates without additional namespace specific
  valuesFile: values.yaml
```

#### Feature

[#&#8203;5679](kubernetes-sigs/kustomize#5679): implements to replacements value in the structured data
[#&#8203;5863](kubernetes-sigs/kustomize#5863): Add regex support for Replacement selectors
[#&#8203;5930](kubernetes-sigs/kustomize#5930): feat: add PatchArgs API type to populate patch options

#### fix

[#&#8203;5940](kubernetes-sigs/kustomize#5940): fix: Propagate Namespace correctly to Helm
[#&#8203;5971](kubernetes-sigs/kustomize#5971): fix: performance recession when propagating namespace to helm
[#&#8203;5942](kubernetes-sigs/kustomize#5942): fix fnplugin storagemounts validation
[#&#8203;5958](kubernetes-sigs/kustomize#5958): fix: make AbsorbAll conflict error more verbose
[#&#8203;5961](kubernetes-sigs/kustomize#5961): refactor: nested format string
[#&#8203;5967](kubernetes-sigs/kustomize#5967): Fix infinite loop in HTTP client by validating URLs before requests
[#&#8203;5985](kubernetes-sigs/kustomize#5985): fix(kyaml/yaml): minor nil safety fix for RNode.Content etc
[#&#8203;5991](kubernetes-sigs/kustomize#5991): Fix duplicate key error when adding multiple labels with --without-selector

#### Dependencies

[#&#8203;5962](kubernetes-sigs/kustomize#5962): chore: update dependencies from security alert
[#&#8203;5959](kubernetes-sigs/kustomize#5959): update go 1.24.6

#### chore

[#&#8203;6007](kubernetes-sigs/kustomize#6007): Update kyaml to v0.21.0
[#&#8203;6008](kubernetes-sigs/kustomize#6008): Update cmd/config to v0.21.0
[#&#8203;6009](kubernetes-sigs/kustomize#6009): Update api to v0.21.0

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this MR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this MR, check this box

---

This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS4xNzMuMSIsInVwZGF0ZWRJblZlciI6IjQxLjE3My4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJSZW5vdmF0ZSBCb3QiXX0=-->
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@koba1t koba1t Awaiting requested review from koba1t

@ncapps ncapps Awaiting requested review from ncapps

Assignees

@koba1t koba1t

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@totegamma @k8s-ci-robot @koba1t