After security review, a field used in secret generation (see below) was removed from the definition of a kustomization file with no mechanism to convert it to a new form. Also, the set of files accessible from a kustomization file has been further constrained.
Per the versioning policy, backward incompatible changes trigger an increment of the major version number, hence we go from 1.0.11 to 2.0.0. We’re taking this major version increment opportunity to remove some already deprecated fields, and the code paths associated with them.
Backward Incompatible Changes
Kustomization Path Constraints
A kustomization file can specify paths to other files, including resources, patches, configmap generation data, secret generation data and bases. In the case of a base, the path can be a git URL instead.
In 1.x, these paths had to be relative to the
current kustomization directory (the location of
the kustomization file used in the
In 2.0, bases can continue to specify, via relative paths, kustomizations outside the current kustomization directory. But non-base paths are constrained to terminate in or below the current kustomization directory. Further, bases specified via a git URL may not reference files outside of the directory used to clone the repository.
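The 2.0 rule for non-base paths can be sketched as a lexical containment check. This is an added example, not kustomize's own loader code; the helper names `checkLocalPath` and `violations`, the field labels and the sample paths are assumptions made for illustration, and symlinks are not resolved.

```go
package main

import (
	"fmt"
	"path/filepath"
	"sort"
	"strings"
)

// checkLocalPath (hypothetical helper, not kustomize's loader) resolves p lexically
// against root, without following symlinks, and rejects results outside root.
func checkLocalPath(root, p string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	full := filepath.Clean(p)
	if !filepath.IsAbs(p) {
		full = filepath.Join(absRoot, p) // Join cleans "a/../.." sequences
	}
	rel, err := filepath.Rel(absRoot, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%q resolves outside %s", p, absRoot)
	}
	return full, nil
}

// violations checks every non-base field; in 2.0 only bases may point outside.
func violations(root string, fields map[string][]string) []string {
	var out []string
	for field, paths := range fields {
		for _, p := range paths {
			if _, err := checkLocalPath(root, p); err != nil && field != "bases" {
				out = append(out, field+": "+err.Error())
			}
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed sample paths, as they might appear in a kustomization file.
	fmt.Println(strings.Join(violations("overlays/prod", map[string][]string{
		"bases":                 {"../../base"},
		"resources":             {"deployment.yaml", "../staging/service.yaml"},
		"secretGenerator.files": {"secret/tls.key", "secret/../../../tls.key"},
	}), "\n"))
}
```

A directory name that merely begins with two dots (for example `..data/x`) is accepted, because the check compares whole path components rather than string prefixes.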
Kustomization Field Removals
patches was deprecated and replaced by
introduced. In Kustomize 2.0.0,
removed. Please use
imageTags is replaced by
can provide more features to change image names,
registries, tags and digests.
commands is removed from SecretGenerator due to a security concern. One can use literals, similar to ConfigMapGenerator, to generate a secret.
secretGenerator:
- name: app-tls
  files:
  - secret/tls.cert
  - secret/tls.key
  type: "kubernetes.io/tls"
Compatible Changes (New Features)
As this release is triggered by a security change, there are no major new features to announce. A few things that are worth mentioning in this release are:
More than 40 issues closed since the 1.0.11 release (including many extensions to transformation rules).
Users can run kustomize edit fix to migrate a kustomization file working with previous versions to one working with 2.0.0. For example, a kustomization.yaml with the following content
patches:
- deployment-patch.yaml
imageTags:
- name: postgres
  newTag: v1
will be converted to
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
patchesStrategicMerge:
- deployment-patch.yaml
images:
- name: postgres
  newTag: v1
In previous versions, the name of a kustomization file had to be
kustomization.yaml. Kustomize allows
Kustomization. In a directory, only one of those filenames is allowed. If more than one is found, Kustomize will exit with an error. Please select the best filename for your use case.
Cancelled plans to deprecate applying prefix/suffix to namespace. The deprecation warning
Adding nameprefix and namesuffix to Namespace resource will be deprecated in next release.