Kustomize v2.0.0

After security review, a field used in secret generation (see below) was removed from the definition of a kustomization file with no mechanism to convert it to a new form. Also, the set of files accessible from a kustomization file has been further constrained.

Per the versioning policy, backward incompatible changes trigger an increment of the major version number, hence we go from 1.0.11 to 2.0.0. We’re taking this major version increment opportunity to remove some already deprecated fields, and the code paths associated with them.

Backward Incompatible Changes

Kustomization Path Constraints

A kustomization file can specify paths to other files, including resources, patches, configmap generation data, secret generation data and bases. In the case of a base, the path can be a git URL instead.

In 1.x, these paths had to be relative to the current kustomization directory (the location of the kustomization file used in the build command).

In 2.0, bases can continue to specify, via relative paths, kustomizations outside the current kustomization directory. But non-base paths are constrained to terminate in or below the current kustomization directory. Further, bases specified via a git URL may not reference files outside of the directory used to clone the repository.
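The 2.0 rule for non-base paths can be checked before an upgrade. The following is an added example, not Kustomize's own code: the Ref type, the function names and the sample entries are hypothetical, the check is purely lexical (symlinks are not followed), and git URL bases are not handled.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Ref is one path entry from a kustomization file (hypothetical type for this example).
type Ref struct {
	Field string // e.g. "bases", "resources", "secretGenerator.files"
	Path  string
}

// inOrBelow reports whether p, resolved against root, ends in or below root.
// Lexical only: symlinks are not followed (assumption of this example).
func inOrBelow(root, p string) bool {
	if !filepath.IsAbs(p) {
		p = filepath.Join(root, p)
	}
	rel, err := filepath.Rel(root, filepath.Clean(p))
	if err != nil {
		return false
	}
	// A file name that merely starts with ".." (such as "..data") is not a parent reference.
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// Violations lists non-base entries that leave the kustomization directory.
// Bases are skipped: 2.0 still lets them point at other directories.
func Violations(root string, refs []Ref) []string {
	var out []string
	for _, r := range refs {
		if r.Field != "bases" && !inOrBelow(root, r.Path) {
			out = append(out, r.Field+": "+r.Path)
		}
	}
	return out
}

func main() {
	// Constructed sample entries, not taken from a real project.
	refs := []Ref{
		{"bases", "../../base"},
		{"patchesStrategicMerge", "sub/../deployment-patch.yaml"},
		{"secretGenerator.files", "../shared/tls.key"},
		{"configMapGenerator.files", "..data/app.properties"},
	}
	for _, v := range Violations("/work/app/overlay", refs) {
		fmt.Println("outside kustomization directory:", v)
	}
}
```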

Kustomization Field Removals


patches was deprecated and replaced by patchesStrategicMerge when patchesJson6902 was introduced. In Kustomize 2.0.0, patches is removed. Please use patchesStrategicMerge instead.


imageTags is replaced by images since images can provide more features to change image names, registries, tags and digests.


commands is removed from SecretGenerator due to a security concern. One can use files or literals, similar to ConfigMapGenerator, to generate a secret.

secretGenerator:
- name: app-tls
  files:
    - secret/tls.cert
    - secret/tls.key
  type: ""

Compatible Changes (New Features)

As this release is triggered by a security change, there are no major new features to announce. A few things that are worth mentioning in this release are:

  • More than 40 issues closed since 1.0.11 release (including many extensions to transformation rules).

  • Users can run kustomize edit fix to migrate a kustomization file that works with previous versions to one that works with 2.0.0. For example, a kustomization.yaml with the following content

      patches:
        - deployment-patch.yaml
      imageTags:
        - name: postgres
          newTag: v1

    will be converted to

      kind: Kustomization
      patchesStrategicMerge:
        - deployment-patch.yaml
      images:
        - name: postgres
          newTag: v1

  • Kustomization filename

    In previous versions, the name of a kustomization file had to be kustomization.yaml. Kustomize now allows kustomization.yaml, kustomization.yml and Kustomization. Only one of those filenames is allowed in a directory. If more than one is found, Kustomize will exit with an error. Please select the best filename for your use cases.

  • Cancelled plans to deprecate applying prefix/suffix to namespace. The deprecation warning

    Adding nameprefix and namesuffix to Namespace resource will be deprecated in next release.

    was removed.