FAQ

security: file ‘foo’ is not in or below ‘bar’

v2.0 added a security check that prevents kustomizations from reading files outside their own directory root.

This was meant to help protect the person inclined to download kustomization directories from the web and use them without inspection to control their production cluster (see #693, #700, #995 and #998)

Resources (including configmap and secret generators) can still be shared via the recommended best practice of placing them in a directory with their own kustomization file, and referring to this directory as a base from any kustomization that wants to use it. This encourages modularity and relocatability.

To disable this in v3, use the load_restrictor flag:

kustomize build --load_restrictor none $target

Some field is not transformed by kustomize

Example: #1319, #1322, #1347 and etc.

The fields transformed by kustomize is configured explicitly in defaultconfig. The configuration itself can be customized by including configurations in kustomization.yaml, e.g.

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
configurations:
- kustomizeconfig.yaml

The configuration directive allows customization of the following transformers:

commonAnnotations: []
commonLabels: []
nameprefix: []
namespace: []
varreference: []
namereference: []
images: []
replicas: []

To persist the changes to default configuration, submit a PR like #1338, #1348 and etc.


最后修改 2023年02月01日: Update references for kustomize v5 (56153e2)