security: file ‘foo’ is not in or below ‘bar’
v2.0 added a security check that prevents kustomizations from reading files outside their own directory root.
This was meant to help protect the person inclined to download kustomization directories from the web and use them without inspection to control their production cluster (see #693, #700, #995 and #998)
Resources (including configmap and secret generators)
can still be shared via the recommended best practice
of placing them in a directory with their own
kustomization file, and referring to this directory as a
base from any kustomization that
wants to use it. This encourages modularity and
To disable this, use v3, and the
kustomize build --load_restrictor none $target
Some field is not transformed by kustomize
The fields transformed by kustomize is configured explicitly in defaultconfig. The configuration itself can be customized by including
apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization configurations: - kustomizeconfig.yaml
The configuration directive allows customization of the following transformers:
commonAnnotations:  commonLabels:  nameprefix:  namespace:  varreference:  namereference:  images:  replicas: 
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.