controllers: use own Kustomize FS implementation

For details, see: fluxcd/pkg#262 Signed-off-by: Hidde Beydals <hello@hidde.co>
fluxcd · Apr 15, 2022 · 467a55c · 467a55c
1 parent ad91006
commit 467a55c
Show file tree

Hide file tree

Showing 5 changed files with 119 additions and 34 deletions.
diff --git a/controllers/kustomization_controller.go b/controllers/kustomization_controller.go
@@ -31,6 +31,7 @@ import (
 	"time"
 
 	securejoin "github.com/cyphar/filepath-securejoin"
+
 	"github.com/hashicorp/go-retryablehttp"
 	corev1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
@@ -52,7 +53,6 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/predicate"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 	"sigs.k8s.io/controller-runtime/pkg/source"
-	"sigs.k8s.io/kustomize/kyaml/filesys"
 
 	apiacl "github.com/fluxcd/pkg/apis/acl"
 	"github.com/fluxcd/pkg/apis/meta"
@@ -357,7 +357,7 @@ func (r *KustomizationReconciler) reconcile(
 	}
 
 	// generate kustomization.yaml if needed
-	err = r.generate(kustomization, dirPath)
+	err = r.generate(kustomization, tmpDir, dirPath)
 	if err != nil {
 		return kustomizev1.KustomizationNotReady(
 			kustomization,
@@ -629,8 +629,8 @@ func (r *KustomizationReconciler) getSource(ctx context.Context, kustomization k
 	return source, nil
 }
 
-func (r *KustomizationReconciler) generate(kustomization kustomizev1.Kustomization, dirPath string) error {
-	gen := NewGenerator(kustomization)
+func (r *KustomizationReconciler) generate(kustomization kustomizev1.Kustomization, workDir string, dirPath string) error {
+	gen := NewGenerator(workDir, kustomization)
 	return gen.WriteFile(dirPath)
 }
 
@@ -641,19 +641,17 @@ func (r *KustomizationReconciler) build(ctx context.Context, workDir string, kus
 	}
 	defer cleanup()
 
-	// import OpenPGP keys if any
+	// Import decryption keys
 	if err := dec.ImportKeys(ctx); err != nil {
 		return nil, err
 	}
 
-	fs := filesys.MakeFsOnDisk()
-	// decrypt .env files before building kustomization
-	if kustomization.Spec.Decryption != nil {
-		if err = dec.DecryptEnvSources(dirPath); err != nil {
-			return nil, fmt.Errorf("error decrypting .env file: %w", err)
-		}
+	// Decrypt Kustomize EnvSources files before build
+	if err = dec.DecryptEnvSources(dirPath); err != nil {
+		return nil, fmt.Errorf("error decrypting .env file: %w", err)
 	}
-	m, err := buildKustomization(fs, dirPath)
+
+	m, err := secureBuildKustomization(workDir, dirPath)
 	if err != nil {
 		return nil, fmt.Errorf("kustomize build failed: %w", err)
 	}

diff --git a/controllers/kustomization_decryptor.go b/controllers/kustomization_decryptor.go
@@ -358,7 +358,7 @@ func (d *KustomizeDecryptor) DecryptResource(res *resource.Resource) (*resource.
 // outside the working directory of the decryptor, but returns any decryption
 // error.
 func (d *KustomizeDecryptor) DecryptEnvSources(path string) error {
-	if d.kustomization.Spec.Decryption.Provider != DecryptionProviderSOPS {
+	if d.kustomization.Spec.Decryption == nil || d.kustomization.Spec.Decryption.Provider != DecryptionProviderSOPS {
 		return nil
 	}
 

diff --git a/controllers/kustomization_generator.go b/controllers/kustomization_generator.go
@@ -29,19 +29,22 @@ import (
 	"sigs.k8s.io/kustomize/api/provider"
 	"sigs.k8s.io/kustomize/api/resmap"
 	kustypes "sigs.k8s.io/kustomize/api/types"
-	"sigs.k8s.io/kustomize/kyaml/filesys"
 	"sigs.k8s.io/yaml"
 
-	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
 	"github.com/fluxcd/pkg/apis/kustomize"
+	securefs "github.com/fluxcd/pkg/kustomize/filesys"
+
+	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta2"
 )
 
 type KustomizeGenerator struct {
+	root          string
 	kustomization kustomizev1.Kustomization
 }
 
-func NewGenerator(kustomization kustomizev1.Kustomization) *KustomizeGenerator {
+func NewGenerator(root string, kustomization kustomizev1.Kustomization) *KustomizeGenerator {
 	return &KustomizeGenerator{
+		root:          root,
 		kustomization: kustomization,
 	}
 }
@@ -127,7 +130,10 @@ func checkKustomizeImageExists(images []kustypes.Image, imageName string) (bool,
 }
 
 func (kg *KustomizeGenerator) generateKustomization(dirPath string) error {
-	fs := filesys.MakeFsOnDisk()
+	fs, err := securefs.MakeFsOnDiskSecure(kg.root)
+	if err != nil {
+		return err
+	}
 
 	// Determine if there already is a Kustomization file at the root,
 	// as this means we do not have to generate one.
@@ -234,11 +240,19 @@ func adaptSelector(selector *kustomize.Selector) (output *kustypes.Selector) {
 // TODO: remove mutex when kustomize fixes the concurrent map read/write panic
 var kustomizeBuildMutex sync.Mutex
 
-// buildKustomization wraps krusty.MakeKustomizer with the following settings:
-// - load files from outside the kustomization.yaml root
-// - disable plugins except for the builtin ones
-func buildKustomization(fs filesys.FileSystem, dirPath string) (resmap.ResMap, error) {
-	// temporary workaround for concurrent map read and map write bug
+// secureBuildKustomization wraps krusty.MakeKustomizer with the following settings:
+//  - secure on-disk FS denying operations outside root
+//  - load files from outside the kustomization dir path
+//    (but not outside root)
+//  - disable plugins except for the builtin ones
+func secureBuildKustomization(root, dirPath string) (resmap.ResMap, error) {
+	// Create secure FS for root
+	fs, err := securefs.MakeFsOnDiskSecure(root)
+	if err != nil {
+		return nil, err
+	}
+
+	// Temporary workaround for concurrent map read and map write bug
 	// https://github.com/kubernetes-sigs/kustomize/issues/3659
 	kustomizeBuildMutex.Lock()
 	defer kustomizeBuildMutex.Unlock()

diff --git a/go.mod b/go.mod
@@ -16,6 +16,7 @@ require (
 	github.com/fluxcd/pkg/apis/acl v0.0.3
 	github.com/fluxcd/pkg/apis/kustomize v0.3.2
 	github.com/fluxcd/pkg/apis/meta v0.12.1
+	github.com/fluxcd/pkg/kustomize v0.2.0
 	github.com/fluxcd/pkg/runtime v0.13.3
 	github.com/fluxcd/pkg/ssa v0.15.1
 	github.com/fluxcd/pkg/testserver v0.2.0
@@ -29,12 +30,12 @@ require (
 	go.mozilla.org/sops/v3 v3.7.2
 	golang.org/x/net v0.0.0-20220225172249-27dd8689420f
 	google.golang.org/grpc v1.45.0
-	k8s.io/api v0.23.4
-	k8s.io/apiextensions-apiserver v0.23.4
-	k8s.io/apimachinery v0.23.4
-	k8s.io/client-go v0.23.4
+	k8s.io/api v0.23.5
+	k8s.io/apiextensions-apiserver v0.23.5
+	k8s.io/apimachinery v0.23.5
+	k8s.io/client-go v0.23.5
 	sigs.k8s.io/cli-utils v0.29.3
-	sigs.k8s.io/controller-runtime v0.11.1
+	sigs.k8s.io/controller-runtime v0.11.2
 	sigs.k8s.io/kustomize/api v0.11.4
 	sigs.k8s.io/kustomize/kyaml v0.13.6
 	sigs.k8s.io/yaml v1.3.0
@@ -199,7 +200,7 @@ require (
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
 	k8s.io/cli-runtime v0.23.2 // indirect
-	k8s.io/component-base v0.23.4 // indirect
+	k8s.io/component-base v0.23.5 // indirect
 	k8s.io/klog/v2 v2.50.0 // indirect
 	k8s.io/kube-openapi v0.0.0-20211115234752-e816edb12b65 // indirect
 	k8s.io/kubectl v0.23.2 // indirect