search

kubernetes / kubectl

Issue tracker and mirror of kubectl code
Apache License 2.0
2.75k stars 894 forks source link

Symlink support for kubectl apply --recursive=true #1603

Closed cospeedster closed 4 weeks ago

cospeedster commented 1 month ago

What would you like to be added:

Symlink support for kubectl apply --filename=. --recursive=true

.
├── all
│   └── policies.yaml
├── dev
│   └── manifests
│       ├── all-manifests -> ../../all/
│       └── example-manifest.yaml
├── prod
│   └── manifests
│       ├── all-manifests -> ../../all/
│       └── example-manifest.yaml
└── stage
    └── manifests
        ├── all-manifests -> ../../all/
        └── example-manifest.yaml

Why is this needed:

Sometimes we organize manifests per environment in different directories. But some manifests are equal in each environment. for this we have an all directory with manifests which have to be applied for all environments like policies.

k8s-ci-robot commented 1 month ago

This issue is currently awaiting triage.

SIG CLI takes a lead on issue triage for this repo, but any Kubernetes member can accept issues by applying the triage/accepted label.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.
ardaguclu commented 1 month ago

In my opinion, this would negatively impact the security. Bad actors would define symlinks of various unlisted yaml definitions and blindly applying these resources seems to be not preferable.

cospeedster commented 1 month ago

Unfortunately, this sounds like a valid point.

Maybe we could think about an cli option to accept this behavior explicitly? I don't know if that's a good idea.

brianpursley commented 1 month ago

I agree that it could be a security concern, and I think I recall that kubectl resolving symlinks has been avoided in the past.

As a workaround, could you copy the files you want to apply, expanding symlinks, something like this?

cp -rL . /tmp/staging
kubectl apply -f /tmp/staging --recursive
rm -r /tmp/staging
cospeedster commented 1 month ago

Yes, there is definitely a workaround. There is almost always one. That just makes our deployments a little more complex.

I can live with that, but I still wanted to put the topic up for discussion here.

ardaguclu commented 4 weeks ago

Thanks for bringing this topic. I'd like to close this issue, if you don't mind; /close

k8s-ci-robot commented 4 weeks ago

@ardaguclu: Closing this issue.

In response to [this](https://github.com/kubernetes/kubectl/issues/1603#issuecomment-2149223891): >Thanks for bringing this topic. I'd like to close this issue, if you don't mind; >/close Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.