Whether the output directory of the kubectl-edit-xxx.yaml file is configurable

[kangzhiqin]

What would you like to be added?

When kubectl edits resources, a kubectl-edit-xxx.yaml file is generated in the /tmp directory. Can this file be generated in other directories or can it be configured? In actual applications, the /tmp directory has security risks.

The code is probably in this location: https://github.com/kubernetes/kubernetes/blob/8dc49c4b984b897d423aab4971090e1879eb4f23/staging/src/k8s.io/kubectl/pkg/cmd/util/editor/editoptions.go#L299-L309

Why is this needed?

The /tmp directory has security risks. It is recommended that logs be stored in other directories or be configurable.

k8s version is 1.28.1

[k8s-ci-robot]

This issue is currently awaiting triage.

If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.

[neolit123]

/sig cli

[neolit123]

/sig security

[BenTheElder]

When kubectl edits resources, a kubectl-edit-xxx.yaml file is generated in the /tmp directory. Can this file be generated in other directories or can it be configured?

https://github.com/kubernetes/kubernetes/blob/baf11b01c5420aeb5b1f7d9b91eb76a2110b98f9/staging/src/k8s.io/kubectl/pkg/cmd/util/editor/editor.go#L97C15-L97C25

https://pkg.go.dev/os#CreateTemp which follows https://pkg.go.dev/os#TempDir

You can influence it by setting TMPDIR environment variable

In actual applications, the /tmp directory has security risks.

The /tmp directory has security risks. It is recommended that logs be stored in other directories or be configurable.

This isn't a log file, and anywhere we create a file there's roughly the same issues with access control and other processes.

What do you propose instead?

[kangzhiqin]

When kubectl edits resources, a kubectl-edit-xxx.yaml file is generated in the /tmp directory. Can this file be generated in other directories or can it be configured?

https://github.com/kubernetes/kubernetes/blob/baf11b01c5420aeb5b1f7d9b91eb76a2110b98f9/staging/src/k8s.io/kubectl/pkg/cmd/util/editor/editor.go#L97C15-L97C25

https://pkg.go.dev/os#CreateTemp which follows https://pkg.go.dev/os#TempDir

You can influence it by setting TMPDIR environment variable

In actual applications, the /tmp directory has security risks.

The /tmp directory has security risks. It is recommended that logs be stored in other directories or be configurable.

This isn't a log file, and anywhere we create a file there's roughly the same issues with access control and other processes.

What do you propose instead?

Thank you for your reply. Can you add a configuration parameter to specify the output directory and consider the file aging?