open-cluster-management-io / policy-generator-plugin

A Kustomize generator plugin to generate Open Cluster Management policies
Apache License 2.0

Feature Request: Allow manifest paths outside of current directory #129

Closed strangiato closed 6 months ago

strangiato commented 1 year ago

In the policygenerator-reference it states that the Manifests path cannot be in a directory outside of the directory with the kustomization.yaml file in it.

It would be great to be able to reference another kustomize folder in a different location in the repo.

   manifests:
      # Required. Path to a single file or a flat directory of files relative to the kustomization.yaml file. This path
      # cannot be in a directory outside of the directory with the kustomization.yaml file. Subdirectories within the
      # directory of the kustomization.yaml file are allowed. Kustomization subdirectories are also supported and will
      # not process any YAML files in the subdirectory if a kustomization.yaml file is found.

Ideally I would like to be able to organize my folder structure something like this where the manifests are at the same level as the policy overlays:

components/policies
└──  my-policy
    ├── manifests
    │   ├── base
    │   └── overlays
    │       └── default
    └── policy
        ├── base
        └── overlays
            └── default

mprahl commented 1 year ago

@strangiato, the reason we forbid escaping the directory is that we embed the Policy Generator in GitOps tools such as ArgoCD and ACM Application Subscription, and we don't want an attacker to be able to generate policies using sensitive YAML files in the container.

I think a workaround is to have the manifest path point to a kustomization.yaml which can reference other kustomize directories outside of the current path.

dhaiducek commented 6 months ago

Closing as there have been no updates. Feel free to reopen if this issue is still relevant.

kenmoini commented 4 months ago

So question - using the PolicyGenerator plugin with Kustomize and Helm...typically Kustomize also has this security feature of not being able to reference files in parent paths but you can disable that with --load-restrictor LoadRestrictionsNone

There's an environmental variable POLICY_GEN_ENABLE_HELM=true that can enable Helm usage with PolicyGenerators...what are y'alls thoughts around having another env var like POLICY_GEN_DISABLE_LOAD_RESTRICTORS=true to enable having helm charts in a parent path?

mprahl commented 4 months ago

> So question - using the PolicyGenerator plugin with Kustomize and Helm...typically Kustomize also has this security feature of not being able to reference files in parent paths but you can disable that with --load-restrictor LoadRestrictionsNone
>
> There's an environmental variable POLICY_GEN_ENABLE_HELM=true that can enable Helm usage with PolicyGenerators...what are y'alls thoughts around having another env var like POLICY_GEN_DISABLE_LOAD_RESTRICTORS=true to enable having helm charts in a parent path?

@kenmoini I have no problem with that. Alternatively, we could consider an option allowing relative paths outside the Kustomize directory until the root of the Git repo is reached. That might not be flexible enough but it could be a nice convenience for accessing files within a repo when leveraging the Policy Generator with a GitOps tool.
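
The containment rule discussed in this thread, with the allowed root as a parameter so the same check covers both the current behaviour (root is the kustomization.yaml directory) and the proposed one (root is the Git repo root). This is an added example, not code from the policy-generator-plugin; `resolveWithin`, `sampleTree`, `ErrEscapes` and the sample layout are names and data made up for it, and it assumes the caller passes absolute directories. It resolves symlinks before comparing, because a link inside the allowed directory can point at a file outside it.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var ErrEscapes = fmt.Errorf("manifest path escapes the allowed root")

// resolveWithin (example helper, not the plugin's API) joins rel to baseDir,
// follows symlinks, and refuses results outside root. Pass absolute directories.
func resolveWithin(root, baseDir, rel string) (string, error) {
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	realPath, err := filepath.EvalSymlinks(filepath.Join(baseDir, rel))
	if err != nil {
		return "", err
	}
	fromRoot, err := filepath.Rel(realRoot, realPath)
	if err != nil || fromRoot == ".." || strings.HasPrefix(fromRoot, ".."+string(filepath.Separator)) {
		return "", ErrEscapes
	}
	return realPath, nil
}

// sampleTree builds a constructed repo layout under tmp for the demonstration.
func sampleTree(tmp string) (root, kust string) {
	root = filepath.Join(tmp, "repo")
	kust = filepath.Join(root, "components", "policies", "my-policy", "policy")
	os.MkdirAll(kust, 0755)
	os.MkdirAll(filepath.Join(kust, "../manifests"), 0755)
	os.WriteFile(filepath.Join(tmp, "secret.yaml"), []byte("kind: Secret\n"), 0644)
	os.Symlink(filepath.Join(tmp, "secret.yaml"), filepath.Join(kust, "link.yaml"))
	return root, kust
}

func main() {
	tmp, _ := os.MkdirTemp("", "polgen-example")
	defer os.RemoveAll(tmp)
	root, kust := sampleTree(tmp)
	for _, p := range []string{"../manifests", "link.yaml", "../../../../../secret.yaml"} {
		_, inDir := resolveWithin(kust, kust, p)
		_, inRepo := resolveWithin(root, kust, p)
		fmt.Printf("%-28s kustomize-dir: %v | repo-root: %v\n", p, inDir, inRepo)
	}
}
```

With the root set to the repo, the sibling `manifests` directory from the requested layout resolves, while the file outside the repo is refused whether it is reached by `..` segments or through the symlink.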