Closed strangiato closed 6 months ago
@strangiato, the reason we forbid escaping the directory is that we embed the Policy Generator in GitOps tools such as (ArgoCD, ACM Application Subscription) and we don't want an attacker to be able to generate policies using sensitive YAML files in the container.
I think a workaround is to have the manifest path point to a kustomization.yaml which can reference other kustomize directories outside of the current path.
Closing as there has been no updates. Feel free to reopen if this issue is still relevant.
So question - using the PolicyGenerator plugin with Kustomize and Helm...typically Kustomize also has this security feature of not being able to reference files in parent paths but you can disable that with --load-restrictor LoadRestrictionsNone
There's an environmental variable POLICY_GEN_ENABLE_HELM=true
that can enable Helm usage with PolicyGenerators...what are y'alls thoughts around having another env var like POLICY_GEN_DISABLE_LOAD_RESTRICTORS=true
to enable having helm charts in a parent path?
So question - using the PolicyGenerator plugin with Kustomize and Helm...typically Kustomize also has this security feature of not being able to reference files in parent paths but you can disable that with
--load-restrictor LoadRestrictionsNone
There's an environmental variable
POLICY_GEN_ENABLE_HELM=true
that can enable Helm usage with PolicyGenerators...what are y'alls thoughts around having another env var likePOLICY_GEN_DISABLE_LOAD_RESTRICTORS=true
to enable having helm charts in a parent path?
@kenmoini I have no problem with that. Alternatively, we could consider an option allowing relative paths outside the Kustomize directory until the root of the Git repo is reached. That might not be flexible enough but it could be a nice convenience for accessing files within a repo when leveraging the Policy Generator with a GitOps tool.
In the policygenerator-reference it states that the Manifests path cannot be in a directory outside of the directory with the kustomization.yaml file in it.
It would be great to be able to reference another kustomize folder in a different location in the repo.
Ideally I would like to be able to organize my folder structure something like this where the manifests are at the same level as the policy overlays: