fix containerized function mounts issue

[natasha41575]

Fix #4290

Kustomize was not mounting files into containerized functions directly because the StorageMounts field was not being properly propagated to the function filter.

This PR allows users to use the StorageMounts fields, with the following requirements:

• mount paths cannot be absolute paths
• mount paths must be relative to the kustomization that refers to them
• mount paths must be under the kustomization directory that refers to them

As a side note, if we are going to be promoting functions in kustomize we should probably build up a strong test suite for containerized functions and run those tests in CI. All tests needing docker are currently being skipped.

/cc @yuwenma
/cc @KnVerey

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: natasha41575

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [natasha41575]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[yuwenma]

Some minor comments. Looks great!

[k8s-ci-robot]

@natasha41575: This PR has multiple commits, and the default merge method is: merge.
You can request commits to be squashed using the label: tide/merge-method-squash

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[KnVerey]

I poked around the history of the problem file, and it seems to me this never worked. Is that correct?

If so, if we were to release this PR, it would introduce a new security issue that (intended or not) we didn't have before.
Since container functions ARE enabled in kubectl, we should be very careful about this decision.

It looks like the feature was originally intended to have restrictions on the path, but that did not get implemented: #1902

volumes are relative to the Resource config
volumes must be in a directory under the config directory (no ../)

The way Plugin Graduation proposes to handle this is through Catalog, where the Catalog entry must specify allowed mounts. Inline config like what we're turning on here actually wouldn't be supported at all anymore:

If a containerized plugin needs network or disk access, its catalog entry MUST specify it. Redundant inline provider config cannot be used to grant it. When the catalog does specify it, no additional flags or config fields will be required to grant it the required access.

[natasha41575]

I poked around the history of the problem file, and it seems to me this never worked. Is that correct?

It seems that this is the case, and I agree that you're right, it probably isn't great to allow an unrestricted path to be mounted in the container.

However, this lack of mounts would block usage of the render-helm-chart KRM function for local charts and I don't think it would be practical to wait for the Plugin Graduation and Catalog to be completed before asking users to migrate from the builtin Helm plugin.

WDYT about restricting mounted paths to the same load restrictions as all other paths (i.e. it must be in the current kustomization directory)? If we do that, would that alleviate your concerns regarding security?

[KnVerey]

WDYT about restricting mounted paths to the same load restrictions as all other paths (i.e. it must be in the current kustomization directory)? If we do that, would that alleviate your concerns regarding security?

Yes, this would work for me.

[natasha41575]

@KnVerey awesome, PR is updated, with a check to ensure that the mounted paths are in the current directory. I added a test TestFnContainerMountsLoadRestrictions for this restriction as well.

[KnVerey]

As a side note, if we are going to be promoting functions in kustomize we should probably build up a strong test suite for containerized functions and run those tests in CI. All tests needing docker are currently being skipped.

As part of #4564 I noticed that it seems like some Docker-based tests do run in CI. But only the ones in cmd/config, only if they're gated with KUSTOMIZE_DOCKER_E2E specifically, and only on Linux: https://github.com/kubernetes-sigs/kustomize/blob/master/.github/workflows/go.yml#L61. Since we aren't running in verbose mode right now you can't see it in this PR's tests, but check out this test run from my PR: https://github.com/kubernetes-sigs/kustomize/runs/5826226816?check_suite_focus=true#step:4:846

[natasha41575]

Without this change, TestFnContainerEnvVars fails with the error couldn't execute function: root working directory '/' not allowed. ldr.Root() returns "/" when run at the root-level, i.e. whenever we do th.Run(".") in our tests. If we don't set the working dir here, then the function filter uses the current working directory, which I believe is correct behavior in the cases that hit this problem.

Alternatively I think we could rewrite TestFnContainerEnvVars so that it does th.Run("dir") or something, and then we won't have to have this change here.

[KnVerey]

Hmm, but isn't this just bypassing a real restriction we have in our function code? In other words, won't it really enable the root directory to be used as valid plugin load location, effectively allowing plugins from anywhere on the disk?

If we don't set the working dir here, then the function filter uses the current working directory, which I believe is correct behavior in the cases that hit this problem.

Can you explain more why you believe this is correct? My inclination would be that it's easier to understand what's happening if the behavior is always the same (kustomization root, not invocation dir).

Alternatively I think we could rewrite TestFnContainerEnvVars so that it does th.Run("dir") or something, and then we won't have to have this change here.

Is it true that the tests in question are always using a virtual filesystem, and that's why it's not bad for the Kustomization dir to be the root? If so, that change will make the tests more realistic, right?

[natasha41575]

🤦‍♀️ you're right on all points. I think my brain was in another location when I wrote this part, for some reason I was thinking of the working directory as the kustomization root, which is obviously not the case and is the whole reason we are doing this anyways.

I will update the test.

[natasha41575]

Test updated! I had to change it to use a temporary directory in the real file system because it's shelling out to docker and needs the working directory to be a real one.

[natasha41575]

According to the logs, the docker tests are running in the linux job but not the mac one. Filed #4579

[KnVerey]

Why two values files? And do we actually need the whole chart for the purposes of the test?

[natasha41575]

Pared this down to a minimal example!

[KnVerey]

Why is this test exec'ing Kustomize instead of using the test framework? How do we know the binary that will be found corresponds to the version of the code we think we're testing?

[natasha41575]

Originally I was trying to copy the entire testdata/fnmounts directory into the temp directory where the test framework was running, which turned out to be a headache.

But with a pared down helm chart (per your other suggestion), this is much easier to do with the test framework. Updated!

[KnVerey]

/lgtm