flux build/diff: fs-security-constraint error

[Thaval]

Describe the bug

When running flux build ..., an error is shown that indicates security issue. For example:

flux build kustomization my-app --path ./corpsol --kustomization-file ./corpsol/kustomization.yaml

will display the following error

✗ kustomize build failed: fs-security-constraint abs ./corpsol: path './corpsol' is not in or below 'C:\'

The kustomization.yaml looks like this

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- helm-release.yaml
- ../../../../.common/helm_templates/flux_manifests/alert.yaml

Steps to reproduce

• Install Flux
• Run flux build kustomization my-app --path ./corpsol --kustomization-file ./corpsol/kustomization.yaml
• See the error - fs-security-constraint (no files are built)

Expected behavior

The kustomization should be built successfully, so that a preview is shown.

Screenshots and recordings

No response

OS / Distro

Windows 10

Flux version

v0.30.2

Flux check

flux check
► checking prerequisites
✔ Kubernetes 1.22.6 >=1.20.6-0
► checking controllers
✔ helm-controller: deployment ready
► ghcr.io/fluxcd/helm-controller:v0.21.0
✔ kustomize-controller: deployment ready
► ghcr.io/fluxcd/kustomize-controller:v0.25.0
✔ notification-controller: deployment ready
► ghcr.io/fluxcd/notification-controller:v0.23.5
✔ source-controller: deployment ready
► ghcr.io/fluxcd/source-controller:v0.24.4
✔ all checks passed

Git provider

No response

Container Registry provider

No response

Additional context

No response

Code of Conduct

• I agree to follow this project's Code of Conduct

[souleb]

@Thaval can we get the root of ./corpsol?

[Thaval]

@souleb What do you mean: The files and contents or the absolute path of ./corpsol?

[hiddeco]

The absolute path of ./corpsol.

[Thaval]

@hiddeco @souleb The absolute path is C:\Users\dave\source\repos\infra\clusters\apps\domains\corpsol

[Thaval]

What's the current state?

[souleb]

Hello There. I felt behind, but I still plan to fix this.

[Thaval]

Alright, thanks! :) Could you reproduce this? Let me know if you need more information.

[4c74356b41]

getting the same error for flux diff:

✗ kustomize build failed: must build at directory: not a valid directory: fs-security-constraint abs C:\flux-fleet\clusters\prd: path 'C:\flux-fleet\clusters\prd' is not in or below 'C:\'

same error for any kustomizations (I only use flux ones, not kustomize ones)\path combo

[stefanprodan]

Fixing this on Windows is not going to be easy as none of the Flux maintainers use MSFT products. I suggest installing the Flux CLI on Windows Subsystem for Linux which has no issues.

[4c74356b41]

can you, perhaps, point me to the code that is throwing? I'm willing to try, however I'm not really good with go :(

[stefanprodan]

The error comes from our own filesystem implementation https://github.com/fluxcd/pkg/blob/main/kustomize/filesys/fs_secure.go

[4c74356b41]

thanks, i'll try looking at it, but at a glance it doesn't look like something I'll be able to figure out xD

[Thaval]

@stefanprodan Ok, understand this. Totally new to golang, but I only use Windows. However, is there a guide on how to kickstart flux development? Would like to know how to run the code and test changes.

Just a note for myself:
#2764

[souleb]

@Thaval can you try with this pull request: #3317?

[Thaval]

@Thaval can you try with this pull request: #3317?

Sure I can. But I need to figure out how to run the commands or better said, build and use the project.

[souleb]

⋊> ~ make build-dev                                                                                         10:14:28
⋊> ~ ./bin/flux diff kustomization ...

[4c74356b41]

this doesnt build a binary for windows? at least for me.

i think this works to build for windows: export GOOS=windows

[4c74356b41]

okay, with this build it is actually working! sweeeet.

.\flux.exe diff kustomization --path C:\_git\xxx\infrastructure\core\ cluster-base
✓  Kustomization diffing...
► Namespace/yyy drifted

metadata.labels
  + one map entry added:
    test: test

⚠️ identified at least one change, exiting with non-zero exit code