kustomize "security; file is not in or below" load restriction in CI
By default kustomize refuses to load files outside the directory tree of the kustomization root, as a security measure. Referencing an absolute path or a file above the root triggers "security; file is not in or below". You can relax it with --load-restrictor LoadRestrictionsNone.
What this error means
kustomize build fails with "security; file \"/repo/shared/config.yaml\" is not in or below \"/repo/overlays/prod\"" when a resource or file reference points outside the root.
Error: accumulating resources: accumulation err='accumulating resources from
'/repo/shared/config.yaml': security; file '/repo/shared/config.yaml' is not in
or below '/repo/overlays/prod''Common causes
An absolute path or a path above the root
A resources or generator file uses an absolute path, or reaches above the kustomization root, which the default restrictor forbids.
A shared file kept outside the overlay tree
A config shared across overlays lives in a sibling directory not under the build root, tripping the restriction.
How to fix it
Relax the load restrictor when the path is intended
Pass LoadRestrictionsNone when you deliberately reference files outside the root; use the matching kubectl flag for apply -k.
kustomize build --load-restrictor LoadRestrictionsNone overlays/prod
# or with kubectl
kubectl apply -k overlays/prod --load-restrictor=LoadRestrictionsNoneMove the file under the root instead
Keep referenced files within the kustomization tree so the default restriction is satisfied without a flag.
# copy or symlink shared config into the overlay tree
resources:
- config.yamlHow to prevent it
- Keep referenced files inside the kustomization root by default.
- Reserve LoadRestrictionsNone for deliberate cross-tree references.
- Use relative paths, never absolute, in resources and generators.