From e52bab4ddcd1e96093e12f25ac3d214de9d66d17 Mon Sep 17 00:00:00 2001
From: Natasha Sarkar <natashasarkar@google.com>
Date: Tue, 17 Aug 2021 16:57:42 -0700
Subject: [PATCH 1/5] exec function working dir is the kustomization that
 referenced it

---
 api/internal/target/kusttarget.go |   8 +-
 api/krusty/fnplugin_test.go       | 125 ++++++++++++++++++++++++++++++
 api/resmap/resmap.go              |   4 +
 api/resmap/reswrangler.go         |  13 ++++
 kyaml/fn/runtime/exec/exec.go     |  13 ++++
 kyaml/runfn/runfn.go              |  14 +++-
 6 files changed, 175 insertions(+), 2 deletions(-)

diff --git a/api/internal/target/kusttarget.go b/api/internal/target/kusttarget.go
index 18a38f3c48..046ed27a17 100644
--- a/api/internal/target/kusttarget.go
+++ b/api/internal/target/kusttarget.go
@@ -21,6 +21,7 @@ import (
 	"sigs.k8s.io/kustomize/api/resmap"
 	"sigs.k8s.io/kustomize/api/resource"
 	"sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/kustomize/kyaml/kio/kioutil"
 	"sigs.k8s.io/kustomize/kyaml/openapi"
 	"sigs.k8s.io/yaml"
 )
@@ -262,7 +263,12 @@ func (kt *KustTarget) configureExternalGenerators() ([]resmap.Generator, error)
 	if err != nil {
 		return nil, err
 	}
-	return kt.pLdr.LoadGenerators(kt.ldr, kt.validator, ra.ResMap())
+	m := ra.ResMap()
+	err = m.AnnotateAll(kioutil.PathAnnotation, kt.ldr.Root())
+	if err != nil {
+		return nil, err
+	}
+	return kt.pLdr.LoadGenerators(kt.ldr, kt.validator, m)
 }
 
 func (kt *KustTarget) runTransformers(ra *accumulator.ResAccumulator) error {
diff --git a/api/krusty/fnplugin_test.go b/api/krusty/fnplugin_test.go
index eca491056b..554b5637f9 100644
--- a/api/krusty/fnplugin_test.go
+++ b/api/krusty/fnplugin_test.go
@@ -1,10 +1,16 @@
 package krusty_test
 
 import (
+	"os"
 	"os/exec"
+	"path/filepath"
 	"testing"
 
+	"github.com/stretchr/testify/assert"
+	"sigs.k8s.io/kustomize/api/internal/utils"
+	"sigs.k8s.io/kustomize/api/krusty"
 	kusttest_test "sigs.k8s.io/kustomize/api/testutils/kusttest"
+	"sigs.k8s.io/kustomize/kyaml/filesys"
 )
 
 func TestFnExecGenerator(t *testing.T) {
@@ -82,6 +88,125 @@ spec:
 `)
 }
 
+func TestFnExecGeneratorWithOverlay(t *testing.T) {
+	fSys := filesys.MakeFsOnDisk()
+	th := kusttest_test.MakeHarness(t)
+	o := th.MakeOptionsPluginsEnabled()
+	o.PluginConfig.FnpLoadingOptions.EnableExec = true
+	b := krusty.MakeKustomizer(&o)
+
+	tmpDir, err := filesys.NewTmpConfirmedDir()
+	assert.NoError(t, err)
+	base := filepath.Join(tmpDir.String(), "base")
+	prod := filepath.Join(tmpDir.String(), "prod")
+	assert.NoError(t, fSys.Mkdir(base))
+	assert.NoError(t, fSys.Mkdir(prod))
+	assert.NoError(t, fSys.WriteFile(filepath.Join(base, "kustomization.yaml"), []byte(`
+resources:
+- short_secret.yaml
+generators:
+- gener.yaml
+`)))
+	assert.NoError(t, fSys.WriteFile(filepath.Join(prod, "kustomization.yaml"), []byte(`
+resources:
+- ../base
+`)))
+	assert.NoError(t, fSys.WriteFile(filepath.Join(base, "short_secret.yaml"), []byte(`
+apiVersion: v1
+kind: Secret
+metadata:
+  labels:
+    airshipit.org/ephemeral-user-data: "true"
+  name: node1-bmc-secret
+type: Opaque
+stringData:
+  userData: |
+    bootcmd:
+    - mkdir /mnt/vda
+`)))
+	assert.NoError(t, fSys.WriteFile(filepath.Join(base, "exec.sh"), []byte(`#!/bin/sh
+
+cat <<EOF
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx
+  labels:
+    app: nginx
+  annotations:
+    tshirt-size: small # this injects the resource reservations
+spec:
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+      - name: nginx
+        image: nginx
+EOF
+`)))
+	assert.NoError(t, os.Chmod(filepath.Join(base, "exec.sh"), 0777))
+	assert.NoError(t, fSys.WriteFile(filepath.Join(base, "gener.yaml"), []byte(`
+kind: executable
+metadata:
+  name: demo
+  annotations:
+    config.kubernetes.io/function: |
+      exec:
+        path: ./exec.sh
+spec:
+`)))
+
+	m, err := b.Run(
+		fSys,
+		prod)
+	if utils.IsErrTimeout(err) {
+		// Don't fail on timeouts.
+		t.SkipNow()
+	}
+	assert.NoError(t, err)
+	yml, err := m.AsYaml()
+	assert.NoError(t, err)
+	assert.Equal(t, `apiVersion: v1
+kind: Secret
+metadata:
+  labels:
+    airshipit.org/ephemeral-user-data: "true"
+  name: node1-bmc-secret
+stringData:
+  userData: |
+    bootcmd:
+    - mkdir /mnt/vda
+type: Opaque
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  annotations:
+    tshirt-size: small
+  labels:
+    app: nginx
+  name: nginx
+spec:
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+      - image: nginx
+        name: nginx
+`, string(yml))
+	assert.NoError(t, fSys.RemoveAll(tmpDir.String()))
+}
+
 func skipIfNoDocker(t *testing.T) {
 	if _, err := exec.LookPath("docker"); err != nil {
 		t.Skip("skipping because docker binary wasn't found in PATH")
diff --git a/api/resmap/resmap.go b/api/resmap/resmap.go
index 7c0c2ea802..b6b5118bda 100644
--- a/api/resmap/resmap.go
+++ b/api/resmap/resmap.go
@@ -123,6 +123,10 @@ type ResMap interface {
 	// failing on any CurId collision.
 	AppendAll(ResMap) error
 
+	// AnnotateAll annotates all resources in the ResMap with
+	// the provided key value pair.
+	AnnotateAll(key string, value string) error
+
 	// AbsorbAll appends, replaces or merges the contents
 	// of another ResMap into self,
 	// allowing and sometimes demanding ID collisions.
diff --git a/api/resmap/reswrangler.go b/api/resmap/reswrangler.go
index 5bdc5c585e..2c25c65a61 100644
--- a/api/resmap/reswrangler.go
+++ b/api/resmap/reswrangler.go
@@ -88,6 +88,19 @@ func (m *resWrangler) append(res *resource.Resource) {
 	m.rList = append(m.rList, res)
 }
 
+// AnnotateAll implements ResMap
+func (m *resWrangler) AnnotateAll(key string, value string) error {
+	return m.ApplyFilter(annotations.Filter{
+		Annotations: map[string]string{
+			key: value,
+		},
+		FsSlice: []types.FieldSpec{{
+			Path:               "metadata/annotations",
+			CreateIfNotPresent: true,
+		}},
+	})
+}
+
 // Remove implements ResMap.
 func (m *resWrangler) Remove(adios resid.ResId) error {
 	var rList []*resource.Resource
diff --git a/kyaml/fn/runtime/exec/exec.go b/kyaml/fn/runtime/exec/exec.go
index 3346bc998f..fcd53d1512 100644
--- a/kyaml/fn/runtime/exec/exec.go
+++ b/kyaml/fn/runtime/exec/exec.go
@@ -19,6 +19,10 @@ type Filter struct {
 	// Args are the arguments to the executable
 	Args []string `yaml:"args,omitempty"`
 
+	// WorkingDir is the working directory that the executable
+	// should run in
+	WorkingDir string
+
 	runtimeutil.FunctionFilter
 }
 
@@ -28,6 +32,15 @@ func (c *Filter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) {
 }
 
 func (c *Filter) Run(reader io.Reader, writer io.Writer) error {
+	if c.WorkingDir != "" {
+		p, err := os.Getwd()
+		if err != nil {
+			return err
+		}
+		os.Chdir(c.WorkingDir)
+		defer os.Chdir(p)
+	}
+
 	cmd := exec.Command(c.Path, c.Args...)
 	cmd.Stdin = reader
 	cmd.Stdout = writer
diff --git a/kyaml/runfn/runfn.go b/kyaml/runfn/runfn.go
index bfe1ac3f2f..d3dd071d20 100644
--- a/kyaml/runfn/runfn.go
+++ b/kyaml/runfn/runfn.go
@@ -507,7 +507,19 @@ func (r *RunFns) ffp(spec runtimeutil.FunctionSpec, api *yaml.RNode, currentUser
 	}
 
 	if r.EnableExec && spec.Exec.Path != "" {
-		ef := &exec.Filter{Path: spec.Exec.Path}
+		currentDir, err := os.Getwd()
+		if err != nil {
+			return nil, err
+		}
+
+		wd, _, err := kioutil.GetFileAnnotations(api)
+		if err != nil || wd == "" || wd == "/" {
+			wd = currentDir
+		}
+		ef := &exec.Filter{
+			Path: spec.Exec.Path,
+			WorkingDir: wd,
+		}
 
 		ef.FunctionConfig = api
 		ef.GlobalScope = r.GlobalScope

From 246c54a18b0cd4a6910fb75b18916c8c5244c757 Mon Sep 17 00:00:00 2001
From: Natasha Sarkar <natashasarkar@google.com>
Date: Wed, 18 Aug 2021 13:47:43 -0700
Subject: [PATCH 2/5] suggested changes

---
 api/internal/target/kusttarget.go      |  11 ++-
 api/krusty/fnplugin_test.go            | 118 +++++++++++++------------
 api/krusty/fnplugin_test/fnexectest.sh |  24 -----
 api/resmap/resmap.go                   |   4 -
 api/resmap/reswrangler.go              |  13 ---
 kyaml/fn/runtime/exec/exec.go          |  12 +--
 kyaml/kio/kioutil/kioutil.go           |   4 +
 kyaml/runfn/runfn.go                   |  28 ++++--
 8 files changed, 100 insertions(+), 114 deletions(-)
 delete mode 100755 api/krusty/fnplugin_test/fnexectest.sh

diff --git a/api/internal/target/kusttarget.go b/api/internal/target/kusttarget.go
index 046ed27a17..f601b42530 100644
--- a/api/internal/target/kusttarget.go
+++ b/api/internal/target/kusttarget.go
@@ -264,7 +264,7 @@ func (kt *KustTarget) configureExternalGenerators() ([]resmap.Generator, error)
 		return nil, err
 	}
 	m := ra.ResMap()
-	err = m.AnnotateAll(kioutil.PathAnnotation, kt.ldr.Root())
+	err = m.AnnotateAll(kioutil.WorkingDirAnnotation, kt.ldr.Root())
 	if err != nil {
 		return nil, err
 	}
@@ -300,12 +300,17 @@ func (kt *KustTarget) configureExternalTransformers(transformers []string) ([]re
 		}
 		ra.AppendAll(rm)
 	}
-	ra, err := kt.accumulateResources(ra, transformerPaths, &resource.Origin{})
 
+	ra, err := kt.accumulateResources(ra, transformerPaths, &resource.Origin{})
+	if err != nil {
+		return nil, err
+	}
+	m := ra.ResMap()
+	err = m.AnnotateAll(kioutil.WorkingDirAnnotation, kt.ldr.Root())
 	if err != nil {
 		return nil, err
 	}
-	return kt.pLdr.LoadTransformers(kt.ldr, kt.validator, ra.ResMap())
+	return kt.pLdr.LoadTransformers(kt.ldr, kt.validator, m)
 }
 
 func (kt *KustTarget) runValidators(ra *accumulator.ResAccumulator) error {
diff --git a/api/krusty/fnplugin_test.go b/api/krusty/fnplugin_test.go
index 554b5637f9..d4d7057ccf 100644
--- a/api/krusty/fnplugin_test.go
+++ b/api/krusty/fnplugin_test.go
@@ -7,17 +7,46 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/assert"
-	"sigs.k8s.io/kustomize/api/internal/utils"
-	"sigs.k8s.io/kustomize/api/krusty"
 	kusttest_test "sigs.k8s.io/kustomize/api/testutils/kusttest"
 	"sigs.k8s.io/kustomize/kyaml/filesys"
 )
 
+const execFile = `#!/bin/sh
+
+cat <<EOF
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx
+  labels:
+    app: nginx
+  annotations:
+    tshirt-size: small # this injects the resource reservations
+spec:
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+      - name: nginx
+        image: nginx
+EOF
+`
+
 func TestFnExecGenerator(t *testing.T) {
-	// Function plugins should not need the env setup done by MakeEnhancedHarness
-	th := kusttest_test.MakeHarness(t)
+	fSys := filesys.MakeFsOnDisk()
 
-	th.WriteK(".", `
+	th := kusttest_test.MakeHarnessWithFs(t, fSys)
+	o := th.MakeOptionsPluginsEnabled()
+	o.PluginConfig.FnpLoadingOptions.EnableExec = true
+
+	tmpDir, err := filesys.NewTmpConfirmedDir()
+	assert.NoError(t, err)
+	th.WriteK(tmpDir.String(), `
 resources:
 - short_secret.yaml
 generators:
@@ -25,7 +54,8 @@ generators:
 `)
 
 	// Create some additional resource just to make sure everything is added
-	th.WriteF("short_secret.yaml", `
+	th.WriteF(filepath.Join(tmpDir.String(), "short_secret.yaml"),
+		`
 apiVersion: v1
 kind: Secret
 metadata:
@@ -38,22 +68,25 @@ stringData:
     bootcmd:
     - mkdir /mnt/vda
 `)
+	th.WriteF(filepath.Join(tmpDir.String(), "exec.sh"), execFile)
 
-	th.WriteF("gener.yaml", `
+	assert.NoError(t, os.Chmod(filepath.Join(tmpDir.String(), "exec.sh"), 0777))
+	th.WriteF(filepath.Join(tmpDir.String(), "gener.yaml"), `
 kind: executable
 metadata:
   name: demo
   annotations:
     config.kubernetes.io/function: |
       exec:
-        path: ./fnplugin_test/fnexectest.sh
+        path: ./exec.sh
 spec:
 `)
-	o := th.MakeOptionsPluginsEnabled()
-	o.PluginConfig.FnpLoadingOptions.EnableExec = true
-	m := th.Run(".", o)
-	th.AssertActualEqualsExpected(m, `
-apiVersion: v1
+
+	m := th.Run(tmpDir.String(), o)
+	assert.NoError(t, err)
+	yml, err := m.AsYaml()
+	assert.NoError(t, err)
+	assert.Equal(t, `apiVersion: v1
 kind: Secret
 metadata:
   labels:
@@ -85,15 +118,16 @@ spec:
       containers:
       - image: nginx
         name: nginx
-`)
+`, string(yml))
+	assert.NoError(t, fSys.RemoveAll(tmpDir.String()))
 }
 
 func TestFnExecGeneratorWithOverlay(t *testing.T) {
 	fSys := filesys.MakeFsOnDisk()
-	th := kusttest_test.MakeHarness(t)
+
+	th := kusttest_test.MakeHarnessWithFs(t, fSys)
 	o := th.MakeOptionsPluginsEnabled()
 	o.PluginConfig.FnpLoadingOptions.EnableExec = true
-	b := krusty.MakeKustomizer(&o)
 
 	tmpDir, err := filesys.NewTmpConfirmedDir()
 	assert.NoError(t, err)
@@ -101,17 +135,18 @@ func TestFnExecGeneratorWithOverlay(t *testing.T) {
 	prod := filepath.Join(tmpDir.String(), "prod")
 	assert.NoError(t, fSys.Mkdir(base))
 	assert.NoError(t, fSys.Mkdir(prod))
-	assert.NoError(t, fSys.WriteFile(filepath.Join(base, "kustomization.yaml"), []byte(`
+	th.WriteK(base, `
 resources:
 - short_secret.yaml
 generators:
 - gener.yaml
-`)))
-	assert.NoError(t, fSys.WriteFile(filepath.Join(prod, "kustomization.yaml"), []byte(`
+`)
+	th.WriteK(prod, `
 resources:
 - ../base
-`)))
-	assert.NoError(t, fSys.WriteFile(filepath.Join(base, "short_secret.yaml"), []byte(`
+`)
+	th.WriteF(filepath.Join(base, "short_secret.yaml"),
+		`
 apiVersion: v1
 kind: Secret
 metadata:
@@ -123,34 +158,11 @@ stringData:
   userData: |
     bootcmd:
     - mkdir /mnt/vda
-`)))
-	assert.NoError(t, fSys.WriteFile(filepath.Join(base, "exec.sh"), []byte(`#!/bin/sh
+`)
+	th.WriteF(filepath.Join(base, "exec.sh"), execFile)
 
-cat <<EOF
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: nginx
-  labels:
-    app: nginx
-  annotations:
-    tshirt-size: small # this injects the resource reservations
-spec:
-  selector:
-    matchLabels:
-      app: nginx
-  template:
-    metadata:
-      labels:
-        app: nginx
-    spec:
-      containers:
-      - name: nginx
-        image: nginx
-EOF
-`)))
 	assert.NoError(t, os.Chmod(filepath.Join(base, "exec.sh"), 0777))
-	assert.NoError(t, fSys.WriteFile(filepath.Join(base, "gener.yaml"), []byte(`
+	th.WriteF(filepath.Join(base, "gener.yaml"), `
 kind: executable
 metadata:
   name: demo
@@ -159,15 +171,9 @@ metadata:
       exec:
         path: ./exec.sh
 spec:
-`)))
-
-	m, err := b.Run(
-		fSys,
-		prod)
-	if utils.IsErrTimeout(err) {
-		// Don't fail on timeouts.
-		t.SkipNow()
-	}
+`)
+
+	m := th.Run(prod, o)
 	assert.NoError(t, err)
 	yml, err := m.AsYaml()
 	assert.NoError(t, err)
diff --git a/api/krusty/fnplugin_test/fnexectest.sh b/api/krusty/fnplugin_test/fnexectest.sh
deleted file mode 100755
index d8e7c9eabb..0000000000
--- a/api/krusty/fnplugin_test/fnexectest.sh
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/bin/sh
-
-cat <<EOF
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: nginx
-  labels:
-    app: nginx
-  annotations:
-    tshirt-size: small # this injects the resource reservations
-spec:
-  selector:
-    matchLabels:
-      app: nginx
-  template:
-    metadata:
-      labels:
-        app: nginx
-    spec:
-      containers:
-      - name: nginx
-        image: nginx
-EOF
diff --git a/api/resmap/resmap.go b/api/resmap/resmap.go
index b6b5118bda..7c0c2ea802 100644
--- a/api/resmap/resmap.go
+++ b/api/resmap/resmap.go
@@ -123,10 +123,6 @@ type ResMap interface {
 	// failing on any CurId collision.
 	AppendAll(ResMap) error
 
-	// AnnotateAll annotates all resources in the ResMap with
-	// the provided key value pair.
-	AnnotateAll(key string, value string) error
-
 	// AbsorbAll appends, replaces or merges the contents
 	// of another ResMap into self,
 	// allowing and sometimes demanding ID collisions.
diff --git a/api/resmap/reswrangler.go b/api/resmap/reswrangler.go
index 2c25c65a61..391d11f523 100644
--- a/api/resmap/reswrangler.go
+++ b/api/resmap/reswrangler.go
@@ -545,19 +545,6 @@ func (m *resWrangler) appendReplaceOrMerge(res *resource.Resource) error {
 	}
 }
 
-// AnnotateAll implements ResMap
-func (m *resWrangler) AnnotateAll(key string, value string) error {
-	return m.ApplyFilter(annotations.Filter{
-		Annotations: map[string]string{
-			key: value,
-		},
-		FsSlice: []types.FieldSpec{{
-			Path:               "metadata/annotations",
-			CreateIfNotPresent: true,
-		}},
-	})
-}
-
 // Select returns a list of resources that
 // are selected by a Selector
 func (m *resWrangler) Select(s types.Selector) ([]*resource.Resource, error) {
diff --git a/kyaml/fn/runtime/exec/exec.go b/kyaml/fn/runtime/exec/exec.go
index fcd53d1512..7bab904c6a 100644
--- a/kyaml/fn/runtime/exec/exec.go
+++ b/kyaml/fn/runtime/exec/exec.go
@@ -32,18 +32,12 @@ func (c *Filter) Filter(nodes []*yaml.RNode) ([]*yaml.RNode, error) {
 }
 
 func (c *Filter) Run(reader io.Reader, writer io.Writer) error {
-	if c.WorkingDir != "" {
-		p, err := os.Getwd()
-		if err != nil {
-			return err
-		}
-		os.Chdir(c.WorkingDir)
-		defer os.Chdir(p)
-	}
-
 	cmd := exec.Command(c.Path, c.Args...)
 	cmd.Stdin = reader
 	cmd.Stdout = writer
 	cmd.Stderr = os.Stderr
+	if c.WorkingDir != "" {
+		cmd.Dir = c.WorkingDir
+	}
 	return cmd.Run()
 }
diff --git a/kyaml/kio/kioutil/kioutil.go b/kyaml/kio/kioutil/kioutil.go
index 993cdfd848..16155e4b26 100644
--- a/kyaml/kio/kioutil/kioutil.go
+++ b/kyaml/kio/kioutil/kioutil.go
@@ -25,6 +25,10 @@ const (
 
 	// SeqIndentAnnotation records the sequence nodes indentation of the input resource
 	SeqIndentAnnotation AnnotationKey = "internal.config.kubernetes.io/seqindent"
+
+	// WorkingDirAnnotation records the directory of the kustomization that
+	// refers to the resource
+	WorkingDirAnnotation AnnotationKey = "internal.config.kubernetes.io/working-dir"
 )
 
 func GetFileAnnotations(rn *yaml.RNode) (string, string, error) {
diff --git a/kyaml/runfn/runfn.go b/kyaml/runfn/runfn.go
index d3dd071d20..ca731490a0 100644
--- a/kyaml/runfn/runfn.go
+++ b/kyaml/runfn/runfn.go
@@ -507,15 +507,11 @@ func (r *RunFns) ffp(spec runtimeutil.FunctionSpec, api *yaml.RNode, currentUser
 	}
 
 	if r.EnableExec && spec.Exec.Path != "" {
-		currentDir, err := os.Getwd()
+		wd, err := getWorkingDirectory(api)
 		if err != nil {
 			return nil, err
 		}
 
-		wd, _, err := kioutil.GetFileAnnotations(api)
-		if err != nil || wd == "" || wd == "/" {
-			wd = currentDir
-		}
 		ef := &exec.Filter{
 			Path: spec.Exec.Path,
 			WorkingDir: wd,
@@ -530,3 +526,25 @@ func (r *RunFns) ffp(spec runtimeutil.FunctionSpec, api *yaml.RNode, currentUser
 
 	return nil, nil
 }
+
+func getWorkingDirectory(api *yaml.RNode) (string, error) {
+	annotations := api.GetAnnotations()
+	wd, ok := annotations[kioutil.WorkingDirAnnotation]
+	if !ok {
+		var err error
+		wd, err = os.Getwd()
+		if err != nil {
+			return "", err
+		}
+	} else {
+		if !filepath.IsAbs(wd) || !path.IsAbs(wd) {
+			return "", errors.Errorf(
+				"relative working directory %s not allowed", wd)
+		}
+		if wd == "/" {
+			return "", errors.Errorf(
+				"root working directory '/' not allowed")
+		}
+	}
+	return wd, nil
+}

From eb3493cfc1155898e915ff1f9f8004262974c1ce Mon Sep 17 00:00:00 2001
From: Natasha Sarkar <natashasarkar@google.com>
Date: Thu, 19 Aug 2021 13:08:33 -0700
Subject: [PATCH 3/5] more code review

---
 api/krusty/fnplugin_test.go | 14 +++++++-------
 api/resmap/reswrangler.go   | 26 +++++++++++++-------------
 kyaml/runfn/runfn.go        | 25 +++++++++++--------------
 3 files changed, 31 insertions(+), 34 deletions(-)

diff --git a/api/krusty/fnplugin_test.go b/api/krusty/fnplugin_test.go
index d4d7057ccf..88fa8dee84 100644
--- a/api/krusty/fnplugin_test.go
+++ b/api/krusty/fnplugin_test.go
@@ -11,7 +11,7 @@ import (
 	"sigs.k8s.io/kustomize/kyaml/filesys"
 )
 
-const execFile = `#!/bin/sh
+const generateDeploymentDotSh = `#!/bin/sh
 
 cat <<EOF
 apiVersion: apps/v1
@@ -68,9 +68,9 @@ stringData:
     bootcmd:
     - mkdir /mnt/vda
 `)
-	th.WriteF(filepath.Join(tmpDir.String(), "exec.sh"), execFile)
+	th.WriteF(filepath.Join(tmpDir.String(), "generateDeployment.sh"), generateDeploymentDotSh)
 
-	assert.NoError(t, os.Chmod(filepath.Join(tmpDir.String(), "exec.sh"), 0777))
+	assert.NoError(t, os.Chmod(filepath.Join(tmpDir.String(), "generateDeployment.sh"), 0777))
 	th.WriteF(filepath.Join(tmpDir.String(), "gener.yaml"), `
 kind: executable
 metadata:
@@ -78,7 +78,7 @@ metadata:
   annotations:
     config.kubernetes.io/function: |
       exec:
-        path: ./exec.sh
+        path: ./generateDeployment.sh
 spec:
 `)
 
@@ -159,9 +159,9 @@ stringData:
     bootcmd:
     - mkdir /mnt/vda
 `)
-	th.WriteF(filepath.Join(base, "exec.sh"), execFile)
+	th.WriteF(filepath.Join(base, "generateDeployment.sh"), generateDeploymentDotSh)
 
-	assert.NoError(t, os.Chmod(filepath.Join(base, "exec.sh"), 0777))
+	assert.NoError(t, os.Chmod(filepath.Join(base, "generateDeployment.sh"), 0777))
 	th.WriteF(filepath.Join(base, "gener.yaml"), `
 kind: executable
 metadata:
@@ -169,7 +169,7 @@ metadata:
   annotations:
     config.kubernetes.io/function: |
       exec:
-        path: ./exec.sh
+        path: ./generateDeployment.sh
 spec:
 `)
 
diff --git a/api/resmap/reswrangler.go b/api/resmap/reswrangler.go
index 391d11f523..5bdc5c585e 100644
--- a/api/resmap/reswrangler.go
+++ b/api/resmap/reswrangler.go
@@ -88,19 +88,6 @@ func (m *resWrangler) append(res *resource.Resource) {
 	m.rList = append(m.rList, res)
 }
 
-// AnnotateAll implements ResMap
-func (m *resWrangler) AnnotateAll(key string, value string) error {
-	return m.ApplyFilter(annotations.Filter{
-		Annotations: map[string]string{
-			key: value,
-		},
-		FsSlice: []types.FieldSpec{{
-			Path:               "metadata/annotations",
-			CreateIfNotPresent: true,
-		}},
-	})
-}
-
 // Remove implements ResMap.
 func (m *resWrangler) Remove(adios resid.ResId) error {
 	var rList []*resource.Resource
@@ -545,6 +532,19 @@ func (m *resWrangler) appendReplaceOrMerge(res *resource.Resource) error {
 	}
 }
 
+// AnnotateAll implements ResMap
+func (m *resWrangler) AnnotateAll(key string, value string) error {
+	return m.ApplyFilter(annotations.Filter{
+		Annotations: map[string]string{
+			key: value,
+		},
+		FsSlice: []types.FieldSpec{{
+			Path:               "metadata/annotations",
+			CreateIfNotPresent: true,
+		}},
+	})
+}
+
 // Select returns a list of resources that
 // are selected by a Selector
 func (m *resWrangler) Select(s types.Selector) ([]*resource.Resource, error) {
diff --git a/kyaml/runfn/runfn.go b/kyaml/runfn/runfn.go
index ca731490a0..7904bf434f 100644
--- a/kyaml/runfn/runfn.go
+++ b/kyaml/runfn/runfn.go
@@ -531,20 +531,17 @@ func getWorkingDirectory(api *yaml.RNode) (string, error) {
 	annotations := api.GetAnnotations()
 	wd, ok := annotations[kioutil.WorkingDirAnnotation]
 	if !ok {
-		var err error
-		wd, err = os.Getwd()
-		if err != nil {
-			return "", err
-		}
-	} else {
-		if !filepath.IsAbs(wd) || !path.IsAbs(wd) {
-			return "", errors.Errorf(
-				"relative working directory %s not allowed", wd)
-		}
-		if wd == "/" {
-			return "", errors.Errorf(
-				"root working directory '/' not allowed")
-		}
+		return os.Getwd()
 	}
+
+	if !filepath.IsAbs(wd) {
+		return "", errors.Errorf(
+			"relative working directory %s not allowed", wd)
+	}
+	if wd == "/" {
+		return "", errors.Errorf(
+			"root working directory '/' not allowed")
+	}
+
 	return wd, nil
 }

From 16482c92d0a591e5fa7cb74c3de41e513cb24d4b Mon Sep 17 00:00:00 2001
From: Natasha Sarkar <natashasarkar@google.com>
Date: Thu, 19 Aug 2021 13:48:12 -0700
Subject: [PATCH 4/5] use a field instead of an annotation

---
 api/internal/plugins/fnplugin/fnplugin.go |  1 +
 api/internal/plugins/loader/loader.go     |  5 +++++
 api/internal/target/kusttarget.go         | 19 +++++--------------
 api/resmap/resmap.go                      |  4 ++++
 api/types/pluginrestrictions.go           |  2 ++
 kyaml/kio/kioutil/kioutil.go              |  4 ----
 kyaml/runfn/runfn.go                      | 14 ++++++++------
 7 files changed, 25 insertions(+), 24 deletions(-)

diff --git a/api/internal/plugins/fnplugin/fnplugin.go b/api/internal/plugins/fnplugin/fnplugin.go
index 76be4b0760..5ee53a282a 100644
--- a/api/internal/plugins/fnplugin/fnplugin.go
+++ b/api/internal/plugins/fnplugin/fnplugin.go
@@ -187,6 +187,7 @@ func (p *FnPlugin) invokePlugin(input []byte) ([]byte, error) {
 	p.runFns.Input = bytes.NewReader(input)
 	p.runFns.Functions = append(p.runFns.Functions, functionConfig)
 	p.runFns.Output = &ouputBuffer
+	p.runFns.WorkDir = p.h.WorkingDir()
 
 	err = p.runFns.Execute()
 	if err != nil {
diff --git a/api/internal/plugins/loader/loader.go b/api/internal/plugins/loader/loader.go
index 7bcce43152..3fff946bba 100644
--- a/api/internal/plugins/loader/loader.go
+++ b/api/internal/plugins/loader/loader.go
@@ -47,6 +47,11 @@ func (l *Loader) Config() *types.PluginConfig {
 	return l.pc
 }
 
+// SetWorkDir sets the working directory for this loader's plugins
+func (l *Loader) SetWorkDir(wd string) {
+	l.pc.FnpLoadingOptions.WorkingDir = wd
+}
+
 func (l *Loader) LoadGenerators(
 	ldr ifc.Loader, v ifc.Validator, rm resmap.ResMap) ([]resmap.Generator, error) {
 	var result []resmap.Generator
diff --git a/api/internal/target/kusttarget.go b/api/internal/target/kusttarget.go
index f601b42530..0141b992f7 100644
--- a/api/internal/target/kusttarget.go
+++ b/api/internal/target/kusttarget.go
@@ -21,7 +21,6 @@ import (
 	"sigs.k8s.io/kustomize/api/resmap"
 	"sigs.k8s.io/kustomize/api/resource"
 	"sigs.k8s.io/kustomize/api/types"
-	"sigs.k8s.io/kustomize/kyaml/kio/kioutil"
 	"sigs.k8s.io/kustomize/kyaml/openapi"
 	"sigs.k8s.io/yaml"
 )
@@ -41,11 +40,13 @@ func NewKustTarget(
 	validator ifc.Validator,
 	rFactory *resmap.Factory,
 	pLdr *loader.Loader) *KustTarget {
+	pLdrCopy := *pLdr
+	pLdrCopy.SetWorkDir(ldr.Root())
 	return &KustTarget{
 		ldr:       ldr,
 		validator: validator,
 		rFactory:  rFactory,
-		pLdr:      pLdr,
+		pLdr:      &pLdrCopy,
 	}
 }
 
@@ -263,12 +264,7 @@ func (kt *KustTarget) configureExternalGenerators() ([]resmap.Generator, error)
 	if err != nil {
 		return nil, err
 	}
-	m := ra.ResMap()
-	err = m.AnnotateAll(kioutil.WorkingDirAnnotation, kt.ldr.Root())
-	if err != nil {
-		return nil, err
-	}
-	return kt.pLdr.LoadGenerators(kt.ldr, kt.validator, m)
+	return kt.pLdr.LoadGenerators(kt.ldr, kt.validator, ra.ResMap())
 }
 
 func (kt *KustTarget) runTransformers(ra *accumulator.ResAccumulator) error {
@@ -305,12 +301,7 @@ func (kt *KustTarget) configureExternalTransformers(transformers []string) ([]re
 	if err != nil {
 		return nil, err
 	}
-	m := ra.ResMap()
-	err = m.AnnotateAll(kioutil.WorkingDirAnnotation, kt.ldr.Root())
-	if err != nil {
-		return nil, err
-	}
-	return kt.pLdr.LoadTransformers(kt.ldr, kt.validator, m)
+	return kt.pLdr.LoadTransformers(kt.ldr, kt.validator, ra.ResMap())
 }
 
 func (kt *KustTarget) runValidators(ra *accumulator.ResAccumulator) error {
diff --git a/api/resmap/resmap.go b/api/resmap/resmap.go
index 7c0c2ea802..8327543ae2 100644
--- a/api/resmap/resmap.go
+++ b/api/resmap/resmap.go
@@ -66,6 +66,10 @@ func (c *PluginHelpers) Validator() ifc.Validator {
 	return c.v
 }
 
+func (c *PluginHelpers) WorkingDir() string {
+	return c.pc.FnpLoadingOptions.WorkingDir
+}
+
 type GeneratorPlugin interface {
 	Generator
 	Configurable
diff --git a/api/types/pluginrestrictions.go b/api/types/pluginrestrictions.go
index b1ab2221f6..88b03b3f5b 100644
--- a/api/types/pluginrestrictions.go
+++ b/api/types/pluginrestrictions.go
@@ -57,4 +57,6 @@ type FnPluginLoadingOptions struct {
 	Env []string
 	// Run as uid and gid of the command executor
 	AsCurrentUser bool
+	// Run in this working directory
+	WorkingDir string
 }
diff --git a/kyaml/kio/kioutil/kioutil.go b/kyaml/kio/kioutil/kioutil.go
index 16155e4b26..993cdfd848 100644
--- a/kyaml/kio/kioutil/kioutil.go
+++ b/kyaml/kio/kioutil/kioutil.go
@@ -25,10 +25,6 @@ const (
 
 	// SeqIndentAnnotation records the sequence nodes indentation of the input resource
 	SeqIndentAnnotation AnnotationKey = "internal.config.kubernetes.io/seqindent"
-
-	// WorkingDirAnnotation records the directory of the kustomization that
-	// refers to the resource
-	WorkingDirAnnotation AnnotationKey = "internal.config.kubernetes.io/working-dir"
 )
 
 func GetFileAnnotations(rn *yaml.RNode) (string, string, error) {
diff --git a/kyaml/runfn/runfn.go b/kyaml/runfn/runfn.go
index 7904bf434f..f85788dfb9 100644
--- a/kyaml/runfn/runfn.go
+++ b/kyaml/runfn/runfn.go
@@ -101,6 +101,10 @@ type RunFns struct {
 	// If it is true, the empty result will be provided as input to the next
 	// function in the list.
 	ContinueOnEmptyResult bool
+
+	// WorkDir specifies which working directory an exec function should run in.
+	// If this is empty, fall back to the current working directory.
+	WorkDir string
 }
 
 // Execute runs the command
@@ -507,13 +511,13 @@ func (r *RunFns) ffp(spec runtimeutil.FunctionSpec, api *yaml.RNode, currentUser
 	}
 
 	if r.EnableExec && spec.Exec.Path != "" {
-		wd, err := getWorkingDirectory(api)
+		wd, err := getWorkingDirectory(r.WorkDir)
 		if err != nil {
 			return nil, err
 		}
 
 		ef := &exec.Filter{
-			Path: spec.Exec.Path,
+			Path:       spec.Exec.Path,
 			WorkingDir: wd,
 		}
 
@@ -527,10 +531,8 @@ func (r *RunFns) ffp(spec runtimeutil.FunctionSpec, api *yaml.RNode, currentUser
 	return nil, nil
 }
 
-func getWorkingDirectory(api *yaml.RNode) (string, error) {
-	annotations := api.GetAnnotations()
-	wd, ok := annotations[kioutil.WorkingDirAnnotation]
-	if !ok {
+func getWorkingDirectory(wd string) (string, error) {
+	if wd == "" {
 		return os.Getwd()
 	}
 

From 05228bbfed5bc4cb18903b2a7e8a5ee4cae27f5b Mon Sep 17 00:00:00 2001
From: Natasha Sarkar <natashasarkar@google.com>
Date: Thu, 19 Aug 2021 15:10:33 -0700
Subject: [PATCH 5/5] more code review

---
 api/internal/plugins/fnplugin/fnplugin.go |  2 +-
 api/internal/target/kusttarget.go         |  1 -
 api/resmap/resmap.go                      |  4 ----
 cmd/config/internal/commands/run-fns.go   |  8 +++++++
 cmd/config/internal/commands/run_test.go  | 18 +++++++++-----
 kyaml/fn/runtime/exec/exec.go             | 10 ++++++++
 kyaml/runfn/runfn.go                      | 29 ++++-------------------
 7 files changed, 36 insertions(+), 36 deletions(-)

diff --git a/api/internal/plugins/fnplugin/fnplugin.go b/api/internal/plugins/fnplugin/fnplugin.go
index 5ee53a282a..84bc0ac059 100644
--- a/api/internal/plugins/fnplugin/fnplugin.go
+++ b/api/internal/plugins/fnplugin/fnplugin.go
@@ -79,6 +79,7 @@ func NewFnPlugin(o *types.FnPluginLoadingOptions) *FnPlugin {
 			StorageMounts:  toStorageMounts(o.Mounts),
 			Env:            o.Env,
 			AsCurrentUser:  o.AsCurrentUser,
+			WorkingDir:     o.WorkingDir,
 		},
 	}
 }
@@ -187,7 +188,6 @@ func (p *FnPlugin) invokePlugin(input []byte) ([]byte, error) {
 	p.runFns.Input = bytes.NewReader(input)
 	p.runFns.Functions = append(p.runFns.Functions, functionConfig)
 	p.runFns.Output = &ouputBuffer
-	p.runFns.WorkDir = p.h.WorkingDir()
 
 	err = p.runFns.Execute()
 	if err != nil {
diff --git a/api/internal/target/kusttarget.go b/api/internal/target/kusttarget.go
index 0141b992f7..45e021e245 100644
--- a/api/internal/target/kusttarget.go
+++ b/api/internal/target/kusttarget.go
@@ -296,7 +296,6 @@ func (kt *KustTarget) configureExternalTransformers(transformers []string) ([]re
 		}
 		ra.AppendAll(rm)
 	}
-
 	ra, err := kt.accumulateResources(ra, transformerPaths, &resource.Origin{})
 	if err != nil {
 		return nil, err
diff --git a/api/resmap/resmap.go b/api/resmap/resmap.go
index 8327543ae2..7c0c2ea802 100644
--- a/api/resmap/resmap.go
+++ b/api/resmap/resmap.go
@@ -66,10 +66,6 @@ func (c *PluginHelpers) Validator() ifc.Validator {
 	return c.v
 }
 
-func (c *PluginHelpers) WorkingDir() string {
-	return c.pc.FnpLoadingOptions.WorkingDir
-}
-
 type GeneratorPlugin interface {
 	Generator
 	Configurable
diff --git a/cmd/config/internal/commands/run-fns.go b/cmd/config/internal/commands/run-fns.go
index a28e0b2b9f..684d940c20 100644
--- a/cmd/config/internal/commands/run-fns.go
+++ b/cmd/config/internal/commands/run-fns.go
@@ -6,6 +6,7 @@ package commands
 import (
 	"fmt"
 	"io"
+	"os"
 	"strings"
 
 	"github.com/spf13/cobra"
@@ -73,6 +74,7 @@ func GetRunFnRunner(name string) *RunFnRunner {
 		"a list of environment variables to be used by functions")
 	r.Command.Flags().BoolVar(
 		&r.AsCurrentUser, "as-current-user", false, "use the uid and gid of the command executor to run the function in the container")
+
 	return r
 }
 
@@ -302,6 +304,11 @@ func (r *RunFnRunner) preRunE(c *cobra.Command, args []string) error {
 	// parse mounts to set storageMounts
 	storageMounts := toStorageMounts(r.Mounts)
 
+	wd, err := os.Getwd()
+	if err != nil {
+		return err
+	}
+
 	r.RunFns = runfn.RunFns{
 		FunctionPaths:  r.FnPaths,
 		GlobalScope:    r.GlobalScope,
@@ -317,6 +324,7 @@ func (r *RunFnRunner) preRunE(c *cobra.Command, args []string) error {
 		LogSteps:       r.LogSteps,
 		Env:            r.Env,
 		AsCurrentUser:  r.AsCurrentUser,
+		WorkingDir:     wd,
 	}
 
 	// don't consider args for the function
diff --git a/cmd/config/internal/commands/run_test.go b/cmd/config/internal/commands/run_test.go
index bf9c682276..5a8ca8e268 100644
--- a/cmd/config/internal/commands/run_test.go
+++ b/cmd/config/internal/commands/run_test.go
@@ -11,13 +11,14 @@ import (
 
 	"github.com/spf13/cobra"
 	"github.com/stretchr/testify/assert"
-
 	"sigs.k8s.io/kustomize/kyaml/runfn"
 )
 
 // TestRunFnCommand_preRunE verifies that preRunE correctly parses the commandline
 // flags and arguments into the RunFns structure to be executed.
 func TestRunFnCommand_preRunE(t *testing.T) {
+	wd, err := os.Getwd()
+	assert.NoError(t, err)
 	tests := []struct {
 		name           string
 		args           []string
@@ -201,6 +202,7 @@ apiVersion: v1
 				Path:           "dir",
 				EnableStarlark: true,
 				Env:            []string{},
+				WorkingDir:     wd,
 			},
 		},
 		{
@@ -254,6 +256,7 @@ apiVersion: v1
 				Path:       "dir",
 				ResultsDir: "foo/",
 				Env:        []string{},
+				WorkingDir: wd,
 			},
 			expected: `
 metadata:
@@ -286,9 +289,10 @@ apiVersion: v1
 			args: []string{"run", "dir", "--log-steps"},
 			path: "dir",
 			expectedStruct: &runfn.RunFns{
-				Path:     "dir",
-				LogSteps: true,
-				Env:      []string{},
+				Path:       "dir",
+				LogSteps:   true,
+				Env:        []string{},
+				WorkingDir: wd,
 			},
 		},
 		{
@@ -296,8 +300,9 @@ apiVersion: v1
 			args: []string{"run", "dir", "--env", "FOO=BAR", "-e", "BAR"},
 			path: "dir",
 			expectedStruct: &runfn.RunFns{
-				Path: "dir",
-				Env:  []string{"FOO=BAR", "BAR"},
+				Path:       "dir",
+				Env:        []string{"FOO=BAR", "BAR"},
+				WorkingDir: wd,
 			},
 		},
 		{
@@ -308,6 +313,7 @@ apiVersion: v1
 				Path:          "dir",
 				AsCurrentUser: true,
 				Env:           []string{},
+				WorkingDir:    wd,
 			},
 		},
 	}
diff --git a/kyaml/fn/runtime/exec/exec.go b/kyaml/fn/runtime/exec/exec.go
index 7bab904c6a..628d3dac8e 100644
--- a/kyaml/fn/runtime/exec/exec.go
+++ b/kyaml/fn/runtime/exec/exec.go
@@ -7,7 +7,9 @@ import (
 	"io"
 	"os"
 	"os/exec"
+	"path/filepath"
 
+	"sigs.k8s.io/kustomize/kyaml/errors"
 	"sigs.k8s.io/kustomize/kyaml/fn/runtime/runtimeutil"
 	"sigs.k8s.io/kustomize/kyaml/yaml"
 )
@@ -37,6 +39,14 @@ func (c *Filter) Run(reader io.Reader, writer io.Writer) error {
 	cmd.Stdout = writer
 	cmd.Stderr = os.Stderr
 	if c.WorkingDir != "" {
+		if !filepath.IsAbs(c.WorkingDir) {
+			return errors.Errorf(
+				"relative working directory %s not allowed", c.WorkingDir)
+		}
+		if c.WorkingDir == "/" {
+			return errors.Errorf(
+				"root working directory '/' not allowed")
+		}
 		cmd.Dir = c.WorkingDir
 	}
 	return cmd.Run()
diff --git a/kyaml/runfn/runfn.go b/kyaml/runfn/runfn.go
index f85788dfb9..05f57f8ff8 100644
--- a/kyaml/runfn/runfn.go
+++ b/kyaml/runfn/runfn.go
@@ -102,9 +102,8 @@ type RunFns struct {
 	// function in the list.
 	ContinueOnEmptyResult bool
 
-	// WorkDir specifies which working directory an exec function should run in.
-	// If this is empty, fall back to the current working directory.
-	WorkDir string
+	// WorkingDir specifies which working directory an exec function should run in.
+	WorkingDir string
 }
 
 // Execute runs the command
@@ -511,14 +510,13 @@ func (r *RunFns) ffp(spec runtimeutil.FunctionSpec, api *yaml.RNode, currentUser
 	}
 
 	if r.EnableExec && spec.Exec.Path != "" {
-		wd, err := getWorkingDirectory(r.WorkDir)
-		if err != nil {
-			return nil, err
+		if r.WorkingDir == "" {
+			return nil, fmt.Errorf("no working directory set for exec function")
 		}
 
 		ef := &exec.Filter{
 			Path:       spec.Exec.Path,
-			WorkingDir: wd,
+			WorkingDir: r.WorkingDir,
 		}
 
 		ef.FunctionConfig = api
@@ -530,20 +528,3 @@ func (r *RunFns) ffp(spec runtimeutil.FunctionSpec, api *yaml.RNode, currentUser
 
 	return nil, nil
 }
-
-func getWorkingDirectory(wd string) (string, error) {
-	if wd == "" {
-		return os.Getwd()
-	}
-
-	if !filepath.IsAbs(wd) {
-		return "", errors.Errorf(
-			"relative working directory %s not allowed", wd)
-	}
-	if wd == "/" {
-		return "", errors.Errorf(
-			"root working directory '/' not allowed")
-	}
-
-	return wd, nil
-}