Multiple matches error when using ClusterRole resourceNames for resource in multiple namespaces

[tbarrella]

Hello! This seems like a bug that's easiest to illustrate with an example. Is this meant to be handleable?

conifg.yaml:

apiVersion: v1
kind: Secret
metadata:
  name: dummy
  namespace: default
type: Opaque
data:
  dummy: ""
---
apiVersion: v1
kind: Secret
metadata:
  name: dummy
  namespace: kube-system
type: Opaque
data:
  dummy: ""
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dummy
rules:
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["dummy"]
  verbs: ["get"]

kustomization.yaml:

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- config.yaml

Output:

$ kustomize build .
Error: Multiple matches for name ~G_v1_Secret|default|~P|dummy|~S:
 [~G_v1_Secret|default|~P|dummy|~S ~G_v1_Secret|kube-system|~P|dummy|~S]

[Liujingfang1]

@tbarrella Each item in resourceNames is supposed to match with one resource in the Kustomization. Thus when the resource name changes, kustomize can also update resourceName. With two dummy secrets, Kustomize doesn't know which one to match with.
What is your use case? Do you have to use multiple Secrets with the same name?

[tbarrella]

The reason this happened was using Skaffold with multiple Kaniko namespaces. Skaffold Config uses "docker-cfg" and "kaniko-secret" as default secret names, so those secrets were defined for multiple namespaces. I definitely wouldn't see this as a very big issue though

[jbrette]

@tbarrella Seems that pull request 1266 addresses the issue.

Saved the configuration files used to reproduce here.

kustomize build .

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: dummy
rules:
- apiGroups:
  - ""
  resourceNames:
  - dummy
  resources:
  - secrets
  verbs:
  - get
---
apiVersion: v1
data:
  dummy: ""
kind: Secret
metadata:
  name: dummy
  namespace: default
type: Opaque
---
apiVersion: v1
data:
  dummy: ""
kind: Secret
metadata:
  name: dummy
  namespace: kube-system
type: Opaque

[jbrette]

@tbarrella Can you confirm 3.0.3 is fixing th issue.

$HOME/bin/kustomize.3.0.3 build .

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: dummy
rules:
- apiGroups:
  - ""
  resourceNames:
  - dummy
  resources:
  - secrets
  verbs:
  - get
---
apiVersion: v1
data:
  dummy: ""
kind: Secret
metadata:
  name: dummy
  namespace: default
type: Opaque
---
apiVersion: v1
data:
  dummy: ""
kind: Secret
metadata:
  name: dummy
  namespace: kube-system
type: Opaque

[tbarrella]

Yes, this looks fixed in 3.0.3, nice/thank you!