Kustomize hangs on replacements with regex key-value pair and create: true

[sfbahr]

What happened?

kustomize build or kubectl kustomize both hang indefinitely

What did you expect to happen?

Resources are output with correct replacements

How can we reproduce it (as minimally and precisely as possible)?

I've recreated this with a minimal repo here: https://github.com/sfbahr/kustomize-replacement-bug/tree/broken

The key pieces of config are:

replacements:
- targets:
  - fieldPaths:
    - spec.containers.[name=^logshipper$]
    options:
      create: true

Expected output

apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - image: nginx:1.14.2
    name: nginx
    ports:
    - containerPort: 80
  - command:
    - sh
    - -c
    - tail -F /opt/logs.txt
    image: alpine:latest
    name: logshipper
    restartPolicy: Always

Actual output

None

Kustomize version

v5.5.0

Operating system

Linux

[aaroniscode]

@sfbahr

I tested this on a Mac OS v15.1.1, installed Kustomize v5.5.5 using brew install and it runs fine and produces the expected output.

What Linux Distro and version were you using?

[sfbahr]

@aaroniscode are you sure you switched to the broken branch in my reproduction repo? I'm able to reproduce this on MacOS 15.2 w/ Kustomize v5.5.0 using brew install.

sbahr@sbahr kustomize-replacement-bug % git branch
* broken
  main
sbahr@sbahr kustomize-replacement-bug % kustomize version
v5.5.0
sbahr@sbahr kustomize-replacement-bug % kustomize build
[hangs forever...]

Edit: I originally found this bug on Ubuntu 18.04

[aaroniscode]

I am able to reproduce the issue using the broken branch. As soon as the fieldPath is changed from:

- spec.containers.[name=logshipper]

to

- spec.containers.[name=^logshipper$]

Kustomize appears to run in an infinite loop consuming a lot of CPU and memory usage goes up and down but trends higher and left running for hours will consume over 1GB of memory.

The documentation for Field Path format states:

After kustomize v4.5.3, The index by key-value pair option matches any values with regexp. If you want to exact match, please use the exact match operand in value. e.g., spec.template.spec.containers.[name=^nginx$].image

So this appears to be a valid use case.

/triage accepted

[dims]

@koba1t @natasha41575 looks like it is easy to reproduce with a tiny change in an existing test case as well (goes into infinite loop)

diff --git a/api/filters/replacement/replacement_test.go b/api/filters/replacement/replacement_test.go
index 7619e5fc9d3b..2e55ff49037a 100644
--- a/api/filters/replacement/replacement_test.go
+++ b/api/filters/replacement/replacement_test.go
@@ -1527,7 +1527,7 @@ spec:
     options:
       create: true
     fieldPaths:
-    - spec.template.spec.containers.[image=nginx].env.[name=deployment-name].value
+    - spec.template.spec.containers.[image=nginx].env.[name=^deployment-name$].value
 `,
 			expected: `apiVersion: apps/v1
 kind: Deployment

Essentially PathMatcher.doSeq ends up calling itself recursively:
https://github.com/kubernetes-sigs/kustomize/blob/master/kyaml/yaml/match.go#L210-L251

Like so:

Can you please take a look?