Declarative GitFlow: restrict kustomize to master branch

You believe in declarative, in GitFlow, in small feature branches. Perfect. Your team is now making small changes on a branch and Merge Requests are happening, the CI is happening, all is good in the world.

Except sometimes people forget and do a kustomize build . | kubectl apply -f - from the wrong branch (e.g. not master, prior to merge). You know that someday the CD will fix this. But someday is not here.

Enter this small hack piece of brilliance.

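$ cat agilicus/v1/branchrestrict/BranchRestrict
#!/usr/bin/env /usr/bin/python3
import subprocess
import sys
import fnmatch
import yaml

# kustomize passes the path of the generator config as the first argument
with open(sys.argv[1], 'r') as stream:
    try:
        data = yaml.safe_load(stream)
    except yaml.YAMLError as exc:
        print(f"Error parsing BranchRestrict generator input ({exc})",
              file=sys.stderr)
        sys.exit(1)

# Name of the currently checked-out branch
branch = subprocess.check_output(['/usr/bin/git', 'rev-parse',
                                  '--abbrev-ref', 'HEAD']).strip().decode()

def allow(branch, target):
    # Emit no resources and exit cleanly so the build continues
    sys.exit(0)

def denied(branch, target):
    # A non-zero exit from the generator makes kustomize build fail
    print(f"Error: branch '{branch}', denied by rule '{target}'",
          file=sys.stderr)
    sys.exit(1)

# Allow rules are checked first; the first matching pattern decides
for target in data['allowed_branches']:
    if fnmatch.filter([branch], target):
        allow(branch, target)

for target in data['denied_branches']:
    if fnmatch.filter([branch], target):
        denied(branch, target)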

OK, a plugin generator. We’ll use that like:

$ cat master-only.yaml
apiVersion: agilicus/v1
kind: BranchRestrict
metadata:
  name: not-used-br
name: branch-restrict
allowed_branches:
  - master
denied_branches:
  - "*"

Perfect. Now no-one will forget and accidentally apply from their not-yet-merged feature branch. Beauty.
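
The rule evaluation in BranchRestrict, as an added example (not the author's code): `page_semantics` mirrors the script's allow-then-deny order, including the fall-through when no pattern matches, and `fail_closed` is a hypothetical stricter variant that denies by default and rejects a detached checkout. The function names and sample branch names are assumptions made for illustration.

```python
import fnmatch


def page_semantics(branch, allowed, denied):
    """Mirror the script's order: allow rules first, then deny rules."""
    for pat in allowed:
        if fnmatch.fnmatch(branch, pat):
            return True, f"allowed by '{pat}'"
    for pat in denied:
        if fnmatch.fnmatch(branch, pat):
            return False, f"denied by '{pat}'"
    # Neither loop matched: the script reaches its end and exits 0.
    return True, "no rule matched"


def fail_closed(branch, allowed):
    """Hypothetical stricter variant: anything not explicitly allowed is denied."""
    # Assumption: the name comes from `git rev-parse --abbrev-ref HEAD`,
    # which prints the literal string HEAD for a detached checkout.
    if branch == "HEAD":
        return False, "detached HEAD"
    for pat in allowed:
        # fnmatchcase matches case-sensitively on every platform
        if fnmatch.fnmatchcase(branch, pat):
            return True, f"allowed by '{pat}'"
    return False, "not in allowed_branches"


if __name__ == "__main__":
    # Constructed sample configs: label -> (allowed_branches, denied_branches)
    configs = {
        "master-only": (["master"], ["*"]),
        "no deny list": (["master"], []),
        "loose glob": (["master*"], ["*"]),
    }
    for label, (allowed, denied) in configs.items():
        for branch in ("master", "feature/login", "master-experiment", "HEAD"):
            print(label, branch,
                  page_semantics(branch, allowed, denied),
                  fail_closed(branch, allowed))
```

With the script's semantics, the catch-all `*` entry in `denied_branches` is what actually blocks feature branches, so a config that omits it allows every branch.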
