Remote bases & supply chain
Pinning and trusting external bases.
A kustomization can reference a remote base by URL — a Git repo, a specific path and ref — so you can build on shared manifests published elsewhere (a platform team’s base, an upstream project’s install manifests). It is powerful for reuse, and it is a supply-chain surface: a remote base contributes real resources to your build, so whoever controls that URL controls part of what you deploy.
resources:# pin to an exact ref (tag or commit SHA), never a moving branch- github.com/acme/platform-base//overlays/secure?ref=v1.4.0- ./deployment.yaml
Pin, review, and prefer vendoring
Treat a remote base like any dependency: pin it to an immutable ref (a tag or, best, a commit SHA) rather than ?ref=main, which pulls whatever that branch is today. For high-assurance setups, vendor the base into your repo (copy it in, or use a tool that does) so your build does not depend on a live external fetch and you review changes as diffs. Always kustomize build and inspect what a remote base actually contributes.
$ kustomize build . | kubeconform -strict # validate the assembled result# review exactly what the remote base added before applying — it is code you run