Allow more k8s actions in untrusted context

Allow the use of the k8s module in the untrusted execution context,
but check the 'src' and other attributes to make sure it isn't trying
to load a file from outside the executor work dir.  Otherwise,
this should be safe since it only operates on external resources.

Also, the add_host module can already be used with kubectl, but
it does not allow setting the namespace which may be necessary
if the credential being used isn't already scoped to the target
namespace.  Allow the ansible_kubectl_namespace option to be
used with add_host.

Change-Id: Id4f4dda2f7b743752553718aec69507bbc7a5b12

zuul/ansible/base/action/add_host.py

@@ -33,6 +33,7 @@ class ActionModule(add_host.ActionModule):
             'ansible_ssh_pass',
             'ansible_fqdn',
             'ansible_private_key_file',
+            'ansible_kubectl_namespace',
         ))
         args = set(filter(
             lambda x: x.startswith('ansible_'), self._task.args.keys()))

zuul/ansible/base/action/normal.py

@@ -116,3 +116,16 @@ class ActionModule(normal.ActionModule):
                 " Only {allowed_schemes} are allowed".format(
                     scheme=scheme,
                     allowed_schemes=ALLOWED_URL_SCHEMES))
+
+    def handle_k8s(self):
+        '''Allow k8s module on localhost if it doesn't touch unsafe files.
+
+        The :ansible:module:`k8s` can be used from the executor to modify
+        k8s resources.  Several options refer to local paths; check that
+        they are constrained to the work dir.
+        '''
+        for arg in ('src', 'ca_cert', 'client_cert',
+                    'client_key', 'kubeconfig'):
+            path = self._task.args.get(arg)
+            if path:
+                paths._fail_if_unsafe(path)