Require Ingress HTTPS
Ingress resources should only allow secure traffic by disabling HTTP and therefore only allowing HTTPS. This policy requires that all Ingress resources set the annotation `kubernetes.io/ingress.allow-http` to `"false"` and specify TLS in the spec.
Policy Definition
/other/require-ingress-https/require-ingress-https.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-ingress-https
  annotations:
    policies.kyverno.io/title: Require Ingress HTTPS
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.9.0
    kyverno.io/kubernetes-version: "1.24"
    policies.kyverno.io/subject: Ingress
    policies.kyverno.io/description: >-
      Ingress resources should only allow secure traffic by disabling
      HTTP and therefore only allowing HTTPS. This policy requires that all
      Ingress resources set the annotation `kubernetes.io/ingress.allow-http` to
      `"false"` and specify TLS in the spec.
spec:
  background: true
  # audit: violations are reported but the request is not blocked
  validationFailureAction: audit
  rules:
  # Rule 1: the allow-http annotation must be present and set to "false"
  - name: has-annotation
    match:
      any:
      - resources:
          kinds:
          - Ingress
    preconditions:
      all:
      # Evaluate only when the operation is CREATE or UPDATE
      - key: "{{request.operation || 'BACKGROUND'}}"
        operator: AnyIn
        value:
        - CREATE
        - UPDATE
    validate:
      message: "The kubernetes.io/ingress.allow-http annotation must be set to false."
      pattern:
        metadata:
          annotations:
            kubernetes.io/ingress.allow-http: "false"
  # Rule 2: the Ingress spec must contain a tls key
  - name: has-tls
    match:
      any:
      - resources:
          kinds:
          - Ingress
    preconditions:
      all:
      - key: "{{request.operation || 'BACKGROUND'}}"
        operator: AnyIn
        value:
        - CREATE
        - UPDATE
    validate:
      message: "TLS must be defined."
      deny:
        conditions:
          all:
          # Deny when "tls" is not among the top-level keys of spec
          - key: tls
            operator: AnyNotIn
            value: "{{ request.object.spec.keys(@) }}"
```
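To show what the two rules accept and reject, here is a pair of Ingress manifests added as an example; they are not part of the policy repository, and every name, host and Secret in them is a constructed placeholder.

```yaml
# Constructed manifests; names, hosts and the Secret are placeholders.
# Violates both rules: no allow-http annotation, and spec has no "tls" key.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: shop-http
spec:
  rules:
  - host: shop.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: shop
            port:
              number: 80
---
# Satisfies both rules.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: shop-https
  annotations:
    kubernetes.io/ingress.allow-http: "false"   # matches the has-annotation pattern
spec:
  tls:                                          # has-tls: "tls" is a key of spec
  - hosts:
    - shop.example.com
    secretName: shop-tls
  rules:
  - host: shop.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: shop
            port:
              number: 80
```

With `validationFailureAction: audit` the first manifest is still admitted and its violations are only reported. The `has-tls` rule tests only that `spec.tls` exists; it does not check that the listed hosts or Secret cover every host under `rules`.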