Unique Ingress Host
An Ingress host is a URL at which services may be made available externally. In most cases, these hosts should be unique across the cluster to ensure no routing conflicts occur. This policy checks an incoming Ingress resource to ensure its hosts are unique to the cluster. It also ensures that only a single host may be specified in a given manifest.
Policy Definition
/other/restrict-ingress-host/restrict-ingress-host.yaml
# Kyverno ClusterPolicy: keeps Ingress hosts unique across the cluster and
# limits each Ingress manifest to a single host entry.
# Only spec.rules[].host is compared; spec.tls[].hosts is not examined.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: unique-ingress-host
  annotations:
    policies.kyverno.io/title: Unique Ingress Host
    policies.kyverno.io/category: Sample
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Ingress
    policies.kyverno.io/minversion: 1.6.0
    policies.kyverno.io/description: >-
      An Ingress host is a URL at which services may be made available externally. In most cases,
      these hosts should be unique across the cluster to ensure no routing conflicts occur.
      This policy checks an incoming Ingress resource to ensure its hosts are unique to the cluster.
      It also ensures that only a single host may be specified in a given manifest.
spec:
  # audit: violations are reported (policy reports) but the request is still
  # admitted; change to enforce to actually reject conflicting Ingresses.
  validationFailureAction: audit
  # The rules read request.operation / request.object, which only exist at
  # admission time, so background scanning is disabled.
  background: false
  rules:
    # Rule 1: on CREATE, deny when any host of the new Ingress already
    # appears on an existing Ingress anywhere in the cluster.
    - name: check-single-host-create
      match:
        any:
          - resources:
              kinds:
                - Ingress
      context:
        # Lists every Ingress via the API server at admission time and
        # projects the hosts of all their rules into a flat list.
        # NOTE: this lookup is not atomic with admission; two near-simultaneous
        # creates of the same host may both pass, so treat the rule as a
        # guardrail rather than a hard guarantee.
        - name: hosts
          apiCall:
            urlPath: "/apis/networking.k8s.io/v1/ingresses"
            jmesPath: "items[].spec.rules[].host"
      preconditions:
        all:
          # request.operation is unset outside admission; the 'BACKGROUND'
          # fallback keeps the Equals test from matching in that case.
          - key: "{{request.operation || 'BACKGROUND'}}"
            operator: Equals
            value: CREATE
      validate:
        message: "The Ingress host name must be unique."
        deny:
          conditions:
            all:
              # Deny if any incoming host is in the cluster-wide host list.
              - key: "{{ request.object.spec.rules[].host }}"
                operator: AnyIn
                value: "{{ hosts }}"
    # Rule 2: same check on UPDATE, but the Ingress being updated is excluded
    # from the comparison set so it does not conflict with its own hosts.
    - name: check-single-host-update
      match:
        any:
          - resources:
              kinds:
                - Ingress
      preconditions:
        all:
          - key: "{{request.operation || 'BACKGROUND'}}"
            operator: Equals
            value: UPDATE
      context:
        # Same cluster-wide listing as above, filtered by metadata.uid to drop
        # the object under update (same non-atomicity caveat applies).
        - name: allhosts
          apiCall:
            urlPath: "/apis/networking.k8s.io/v1/ingresses"
            jmesPath: "items[?metadata.uid!='{{ request.object.metadata.uid }}'].spec.rules[].host"
      validate:
        message: "The Ingress host name must be unique."
        deny:
          conditions:
            all:
              - key: "{{ request.object.spec.rules[].host }}"
                operator: AnyIn
                value: "{{ allhosts }}"
    # Rule 3: on CREATE or UPDATE, deny an Ingress that declares more than one
    # host across its rules. The preconditions carry the whole test, so the
    # empty deny block means "matching the preconditions is the violation".
    - name: deny-multiple-hosts
      match:
        any:
          - resources:
              kinds:
                - Ingress
      preconditions:
        all:
          - key: "{{request.operation || 'BACKGROUND'}}"
            operator: AnyIn
            value:
              - CREATE
              - UPDATE
          # Number of rule entries that carry a host field.
          - key: "{{ request.object.spec.rules[].host | length(@)}}"
            operator: GreaterThan
            value: 1
      validate:
        message: "An Ingress resource may only contain a single host entry."
        deny: {}