Unique Ingress Host

An Ingress host is the hostname (the host field of an Ingress rule) at which services are exposed externally. In most cases these hosts should be unique across the cluster, so that two Ingress resources never claim the same name and create a routing conflict. This policy fetches the hosts of all Ingress resources already in the cluster through an API call context and denies an incoming Ingress whose host is already in use. On updates the Ingress being modified is excluded from that list by its metadata.uid, so an object can be resubmitted with its own host. A third rule denies any manifest that declares more than one host. A few caveats follow from the way the rules are written: the comparison is an exact string match, so differently cased names and wildcard hosts such as *.example.com are not treated as overlapping; the policy ships with validationFailureAction set to audit, which only reports violations, so set it to enforce to actually block conflicting Ingresses; background is set to false because the preconditions depend on request.operation, which is absent in background scans; and because the check reads cluster state at admission time, two conflicting requests admitted concurrently can still both succeed.

Policy Definition

/other/restrict-ingress-host/restrict-ingress-host.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: unique-ingress-host
  annotations:
    policies.kyverno.io/title: Unique Ingress Host
    policies.kyverno.io/category: Sample
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Ingress
    policies.kyverno.io/minversion: 1.6.0
    policies.kyverno.io/description: >-
      An Ingress host is a URL at which services may be made available externally. In most cases,
      these hosts should be unique across the cluster to ensure no routing conflicts occur.
      This policy checks an incoming Ingress resource to ensure its hosts are unique to the cluster.
      It also ensures that only a single host may be specified in a given manifest.
spec:
  validationFailureAction: audit
  background: false
  rules:
    - name: check-single-host-create
      match:
        any:
        - resources:
            kinds:
              - Ingress
      context:
        - name: hosts
          apiCall:
            urlPath: "/apis/networking.k8s.io/v1/ingresses"
            jmesPath: "items[].spec.rules[].host"
      preconditions:
        all:
        - key: "{{request.operation || 'BACKGROUND'}}"
          operator: Equals
          value: CREATE
      validate:
        message: "The Ingress host name must be unique."
        deny:
          conditions:
            all:
              - key: "{{ request.object.spec.rules[].host }}"
                operator: AnyIn
                value: "{{ hosts }}"
    - name: check-single-host-update
      match:
        any:
        - resources:
            kinds:
              - Ingress
      preconditions:
        all:
        - key: "{{request.operation || 'BACKGROUND'}}"
          operator: Equals
          value: UPDATE
      context:
        - name: allhosts
          apiCall:
            urlPath: "/apis/networking.k8s.io/v1/ingresses"
            jmesPath: "items[?metadata.uid!='{{ request.object.metadata.uid }}'].spec.rules[].host"
      validate:
        message: "The Ingress host name must be unique."
        deny:
          conditions:
            all:
              - key: "{{ request.object.spec.rules[].host }}"
                operator: AnyIn
                value: "{{ allhosts }}"
    - name: deny-multiple-hosts
      match:
        any:
        - resources:
            kinds:
              - Ingress
      preconditions:
        all:
        - key: "{{request.operation || 'BACKGROUND'}}"
          operator: AnyIn
          value:
          - CREATE
          - UPDATE
        - key: "{{ request.object.spec.rules[].host | length(@)}}"
          operator: GreaterThan
          value: 1
      validate:
        message: "An Ingress resource may only contain a single host entry."
        deny: {}
77          operator: AnyIn
78          value:
79          - CREATE
80          - UPDATE
81        - key: "{{ request.object.spec.rules[].host | length(@)}}"
82          operator: GreaterThan
83          value: 1
84      validate:
85        message: "An Ingress resource may only contain a single host entry."
86        deny: {}