Restrict Ingress Host with Wildcards
Ingress hosts optionally accept a wildcard as an alternative to precise matching. In some cases this is too permissive, because it directs unintended traffic to the given Ingress resource. This policy enforces that no Ingress host contains a wildcard character.
Policy Definition
/other/restrict-ingress-wildcard/restrict-ingress-wildcard.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-ingress-wildcard
  annotations:
    policies.kyverno.io/title: Restrict Ingress Host with Wildcards
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.6.2
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/subject: Ingress
    policies.kyverno.io/description: >-
      Ingress hosts optionally accept a wildcard as an alternative
      to precise matching. In some cases, this may be too permissive as it
      would direct unintended traffic to the given Ingress resource. This
      policy enforces that any Ingress host does not contain a wildcard
      character.
spec:
  validationFailureAction: audit
  background: true
  rules:
  - name: block-ingress-wildcard
    match:
      any:
      - resources:
          kinds:
          - Ingress
    preconditions:
      all:
      - key: "{{ request.operation || 'BACKGROUND' }}"
        operator: AnyIn
        value: ["CREATE", "UPDATE"]
    validate:
      message: "Wildcards are not permitted as hosts."
      foreach:
      - list: "request.object.spec.rules"
        deny:
          conditions:
            any:
            - key: "{{ contains(element.host, '*') }}"
              operator: Equals
              value: true
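Because the policy ships with validationFailureAction: audit, a violating Ingress is reported rather than rejected. The following added example (not Kyverno's code, and not part of this policy) is a CI-side pre-check that mirrors the rule's logic over plain Kubernetes objects, with the sample manifests constructed for the demonstration; as an extension, it can also inspect spec.tls[].hosts, which the policy's foreach over spec.rules does not cover.

```python
# Added example (not Kyverno's code): a CI-side pre-check that mirrors the
# policy's rule, iterating spec.rules and flagging any host containing '*'.
# With include_tls=True it also inspects spec.tls[].hosts, which the policy
# as written does not look at.
from typing import Any, Dict, List, Tuple

WILDCARD = "*"
MESSAGE = "Wildcards are not permitted as hosts."


def wildcard_hosts(ingress: Dict[str, Any], include_tls: bool = False) -> List[str]:
    """Return every host in the Ingress that contains a wildcard character.

    spec.rules entries without a host (catch-all rules) carry no string to
    inspect and are skipped, as are missing spec/rules/tls sections.
    """
    spec = ingress.get("spec") or {}
    hosts = [r.get("host") for r in spec.get("rules") or []]
    if include_tls:
        for tls in spec.get("tls") or []:
            hosts.extend(tls.get("hosts") or [])
    return [h for h in hosts if isinstance(h, str) and WILDCARD in h]


def validate(ingress: Dict[str, Any]) -> Tuple[bool, str]:
    """Admission-style verdict (allowed, message), matching the policy's scope."""
    offenders = wildcard_hosts(ingress)
    if offenders:
        return False, f"{MESSAGE} Offending hosts: {', '.join(offenders)}"
    return True, ""


# Constructed sample objects shaped like networking.k8s.io/v1 Ingress.
GOOD_INGRESS = {
    "kind": "Ingress", "metadata": {"name": "web"},
    "spec": {"rules": [{"host": "web.example.com"}, {}]},  # second rule has no host
}
BAD_INGRESS = {
    "kind": "Ingress", "metadata": {"name": "web-wild"},
    "spec": {"rules": [{"host": "*.example.com"}, {"host": "api.example.com"}],
             "tls": [{"hosts": ["*.example.com"], "secretName": "web-tls"}]},
}

if __name__ == "__main__":
    for obj in (GOOD_INGRESS, BAD_INGRESS):
        allowed, msg = validate(obj)
        print(obj["metadata"]["name"], "allowed" if allowed else f"denied: {msg}")
```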