Restrict Ingress Host with Wildcards

Ingress hosts optionally accept a wildcard (for example, a leading `*.` that matches every subdomain) as an alternative to precise matching. In some cases this is too permissive, because it would route unintended traffic to the given Ingress resource. This policy checks that no Ingress host contains a wildcard character.

Policy Definition

/other/restrict-ingress-wildcard/restrict-ingress-wildcard.yaml

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-ingress-wildcard
  annotations:
    policies.kyverno.io/title: Restrict Ingress Host with Wildcards
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.6.2
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/subject: Ingress
    policies.kyverno.io/description: >-
      Ingress hosts optionally accept a wildcard as an alternative
      to precise matching. In some cases, this may be too permissive as it
      would direct unintended traffic to the given Ingress resource. This
      policy enforces that any Ingress host does not contain a wildcard
      character.
spec:
  validationFailureAction: audit
  background: true
  rules:
    - name: block-ingress-wildcard
      match:
        any:
        - resources:
            kinds:
              - Ingress
      preconditions:
        all:
        - key: "{{ request.operation || 'BACKGROUND' }}"
          operator: AnyIn
          value: ["CREATE", "UPDATE"]
      validate:
        message: "Wildcards are not permitted as hosts."
        foreach:
        - list: "request.object.spec.rules"
          deny:
            conditions:
              any:
              - key: "{{ contains(element.host, '*') }}"
                operator: Equals
                value: true
```
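To see what the rule above actually evaluates, here is the same check reimplemented in plain Python as an added example; it is not part of the Kyverno policy library. It walks `spec.rules` the way the policy's `foreach` does and applies the equivalent of `contains(element.host, '*')` to each rule, so you can run it offline against Ingress objects (constructed here as dicts with the shape the API server would hand to Kyverno) and confirm which ones the policy would flag. The function names `wildcard_hosts` and `evaluate` and the sample manifests are assumptions made for this example.

```python
"""Python mirror of the restrict-ingress-wildcard check (added example).

Not Kyverno code: it reproduces the policy's logic so the pass/fail cases
can be exercised without a cluster.
"""
from typing import Dict, List, Tuple


def wildcard_hosts(ingress: Dict) -> List[str]:
    """Return every rule host in the Ingress that contains a '*'.

    An empty list means the Ingress would pass the policy. Rules that omit
    `host` (catch-all rules) are skipped here; the YAML policy passes
    `element.host` to `contains` unconditionally, so test that case with
    the Kyverno CLI before switching the policy to enforce.
    """
    rules = ingress.get("spec", {}).get("rules") or []
    offending: List[str] = []
    for rule in rules:  # equivalent of foreach over request.object.spec.rules
        host = rule.get("host")
        if isinstance(host, str) and "*" in host:  # contains(element.host, '*')
            offending.append(host)
    return offending


def evaluate(ingress: Dict) -> Tuple[str, str]:
    """Return ("pass" | "fail", message), echoing the policy's deny message."""
    name = ingress.get("metadata", {}).get("name", "<unnamed>")
    bad = wildcard_hosts(ingress)
    if bad:
        return "fail", f"{name}: Wildcards are not permitted as hosts. ({', '.join(bad)})"
    return "pass", f"{name}: ok"


# Constructed sample Ingress resources (not taken from the page or any cluster).
WILDCARD_INGRESS = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "Ingress",
    "metadata": {"name": "wildcard-ingress"},
    "spec": {
        "rules": [
            {"host": "*.example.com", "http": {"paths": []}},   # flagged
            {"host": "app.example.com", "http": {"paths": []}},  # fine
        ]
    },
}

CLEAN_INGRESS = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "Ingress",
    "metadata": {"name": "clean-ingress"},
    "spec": {"rules": [{"host": "api.example.com", "http": {"paths": []}}]},
}

# Edge case: a catch-all rule with no host at all.
NO_HOST_INGRESS = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "Ingress",
    "metadata": {"name": "no-host-ingress"},
    "spec": {"rules": [{"http": {"paths": []}}]},
}


if __name__ == "__main__":
    for ing in (WILDCARD_INGRESS, CLEAN_INGRESS, NO_HOST_INGRESS):
        print(*evaluate(ing))
```

Because the policy ships with `validationFailureAction: audit`, a real cluster would only report the `wildcard-ingress` case as a policy violation rather than reject it; change the action to `enforce` once the audit results show no legitimate wildcard hosts in use.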