Back to Policies

Disallow empty Ingress host

An ingress resource needs to define an actual host name in order to be valid. This policy ensures that there is a hostname for each rule defined.

View on GitHub

Policy Definition 

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-empty-ingress-host
  annotations:
    policies.kyverno.io/title: Disallow empty Ingress host
    policies.kyverno.io/category: Best Practices
    policies.kyverno.io/minversion: 1.6.0
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Ingress
    policies.kyverno.io/description: An ingress resource needs to define an actual host name in order to be valid. This policy ensures that there is a hostname for each rule defined.
spec:
  validationFailureAction: Audit
  background: false
  rules:
    - name: disallow-empty-ingress-host
      match:
        any:
          - resources:
              kinds:
                - Ingress
      validate:
        message: The Ingress host name must be defined, not empty.
        deny:
          conditions:
            all:
              - key: "{{ request.object.spec.rules[].host || `[]` | length(@) }}"
                operator: NotEquals
                value: "{{ request.object.spec.rules[].http || `[]` | length(@) }}"

Related Policies

ValidateMedium

Prevent Use of Default Project

This policy prevents the use of the default project in an Application.

Application
ValidateMedium

Require Encryption with AWS LoadBalancers

Services of type LoadBalancer when deployed inside AWS have support for transport encryption if it is enabled via an annotation. This policy requires that Services of type LoadBalancer contain the annotation service.beta.kubernetes.io/aws-load-balancer-ssl-cert with some value.

Service
ValidateMedium

Prevent Updates to Project

This policy prevents updates to the project field after an Application is created.

Application