Restrict Virtual Service Host with Wildcards
Virtual Services optionally accept a wildcard as an alternative to precise matching. In some cases, this may be too permissive as it would direct unintended traffic to the given resource. This policy enforces that any Virtual Service host does not contain a wildcard character and allows for more governance when a single mesh deployment model is used.
Policy Definition
/istio/restrict-virtual-service-wildcard/restrict-virtual-service-wildcard.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-virtual-service-wildcard
  annotations:
    policies.kyverno.io/title: Restrict Virtual Service Host with Wildcards
    policies.kyverno.io/category: Istio
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.8.4
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/subject: VirtualService
    policies.kyverno.io/description: >-
      Virtual Services optionally accept a wildcard as an alternative
      to precise matching. In some cases, this may be too permissive as it
      would direct unintended traffic to the given resource. This
      policy enforces that any Virtual Service host does not contain a wildcard
      character and allows for more governance when a single mesh deployment
      model is used.
spec:
  validationFailureAction: Audit
  background: true
  rules:
  - name: block-virtual-service-wildcard
    match:
      any:
      - resources:
          kinds:
          - VirtualService
    preconditions:
      all:
      - key: "{{ request.operation || 'BACKGROUND' }}"
        operator: AnyIn
        value: ["CREATE", "UPDATE"]
    validate:
      message: "Wildcards are not permitted as hosts."
      foreach:
      - list: "request.object.spec.hosts"
        deny:
          conditions:
            any:
            - key: "{{ contains(element, '*') }}"
              operator: Equals
              value: true
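To show how the rule above evaluates a VirtualService, here is an added reference model written for this page (it is not Kyverno's engine or any code from the policy library): it mirrors the match on kind, the `request.operation || 'BACKGROUND'` precondition and the `foreach` / `contains(element, '*')` deny check, and runs them against constructed sample admission requests.

```python
# Reference model of the restrict-virtual-service-wildcard rule (added example,
# not Kyverno's code). The precondition default to 'BACKGROUND' is modelled
# exactly as the policy text writes it.

ALLOWED_OPERATIONS = ("CREATE", "UPDATE")
DENY_MESSAGE = "Wildcards are not permitted as hosts."


def precondition_holds(request):
    """{{ request.operation || 'BACKGROUND' }} AnyIn ["CREATE", "UPDATE"]."""
    operation = request.get("operation") or "BACKGROUND"
    return operation in ALLOWED_OPERATIONS


def wildcard_hosts(virtual_service):
    """foreach element of spec.hosts: deny when contains(element, '*')."""
    hosts = virtual_service.get("spec", {}).get("hosts", [])
    return [host for host in hosts if "*" in host]


def evaluate(request):
    """Return ('skip' | 'pass' | 'fail', offending hosts) for one request."""
    obj = request.get("object", {})
    if obj.get("kind") != "VirtualService" or not precondition_holds(request):
        return "skip", []           # rule not matched or precondition false
    offending = wildcard_hosts(obj)
    return ("fail", offending) if offending else ("pass", [])


def virtual_service(name, hosts):
    """Build a minimal, constructed Istio VirtualService manifest."""
    return {
        "apiVersion": "networking.istio.io/v1beta1",
        "kind": "VirtualService",
        "metadata": {"name": name, "namespace": "default"},
        "spec": {"hosts": hosts, "http": [{"route": [{"destination": {"host": name}}]}]},
    }


# Constructed sample admission requests; not captured from a real cluster.
WILDCARD_CREATE = {"operation": "CREATE",
                   "object": virtual_service("reviews", ["*.example.com", "reviews"])}
PRECISE_UPDATE = {"operation": "UPDATE",
                  "object": virtual_service("ratings", ["ratings.default.svc.cluster.local"])}
WILDCARD_DELETE = {"operation": "DELETE",
                   "object": virtual_service("reviews", ["*"])}

if __name__ == "__main__":
    for req in (WILDCARD_CREATE, PRECISE_UPDATE, WILDCARD_DELETE):
        result, hosts = evaluate(req)
        print(req["operation"], result, hosts, DENY_MESSAGE if result == "fail" else "")
```

The DELETE case is skipped by the precondition, so a wildcard host on a resource being removed never produces a violation; only CREATE and UPDATE are checked.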