Istio VirtualServices optionally accept a wildcard (`*`) in `spec.hosts` as an alternative to an exact hostname. In some cases this is too permissive, because a wildcard host routes unintended traffic to the given resource. This policy checks every entry in `spec.hosts` of a VirtualService and denies the request if any entry contains a wildcard character, which allows for tighter governance when a single mesh deployment model is used. As shipped, `validationFailureAction` is `Audit`, so violations are only reported; set it to `Enforce` to have the admission request rejected. With `background: true`, existing VirtualServices are also scanned and reported.
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-virtual-service-wildcard
  annotations:
    policies.kyverno.io/title: Restrict Virtual Service Host with Wildcards
    policies.kyverno.io/category: Istio
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.8.4
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/subject: VirtualService
    policies.kyverno.io/description: >-
      Virtual Services optionally accept a wildcard as an alternative to precise matching.
      In some cases, this may be too permissive as it would direct unintended traffic to
      the given resource. This policy enforces that any Virtual Service host does not
      contain a wildcard character and allows for more governance when a single mesh
      deployment model is used.
spec:
  validationFailureAction: Audit
  background: true
  rules:
  - name: block-virtual-service-wildcard
    match:
      any:
      - resources:
          kinds:
          - VirtualService
    preconditions:
      all:
      - key: "{{ request.operation || 'BACKGROUND' }}"
        operator: AnyIn
        value:
        - CREATE
        - UPDATE
    validate:
      message: Wildcards are not permitted as hosts.
      foreach:
      - list: request.object.spec.hosts
        deny:
          conditions:
            any:
            - key: "{{ contains(element, '*') }}"
              operator: Equals
              value: true
```
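To check the policy before rolling it out, the following Kyverno CLI test bundle exercises the rule against one violating and one compliant VirtualService. This is an added example, not part of the policy library page; the resource names (`wildcard-vs`, `exact-vs`), the namespace, the destination host `reviews`, and the file names `restrict-virtual-service-wildcard.yaml`, `resources.yaml` and `kyverno-test.yaml` are assumptions made for this illustration. The policy file is assumed to contain the ClusterPolicy exactly as shown above.

```yaml
# --- resources.yaml (constructed sample input for the test) ---
# Violating resource: a wildcard host. The foreach rule evaluates
# contains(element, '*') for "*.example.com" -> true -> deny.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: wildcard-vs          # assumed name
  namespace: default
spec:
  hosts:
  - "*.example.com"
  http:
  - route:
    - destination:
        host: reviews        # assumed destination
---
# Compliant resource: exact hostnames only. Every element fails the
# contains() check, so no deny condition fires and the rule passes.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: exact-vs             # assumed name
  namespace: default
spec:
  hosts:
  - reviews.default.svc.cluster.local
  - reviews.example.com
  http:
  - route:
    - destination:
        host: reviews        # assumed destination
---
# --- kyverno-test.yaml (run with: kyverno test .) ---
name: restrict-virtual-service-wildcard
policies:
- restrict-virtual-service-wildcard.yaml   # assumed file holding the ClusterPolicy
resources:
- resources.yaml
results:
- policy: restrict-virtual-service-wildcard
  rule: block-virtual-service-wildcard
  resource: wildcard-vs
  kind: VirtualService
  result: fail
- policy: restrict-virtual-service-wildcard
  rule: block-virtual-service-wildcard
  resource: exact-vs
  kind: VirtualService
  result: pass
```

Place the three files in one directory and run `kyverno test .`; the CLI reports `Pass` for each expected result. For a one-off check without a test manifest, `kyverno apply restrict-virtual-service-wildcard.yaml --resource resources.yaml` prints the violation message `Wildcards are not permitted as hosts.` for `wildcard-vs` and nothing for `exact-vs`. Note that the `result: fail` expectation holds regardless of `validationFailureAction`; the CLI evaluates the rule, while `Audit` versus `Enforce` only decides whether a live admission request is blocked.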
This policy prevents the use of the default project in an Application.
Services of type LoadBalancer deployed in AWS support transport encryption at the load balancer when it is enabled via an annotation. This policy requires that every Service of type LoadBalancer carry the annotation service.beta.kubernetes.io/aws-load-balancer-ssl-cert with a non-empty value.
This policy prevents updates to the project field after an Application is created.