Require unique host names in OpenShift routes

A Route host is a URL at which services may be made available externally. In most cases, these hosts should be unique across the cluster to ensure no routing conflicts occur. This policy checks an incoming Route resource to ensure its hosts are unique to the cluster.

Policy Definition

/openshift/unique-routes/unique-routes.yaml

---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: unique-routes
  annotations:
    policies.kyverno.io/title: Require unique host names in OpenShift routes
    policies.kyverno.io/category: OpenShift
    policies.kyverno.io/severity: high
    kyverno.io/kyverno-version: 1.6.0
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.20"
    policies.kyverno.io/subject: Route
    policies.kyverno.io/description: >-
      A Route host is a URL at which services may be made available externally. In most cases,
      these hosts should be unique across the cluster to ensure no routing conflicts occur.
      This policy checks an incoming Route resource to ensure its hosts are unique to the cluster.
spec:
  # Enforce rejects a violating Route at admission instead of only reporting it.
  validationFailureAction: Enforce
  background: false
  rules:
    - name: require-unique-routes
      match:
        any:
          - resources:
              kinds:
                - route.openshift.io/v1/Route
      context:
        # Collect the host of every Route in the cluster, across all namespaces.
        - name: hosts
          apiCall:
            # Resource names in API server paths are lowercase plurals.
            urlPath: "/apis/route.openshift.io/v1/routes"
            jmesPath: "items[].spec.host"
      preconditions:
        all:
          # Skip the rule for DELETE requests.
          - key: "{{ request.operation || 'BACKGROUND' }}"
            operator: NotEquals
            value: "DELETE"
      validate:
        message: >-
          The Route host name must be unique.
        deny:
          conditions:
            all:
              # Deny when the incoming host is already present in the collected list.
              - key: "{{ request.object.spec.host }}"
                operator: AnyIn
                value: "{{ hosts }}"
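
The rule's decision logic can be traced with a small model. The Python below is an added example, not Kyverno's code or part of the policy; `ROUTE_LIST`, the helper names and the hostnames are constructed for illustration. It shows that a host already claimed in another namespace is denied, and that in this model an UPDATE to an existing Route also matches its own host in the list, because the precondition excludes only DELETE.

```python
# Simplified model of the unique-routes rule (added example, not Kyverno code).
# ROUTE_LIST is constructed sample data standing in for the apiCall response.
ROUTE_LIST = {"items": [
    {"metadata": {"namespace": "shop", "name": "web"},
     "spec": {"host": "shop.apps.example.test"}},
    {"metadata": {"namespace": "blog", "name": "site"},
     "spec": {"host": "blog.apps.example.test"}},
    {"metadata": {"namespace": "dev", "name": "pending"}, "spec": {}},
]}


def existing_hosts(route_list):
    """Mirror jmesPath 'items[].spec.host': collect hosts, dropping nulls."""
    hosts = []
    for item in route_list.get("items", []):
        host = item.get("spec", {}).get("host")
        if host is not None:
            hosts.append(host)
    return hosts


def evaluate(request, route_list):
    """Return 'skip', 'deny' or 'allow' for a constructed admission request."""
    # Precondition: "{{ request.operation || 'BACKGROUND' }}" NotEquals DELETE.
    operation = request.get("operation") or "BACKGROUND"
    if operation == "DELETE":
        return "skip"
    # Deny condition: request.object.spec.host AnyIn hosts.
    # Assumption of this model: plain, case-sensitive string equality.
    if request["object"]["spec"]["host"] in existing_hosts(route_list):
        return "deny"
    return "allow"


def make_request(operation, namespace, name, host):
    """Build a minimal constructed admission request (hypothetical helper)."""
    obj = None if operation == "DELETE" else {
        "metadata": {"namespace": namespace, "name": name},
        "spec": {"host": host}}
    return {"operation": operation, "object": obj}


if __name__ == "__main__":
    for case in [
        make_request("CREATE", "pay", "api", "pay.apps.example.test"),
        make_request("CREATE", "other", "web", "shop.apps.example.test"),
        make_request("UPDATE", "shop", "web", "shop.apps.example.test"),
        make_request("DELETE", "shop", "web", "shop.apps.example.test"),
    ]:
        print(case["operation"], "->", evaluate(case, ROUTE_LIST))
```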