Ingress Host Match TLS in CEL expressions
Ingress resources that name a host which is not present in the TLS section can produce routing and TLS failures, because the certificate served for that host may not correspond to the destination host. This policy ensures that every host named in an Ingress rule (spec.rules[].host) also appears in the list of TLS hosts (spec.tls[].hosts[]). Rules that set no host are not checked, and the comparison is an exact string match, so a wildcard entry such as *.example.com in spec.tls does not satisfy a rule for app.example.com.
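To make the check concrete before reading the CEL, here is an added Python model of the same logic (not part of the Kyverno policy or project), run over four constructed Ingress objects: a compliant one, one with a rule host missing from spec.tls, one with a host-less rule, and one that relies on a wildcard TLS host. The names `COMPLIANT`, `NONCOMPLIANT`, `NO_HOST` and `WILDCARD`, and the example.com hostnames, are assumptions for illustration.

```python
"""Python model of the ingress-host-match-tls check.

Mirrors the policy's CEL:
  variables.tls = object.spec.?tls.orValue([])
  object.spec.rules.all(rule,
      !has(rule.host) ||
      variables.tls.exists(t, t.?hosts.orValue([]).exists(h, h == rule.host)))
This is an added illustration, not the project's own code.
"""

MESSAGE = "The host(s) in spec.rules[].host must match those in spec.tls[].hosts[]."


def tls_hosts(ingress: dict) -> set:
    """Collect spec.tls[].hosts[]. Like `?tls.orValue([])` and `?hosts.orValue([])`,
    a missing spec.tls or a TLS entry without `hosts` contributes nothing."""
    hosts = set()
    for entry in ingress.get("spec", {}).get("tls") or []:
        hosts.update(entry.get("hosts") or [])
    return hosts


def unmatched_rule_hosts(ingress: dict) -> list:
    """Rule hosts with no exact match in the TLS host list.

    A rule without `host` is skipped (the CEL `!has(rule.host)` branch).
    Matching is plain string equality, as in `tlsHost == rule.host`, so a
    wildcard TLS host such as *.example.com does not cover app.example.com.
    Note: the policy's CEL reads object.spec.rules without `?`, so an Ingress
    with no rules at all would hit an evaluation error there; this model
    treats it as having nothing to check.
    """
    allowed = tls_hosts(ingress)
    rules = ingress.get("spec", {}).get("rules") or []
    return [r["host"] for r in rules if "host" in r and r["host"] not in allowed]


def validate(ingress: dict) -> tuple:
    """Return (passed, message) the way an admission response would."""
    if unmatched_rule_hosts(ingress):
        return False, MESSAGE
    return True, ""


def _ingress(name, rules, tls=None):
    """Build a minimal networking.k8s.io/v1 Ingress dict (constructed sample)."""
    spec = {"rules": rules}
    if tls is not None:
        spec["tls"] = tls
    return {"apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
            "metadata": {"name": name}, "spec": spec}


# Constructed sample objects (assumed hostnames, not from the page).
COMPLIANT = _ingress("ok",
    rules=[{"host": "app.example.com"}],
    tls=[{"hosts": ["app.example.com"], "secretName": "app-tls"}])

NONCOMPLIANT = _ingress("missing-tls-host",
    rules=[{"host": "app.example.com"}, {"host": "api.example.com"}],
    tls=[{"hosts": ["app.example.com"], "secretName": "app-tls"}])

NO_HOST = _ingress("catch-all",
    rules=[{"http": {"paths": [{"path": "/", "pathType": "Prefix"}]}}])

WILDCARD = _ingress("wildcard-cert",
    rules=[{"host": "app.example.com"}],
    tls=[{"hosts": ["*.example.com"], "secretName": "wildcard-tls"}])


if __name__ == "__main__":
    for obj in (COMPLIANT, NONCOMPLIANT, NO_HOST, WILDCARD):
        ok, msg = validate(obj)
        print(f"{obj['metadata']['name']:16} {'pass' if ok else 'FAIL'} "
              f"{unmatched_rule_hosts(obj)} {msg}")
```

The wildcard case is the one most likely to surprise: a cluster that terminates TLS with a wildcard certificate will have every per-host Ingress flagged by this policy unless spec.tls also lists the exact hostnames, which is worth deciding on before switching validationFailureAction from Audit to Enforce.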
Policy Definition
/other-cel/ingress-host-match-tls/ingress-host-match-tls.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: ingress-host-match-tls
  annotations:
    policies.kyverno.io/title: Ingress Host Match TLS in CEL expressions
    policies.kyverno.io/category: Other in CEL
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.11.0
    policies.kyverno.io/minversion: 1.11.0
    kyverno.io/kubernetes-version: "1.26-1.27"
    policies.kyverno.io/subject: Ingress
    policies.kyverno.io/description: >-
      Ingress resources which name a host name that is not present
      in the TLS section can produce ingress routing failures as a TLS
      certificate may not correspond to the destination host. This policy
      ensures that the host name in an Ingress rule is also found
      in the list of TLS hosts.
spec:
  background: false
  validationFailureAction: Audit
  rules:
    - name: host-match-tls
      match:
        any:
        - resources:
            kinds:
              - Ingress
            operations:
            - CREATE
            - UPDATE
      validate:
        cel:
          variables:
            - name: tls
              expression: "object.spec.?tls.orValue([])"
          expressions:
            - expression: >-
                object.spec.rules.all(rule,
                !has(rule.host) ||
                variables.tls.exists(tls, tls.?hosts.orValue([]).exists(tlsHost, tlsHost == rule.host)))
              message: "The host(s) in spec.rules[].host must match those in spec.tls[].hosts[]."
```