Require Ingress HTTPS in CEL expressions
Ingress resources should only allow secure traffic by disabling HTTP and therefore only allowing HTTPS. This policy requires that all Ingress resources set the annotation `kubernetes.io/ingress.allow-http` to `"false"` and specify TLS in the spec.
Policy Definition
/other-cel/require-ingress-https/require-ingress-https.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-ingress-https
  annotations:
    policies.kyverno.io/title: Require Ingress HTTPS in CEL expressions
    policies.kyverno.io/category: Other in CEL
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.11.0
    kyverno.io/kubernetes-version: "1.26-1.27"
    policies.kyverno.io/subject: Ingress
    policies.kyverno.io/description: >-
      Ingress resources should only allow secure traffic by disabling
      HTTP and therefore only allowing HTTPS. This policy requires that all
      Ingress resources set the annotation `kubernetes.io/ingress.allow-http` to
      `"false"` and specify TLS in the spec.
spec:
  background: true
  validationFailureAction: Audit
  rules:
  - name: has-annotation
    match:
      any:
      - resources:
          kinds:
          - Ingress
          operations:
          - CREATE
          - UPDATE
    validate:
      cel:
        expressions:
          - expression: >-
              object.metadata.?annotations[?'kubernetes.io/ingress.allow-http'].orValue('default') == 'false'
            message: "The kubernetes.io/ingress.allow-http annotation must be set to false."
  - name: has-tls
    match:
      any:
      - resources:
          kinds:
          - Ingress
          operations:
          - CREATE
          - UPDATE
    validate:
      cel:
        expressions:
          - expression: "has(object.spec.tls)"
            message: "TLS must be defined."
```
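Sample Ingress resources for exercising the two rules, added here as an illustration and not part of the Kyverno policy library. All resource names, hosts, secret names and backend services are constructed placeholders.

```yaml
# Constructed sample resources; names, hosts and secrets are placeholders.
# Passes both rules: annotation is the string "false" and spec.tls is present.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: good-ingress
  annotations:
    kubernetes.io/ingress.allow-http: "false"
spec:
  tls:
  - hosts:
    - app.example.com
    secretName: app-example-tls
  defaultBackend:
    service:
      name: app
      port:
        number: 8080
---
# Fails has-annotation: no annotations map, so the optional chain yields 'default'.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: missing-annotation
spec:
  tls:
  - hosts:
    - app.example.com
    secretName: app-example-tls
  defaultBackend:
    service:
      name: app
      port:
        number: 8080
---
# Fails has-tls: the annotation is correct but spec.tls is absent.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: missing-tls
  annotations:
    kubernetes.io/ingress.allow-http: "false"
spec:
  defaultBackend:
    service:
      name: app
      port:
        number: 8080
```

Because the policy sets `validationFailureAction: Audit`, the two failing resources are still admitted and the violations are only recorded in policy reports. The annotation value must be the quoted string `"false"`, since annotation values are strings and the CEL expression compares against the string `'false'`.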