Require Ingress HTTPS in CEL expressions

Ingress resources should only allow secure traffic by disabling HTTP and therefore only allowing HTTPS. This policy requires that all Ingress resources set the annotation `kubernetes.io/ingress.allow-http` to `"false"` and specify TLS in the spec.

Policy Definition

/other-cel/require-ingress-https/require-ingress-https.yaml

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-ingress-https
  annotations:
    policies.kyverno.io/title: Require Ingress HTTPS in CEL expressions
    policies.kyverno.io/category: Other in CEL
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.11.0
    kyverno.io/kubernetes-version: "1.26-1.27"
    policies.kyverno.io/subject: Ingress
    policies.kyverno.io/description: >-
      Ingress resources should only allow secure traffic by disabling
      HTTP and therefore only allowing HTTPS. This policy requires that all
      Ingress resources set the annotation `kubernetes.io/ingress.allow-http` to
      `"false"` and specify TLS in the spec.
spec:
  background: true
  # Audit: violations are reported, the request itself is not blocked.
  validationFailureAction: Audit
  rules:
  # Rule 1: the allow-http annotation must be present and equal to the string 'false'.
  - name: has-annotation
    match:
      any:
      - resources:
          kinds:
          - Ingress
          operations:
          - CREATE
          - UPDATE
    validate:
      cel:
        expressions:
          # Optional chaining: a missing annotations map or key yields 'default',
          # which is not 'false', so the check fails.
          - expression: >-
              object.metadata.?annotations[?'kubernetes.io/ingress.allow-http'].orValue('default') == 'false'
            message: "The kubernetes.io/ingress.allow-http annotation must be set to false."
  # Rule 2: spec.tls must be present.
  - name: has-tls
    match:
      any:
      - resources:
          kinds:
          - Ingress
          operations:
          - CREATE
          - UPDATE
    validate:
      cel:
        expressions:
          - expression: "has(object.spec.tls)"
            message: "TLS must be defined."
```
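The two rules above, mirrored in plain Python over constructed Ingress objects to show which manifests each rule reports. This is an added example, not Kyverno's CEL evaluator or code from the policy repository; the helper names, host name and secret name are assumptions.

```python
# Added example: a plain-Python mirror of the policy's two CEL rules.
# Not Kyverno's evaluator; the Ingress objects below are constructed samples.
ALLOW_HTTP = "kubernetes.io/ingress.allow-http"


def has_annotation(obj):
    # Mirrors object.metadata.?annotations[?KEY].orValue('default') == 'false':
    # a missing annotations map or key yields 'default', which fails the check.
    annotations = obj.get("metadata", {}).get("annotations") or {}
    return annotations.get(ALLOW_HTTP, "default") == "false"


def has_tls(obj):
    # Mirrors has(object.spec.tls): tests that the field is present,
    # not what the TLS entries contain.
    return "tls" in obj.get("spec", {})


def evaluate(obj):
    """Return the policy messages for every rule the object fails."""
    failures = []
    if not has_annotation(obj):
        failures.append("The kubernetes.io/ingress.allow-http annotation must be set to false.")
    if not has_tls(obj):
        failures.append("TLS must be defined.")
    return failures


TLS = [{"hosts": ["app.example.test"], "secretName": "app-tls"}]  # constructed
SAMPLES = {
    "compliant": {"metadata": {"annotations": {ALLOW_HTTP: "false"}}, "spec": {"tls": TLS}},
    "no-annotations": {"metadata": {"name": "web"}, "spec": {"tls": TLS}},
    "wrong-case": {"metadata": {"annotations": {ALLOW_HTTP: "False"}}, "spec": {"tls": TLS}},
    "http-only": {"metadata": {"annotations": {ALLOW_HTTP: "true"}}, "spec": {}},
}

if __name__ == "__main__":
    for name, ingress in SAMPLES.items():
        print(name, "->", evaluate(ingress) or "pass")
```

The `has-tls` rule passes as soon as `spec.tls` is present, so the hosts and secret named in the TLS entries still have to be reviewed separately.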