Restrict Ingress Classes in CEL expressions
Ingress classes should be restricted to those that correspond to Ingress controllers actually deployed in the cluster. Allowing users to request a class that no deployed controller satisfies leaves the Ingress either unreconciled or handled in an undesired way. This policy checks Ingress resources and allows only those whose `kubernetes.io/ingress.class` annotation is `HAProxy` or `nginx`. The comparison is case-sensitive, and an Ingress with no such annotation (including one that sets only `spec.ingressClassName`) evaluates to an empty string and is reported as a violation. This annotation has largely been replaced as of Kubernetes 1.18 by the IngressClass resource and the `spec.ingressClassName` field, so adjust the allowed values to the classes your controllers actually serve.
Policy Definition
/other-cel/restrict-ingress-classes/restrict-ingress-classes.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-ingress-classes
  annotations:
    policies.kyverno.io/title: Restrict Ingress Classes in CEL expressions
    policies.kyverno.io/category: Sample in CEL
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Ingress
    policies.kyverno.io/minversion: 1.11.0
    kyverno.io/kubernetes-version: "1.26-1.27"
    policies.kyverno.io/description: >-
      Ingress classes should only be allowed which match up to deployed Ingress controllers
      in the cluster. Allowing users to define classes which cannot be satisfied by a deployed
      Ingress controller can result in either no or undesired functionality. This policy checks
      Ingress resources and only allows those which define `HAProxy` or `nginx` in the respective
      annotation. This annotation has largely been replaced as of Kubernetes 1.18 with the IngressClass
      resource.
spec:
  # Audit reports violations without blocking; switch to Enforce to reject them.
  validationFailureAction: Audit
  background: true
  rules:
    - name: validate-ingress
      match:
        any:
          - resources:
              kinds:
                - Ingress
              operations:
                - CREATE
                - UPDATE
      validate:
        cel:
          expressions:
            # Missing annotations map or missing key both resolve to '' via orValue,
            # which is not in the list, so such Ingresses fail the check.
            - expression: >-
                object.metadata.?annotations[?'kubernetes.io/ingress.class'].orValue('') in ['HAProxy', 'nginx']
              message: "Unknown ingress class."
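To see which Ingress objects this rule admits and which it reports, the following is an added Python example (not part of this page or of the Kyverno project) that re-implements the semantics of the policy's CEL expression over a few constructed Ingress manifests. It also includes an extended check, not the page's policy, that falls back to `spec.ingressClassName` when the legacy annotation is absent; the CEL fragment quoted in that function's docstring is an assumed equivalent and has not been verified here.

```python
"""Mirror of the restrict-ingress-classes CEL check over constructed Ingress objects.

Re-implements in Python what the policy expression

    object.metadata.?annotations[?'kubernetes.io/ingress.class'].orValue('') in ['HAProxy', 'nginx']

evaluates to, so the admitted and reported cases can be inspected offline.
All Ingress manifests below are constructed for illustration.
"""
from typing import Any, Callable, Dict, List, Tuple

ANNOTATION = "kubernetes.io/ingress.class"
ALLOWED_CLASSES = ("HAProxy", "nginx")  # the literal list from the policy


def annotation_class(obj: Dict[str, Any]) -> str:
    """object.metadata.?annotations[?ANNOTATION].orValue('')

    A missing annotations map and a missing key both collapse to ''.
    """
    annotations = obj.get("metadata", {}).get("annotations") or {}
    return annotations.get(ANNOTATION, "")


def allowed_by_policy(obj: Dict[str, Any]) -> bool:
    """The page's rule as written: annotation only, case-sensitive membership."""
    return annotation_class(obj) in ALLOWED_CLASSES


def allowed_by_either_field(obj: Dict[str, Any]) -> bool:
    """Extended check (assumption, not the page's policy): fall back to
    spec.ingressClassName when the legacy annotation is absent.

    Assumed CEL equivalent (not verified against a cluster):
      object.metadata.?annotations[?'kubernetes.io/ingress.class']
        .orValue(object.?spec.?ingressClassName.orValue('')) in ['HAProxy', 'nginx']
    """
    cls = annotation_class(obj) or (obj.get("spec") or {}).get("ingressClassName", "")
    return cls in ALLOWED_CLASSES


def ingress(name: str, annotation: str = None, class_name: str = None) -> Dict[str, Any]:
    """Build a minimal constructed networking.k8s.io/v1 Ingress object."""
    obj: Dict[str, Any] = {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "Ingress",
        "metadata": {"name": name},
        "spec": {},
    }
    if annotation is not None:
        obj["metadata"]["annotations"] = {ANNOTATION: annotation}
    if class_name is not None:
        obj["spec"]["ingressClassName"] = class_name
    return obj


# Constructed sample set covering the normal and edge cases.
SAMPLE_INGRESSES: List[Dict[str, Any]] = [
    ingress("web-nginx", annotation="nginx"),            # allowed
    ingress("web-haproxy", annotation="HAProxy"),        # allowed
    ingress("web-haproxy-lower", annotation="haproxy"),  # case mismatch: reported
    ingress("web-traefik", annotation="traefik"),        # unknown class: reported
    ingress("web-new-style", class_name="nginx"),        # annotation absent: reported by the page's rule
    ingress("web-no-class"),                             # nothing set: reported
]


def audit(objects: List[Dict[str, Any]],
          check: Callable[[Dict[str, Any]], bool] = allowed_by_policy) -> List[Tuple[str, bool]]:
    """Return (name, allowed) for each object under the given check."""
    return [(o["metadata"]["name"], check(o)) for o in objects]


if __name__ == "__main__":
    for name, ok in audit(SAMPLE_INGRESSES):
        print(f"{name:20s} {'pass' if ok else 'FAIL: Unknown ingress class.'}")
    print("--- with spec.ingressClassName fallback (extended, assumed) ---")
    for name, ok in audit(SAMPLE_INGRESSES, allowed_by_either_field):
        print(f"{name:20s} {'pass' if ok else 'FAIL: Unknown ingress class.'}")
```

Running it shows that `web-new-style`, which is a perfectly valid post-1.18 Ingress, is reported by the annotation-only rule; if your cluster uses `spec.ingressClassName`, the policy's expression needs the fallback or a second expression before it is switched to Enforce.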