Restrict Ingress defaultBackend in CEL expressions
An Ingress with no rules sends all traffic to a single default backend. The defaultBackend is conventionally a configuration option of the Ingress controller and is not specified in your Ingress resources. If none of the hosts or paths in the Ingress objects match the HTTP request, the traffic is routed to your default backend. In a multi-tenant environment, you want users to use explicit hosts; they should not be able to overwrite the global default backend service. This policy prohibits the use of the defaultBackend field.
Policy Definition
/other-cel/restrict-ingress-defaultbackend/restrict-ingress-defaultbackend.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-ingress-defaultbackend
  annotations:
    policies.kyverno.io/title: Restrict Ingress defaultBackend in CEL expressions
    policies.kyverno.io/category: Best Practices in CEL
    policies.kyverno.io/severity: high
    kyverno.io/kyverno-version: 1.11.0
    policies.kyverno.io/minversion: 1.11.0
    kyverno.io/kubernetes-version: "1.26-1.27"
    policies.kyverno.io/subject: Ingress
    policies.kyverno.io/description: >-
      An Ingress with no rules sends all traffic to a single default backend. The defaultBackend
      is conventionally a configuration option of the Ingress controller and is not specified in
      your Ingress resources. If none of the hosts or paths in the Ingress objects match the HTTP
      request, the traffic is routed to your default backend. In a multi-tenant environment, you
      want users to use explicit hosts; they should not be able to overwrite the global default
      backend service. This policy prohibits the use of the defaultBackend field.
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: restrict-ingress-defaultbackend
      match:
        any:
        - resources:
            kinds:
              - Ingress
            operations:
            - CREATE
            - UPDATE
      validate:
        cel:
          expressions:
            - expression: "!has(object.spec.defaultBackend)"
              message: Setting the defaultBackend field is prohibited.
```
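To see what the rule above decides for concrete Ingress objects, here is an added Python emulation (not Kyverno code) of the CEL check `!has(object.spec.defaultBackend)` run over three constructed manifests. It also shows the effect of `validationFailureAction`: with `Audit`, as shipped, a violation is only recorded and the request is still admitted; with `Enforce`, the same violation rejects it.

```python
"""Emulate the restrict-ingress-defaultbackend rule (added example, not Kyverno code)."""

MESSAGE = "Setting the defaultBackend field is prohibited."

# Constructed sample Ingress manifests, reduced to the fields the rule inspects.
INGRESS_CATCHALL = {  # no rules, only a defaultBackend: overrides the controller's global default
    "kind": "Ingress", "metadata": {"name": "ingress-catchall"},
    "spec": {"defaultBackend": {"service": {"name": "tenant-svc", "port": {"number": 80}}}},
}
INGRESS_HOSTED = {  # explicit host rule, no defaultBackend: what the policy wants tenants to write
    "kind": "Ingress", "metadata": {"name": "ingress-hosted"},
    "spec": {"rules": [{"host": "app.example.com", "http": {"paths": [
        {"path": "/", "pathType": "Prefix",
         "backend": {"service": {"name": "tenant-svc", "port": {"number": 80}}}}]}}]},
}
INGRESS_MIXED = {  # has rules AND a defaultBackend: still blocked, the field itself is prohibited
    "kind": "Ingress", "metadata": {"name": "ingress-mixed"},
    "spec": {"rules": INGRESS_HOSTED["spec"]["rules"],
             "defaultBackend": {"service": {"name": "tenant-svc", "port": {"number": 80}}}},
}


def has_default_backend(ingress: dict) -> bool:
    """Mirror CEL `has(object.spec.defaultBackend)`: true only when the key is present."""
    return "defaultBackend" in ingress.get("spec", {})


def evaluate(ingress: dict, failure_action: str = "Audit") -> dict:
    """Decide one CREATE/UPDATE request the way the rule's validationFailureAction would.

    A violation in Audit mode is recorded (reported) but the object is admitted;
    in Enforce mode the same violation rejects the request with the rule's message.
    """
    violated = has_default_backend(ingress)
    return {
        "name": ingress["metadata"]["name"],
        "violation": violated,
        "admitted": (not violated) or failure_action == "Audit",
        "message": MESSAGE if violated else "",
    }


if __name__ == "__main__":
    for action in ("Audit", "Enforce"):
        for manifest in (INGRESS_CATCHALL, INGRESS_HOSTED, INGRESS_MIXED):
            print(action, evaluate(manifest, action))
```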