Restrict Ingress Host with Wildcards in CEL expressions
Ingress hosts optionally accept a wildcard as an alternative to precise matching. In some cases, this may be too permissive as it would direct unintended traffic to the given Ingress resource. This policy enforces that any Ingress host does not contain a wildcard character.
Policy Definition
/other-cel/restrict-ingress-wildcard/restrict-ingress-wildcard.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-ingress-wildcard
  annotations:
    policies.kyverno.io/title: Restrict Ingress Host with Wildcards in CEL expressions
    policies.kyverno.io/category: Other in CEL
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.11.0
    policies.kyverno.io/minversion: 1.11.0
    kyverno.io/kubernetes-version: "1.26-1.27"
    policies.kyverno.io/subject: Ingress
    policies.kyverno.io/description: >-
      Ingress hosts optionally accept a wildcard as an alternative
      to precise matching. In some cases, this may be too permissive as it
      would direct unintended traffic to the given Ingress resource. This
      policy enforces that any Ingress host does not contain a wildcard
      character.
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: block-ingress-wildcard
      match:
        any:
        - resources:
            kinds:
              - Ingress
            operations:
            - CREATE
            - UPDATE
      validate:
        cel:
          expressions:
            - expression: "!object.spec.?rules.orValue([]).exists(rule, has(rule.host) && rule.host.contains('*'))"
              message: "Wildcards are not permitted as hosts."
```
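To see how the CEL expression behaves on edge cases (an Ingress with no `rules` at all, a rule with no `host`, a wildcard host), here is an added Python re-implementation of the same check run over constructed Ingress objects. This is not Kyverno's code and does not use a CEL engine; the `has_wildcard_host` and `evaluate` helpers are illustrative names.

```python
"""Plain-Python equivalent of the policy's CEL check, for offline reasoning.

CEL from the policy:
  !object.spec.?rules.orValue([]).exists(rule, has(rule.host) && rule.host.contains('*'))
Assumption: Ingress resources are supplied as dicts (e.g. a parsed manifest).
"""
from typing import Any

MESSAGE = "Wildcards are not permitted as hosts."


def has_wildcard_host(ingress: dict[str, Any]) -> bool:
    """True when any spec.rules[].host contains a '*' character.

    Mirrors the CEL semantics:
    - `spec.?rules.orValue([])`: a missing or null rules list is treated as
      empty, so an Ingress that only sets defaultBackend is not a violation.
    - `has(rule.host)`: rules without a host (match-all rules) are skipped
      instead of causing an evaluation error.
    """
    rules = ingress.get("spec", {}).get("rules") or []
    return any("*" in rule["host"] for rule in rules if "host" in rule)


def evaluate(ingress: dict[str, Any]) -> tuple[bool, str]:
    """Return (allowed, message) as the validate rule would report it."""
    if has_wildcard_host(ingress):
        return False, MESSAGE
    return True, ""


def ingress(*rules: dict[str, Any]) -> dict[str, Any]:
    """Build a constructed, minimal networking.k8s.io/v1 Ingress object."""
    spec: dict[str, Any] = {"rules": list(rules)} if rules else {}
    return {"apiVersion": "networking.k8s.io/v1", "kind": "Ingress", "spec": spec}


# Constructed sample objects (not from any real cluster).
EXACT_HOST = ingress({"host": "app.example.com"})
WILDCARD_HOST = ingress({"host": "app.example.com"}, {"host": "*.example.com"})
NO_HOST_RULE = ingress({"http": {"paths": []}})   # match-all rule, no host
NO_RULES = ingress()                               # defaultBackend-only style

if __name__ == "__main__":
    for name in ("EXACT_HOST", "WILDCARD_HOST", "NO_HOST_RULE", "NO_RULES"):
        allowed, msg = evaluate(globals()[name])
        print(f"{name:14} allowed={allowed} {msg}")
```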