Restrict Ingress Host with Wildcards in CEL expressions

Ingress hosts optionally accept a wildcard as an alternative to precise matching. In some cases, this may be too permissive as it would direct unintended traffic to the given Ingress resource. This policy enforces that any Ingress host does not contain a wildcard character.

Policy Definition

/other-cel/restrict-ingress-wildcard/restrict-ingress-wildcard.yaml

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-ingress-wildcard
  annotations:
    policies.kyverno.io/title: Restrict Ingress Host with Wildcards in CEL expressions
    policies.kyverno.io/category: Other in CEL
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.11.0
    policies.kyverno.io/minversion: 1.11.0
    kyverno.io/kubernetes-version: "1.26-1.27"
    policies.kyverno.io/subject: Ingress
    policies.kyverno.io/description: >-
      Ingress hosts optionally accept a wildcard as an alternative
      to precise matching. In some cases, this may be too permissive as it
      would direct unintended traffic to the given Ingress resource. This
      policy enforces that any Ingress host does not contain a wildcard
      character.
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: block-ingress-wildcard
      match:
        any:
        - resources:
            kinds:
              - Ingress
            operations:
            - CREATE
            - UPDATE
      validate:
        cel:
          expressions:
            - expression: "!object.spec.?rules.orValue([]).exists(rule, has(rule.host) && rule.host.contains('*'))"
              message: "Wildcards are not permitted as hosts."
```
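To see what the CEL expression accepts and rejects without a cluster, the following added example (not part of the Kyverno policy catalog) mirrors its logic in Python and runs it over constructed Ingress manifests, including the two edge cases the optional-field handling covers: an Ingress with no `spec.rules` at all and a rule with no `host`. The manifest contents and names are constructed for illustration.

```python
from typing import Any

# Constructed sample Ingress objects, reduced to the fields the policy inspects.
INGRESS_PLAIN_HOST = {
    "apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
    "metadata": {"name": "shop"},
    "spec": {"rules": [{"host": "shop.example.com"}]},
}
INGRESS_WILDCARD_HOST = {
    "apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
    "metadata": {"name": "catch-all"},
    "spec": {"rules": [{"host": "api.example.com"}, {"host": "*.example.com"}]},
}
# Edge case 1: only a defaultBackend, so spec.rules is absent entirely.
INGRESS_NO_RULES = {
    "kind": "Ingress", "metadata": {"name": "default-backend-only"},
    "spec": {"defaultBackend": {"service": {"name": "web", "port": {"number": 80}}}},
}
# Edge case 2: a rule with paths but no host (matches any host at the ingress controller).
INGRESS_RULE_WITHOUT_HOST = {
    "kind": "Ingress", "metadata": {"name": "any-host"},
    "spec": {"rules": [{"http": {"paths": [{"path": "/", "pathType": "Prefix"}]}}]},
}


def wildcard_hosts(ingress: dict[str, Any]) -> list[str]:
    """Return the host values that contain '*', mirroring the CEL sub-expressions:
    `spec.?rules.orValue([])` treats a missing rules list as empty rather than an error,
    and `has(rule.host) && rule.host.contains('*')` skips rules without a host."""
    rules = ingress.get("spec", {}).get("rules") or []
    return [rule["host"] for rule in rules if "host" in rule and "*" in rule["host"]]


def policy_allows(ingress: dict[str, Any]) -> bool:
    """The validate expression is the negation of `exists(...)`: the Ingress is
    admitted only when no rule carries a wildcard host."""
    return not wildcard_hosts(ingress)


if __name__ == "__main__":
    samples = (INGRESS_PLAIN_HOST, INGRESS_WILDCARD_HOST,
               INGRESS_NO_RULES, INGRESS_RULE_WITHOUT_HOST)
    for ing in samples:
        if policy_allows(ing):
            print(f"{ing['metadata']['name']}: pass")
        else:
            print(f"{ing['metadata']['name']}: fail - Wildcards are not permitted as hosts. "
                  f"offending hosts={wildcard_hosts(ing)}")
```

With `validationFailureAction: Audit` as shipped, a failing Ingress is admitted and recorded in the policy report; switching it to `Enforce` turns the same result into an admission rejection carrying the policy's message.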