Ensure Valid Ingress NGINX Controller and Annotations
This policy ensures that Ingress resources do not have certain disallowed annotations and that the ingress-nginx controller Pod is running an appropriate version of the image. It checks for the presence of the `nginx.ingress.kubernetes.io/server-snippet` annotation and disallows its usage, enforces specific values for `auth-tls-verify-client`, and ensures that the ingress-nginx controller image is of the required version.
Policy Definition
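apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: check-ingress-nginx-controller-version-and-annotation-policy
  annotations:
    policies.kyverno.io/title: Ensure Valid Ingress NGINX Controller and Annotations
    policies.kyverno.io/category: Ingress, Security
    policies.kyverno.io/severity: high
    # Version-looking values are quoted so that no YAML loader or formatter
    # retypes them; annotation values must be strings anyway.
    kyverno.io/kyverno-version: "1.11.0"
    policies.kyverno.io/minversion: "1.9.0"
    kyverno.io/kubernetes-version: "1.28"
    policies.kyverno.io/subject: Ingress, Pod
    policies.kyverno.io/description: >-
      This policy ensures that Ingress resources do not have certain disallowed annotations and that the ingress-nginx
      controller Pod is running an appropriate version of the image. It checks for the presence of the
      `nginx.ingress.kubernetes.io/server-snippet` annotation and disallows its usage, enforces specific values
      for `auth-tls-verify-client`, and ensures that the ingress-nginx controller image is of the required version.
spec:
  # Audit reports violations without blocking admission. Switch to Enforce
  # once existing Ingresses and controller Pods pass cleanly in Audit.
  validationFailureAction: Audit
  background: true
  rules:
    # Rule 1: the server-snippet annotation hands raw NGINX configuration to
    # the controller, so its presence on any Ingress is reported.
    # NOTE(review): only server-snippet is covered here; if the other
    # "*-snippet" annotations (e.g. configuration-snippet) are also disallowed
    # in this cluster, add them as further X() keys below.
    - name: validate-ingress-annotations
      match:
        any:
          - resources:
              kinds:
                - Ingress
      validate:
        message: "The annotation nginx.ingress.kubernetes.io/server-snippet is not allowed."
        pattern:
          metadata:
            # =() equality anchor: only evaluated when an annotations map
            # exists. Without it, an Ingress with no annotations at all fails
            # with "pattern and resource have different structures".
            =(annotations):
              # X() negation anchor: the key must be absent; its value is
              # ignored, so "*" is just the conventional placeholder.
              X(nginx.ingress.kubernetes.io/server-snippet): "*"

    # Rule 2: when the mTLS client-verification annotation is set, it must be
    # one of the values ingress-nginx understands.
    - name: validate-auth-tls-verify-client
      match:
        any:
          - resources:
              kinds:
                - Ingress
      # Skip Ingresses that do not carry the annotation. Without this guard
      # the deny key below resolves to nothing for them, which Kyverno is
      # liable to report as a variable-resolution error rather than a pass
      # -- TODO confirm against the target Kyverno version.
      preconditions:
        all:
          - key: "{{ request.object.metadata.annotations.\"nginx.ingress.kubernetes.io/auth-tls-verify-client\" || '' }}"
            operator: NotEquals
            value: ""
      validate:
        message: "auth-tls-verify-client annotation must be 'on', 'off', 'optional', or 'optional_no_ca'."
        deny:
          conditions:
            any:
              - key: "{{ request.object.metadata.annotations.\"nginx.ingress.kubernetes.io/auth-tls-verify-client\" }}"
                operator: AnyNotIn
                value:
                  - "on"
                  - "off"
                  - "optional"
                  - "optional_no_ca"

    # Rule 3: any Pod whose container is named "controller" must run the
    # v1.11 line of the ingress-nginx controller image.
    # NOTE(review): this rule evaluates every Pod in the cluster, so an
    # unrelated workload that also names a container "controller" would be
    # reported. Consider narrowing `match` to the ingress-nginx namespace
    # or labels -- TODO confirm the deployment's labels before doing so.
    # The registry is pinned on purpose: a controller pulled from a mirror
    # fails this check even at the right version.
    - name: ensure-ingress-nginx-controller-version-pattern
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "The ingress-nginx controller image version must start with v1.11."
        pattern:
          spec:
            containers:
              # (name) conditional anchor: only containers called "controller"
              # are checked; every other container, and every Pod without one,
              # passes. Without the anchor each container of every Pod would
              # have to be named "controller", failing all other Pods.
              - (name): controller
                image: "registry.k8s.io/ingress-nginx/controller:v1.11.*"

    # Rule 4: of the v1.11 line permitted above, v1.11.0 and v1.11.1 are
    # denied as well, so the effective floor is v1.11.2. The older lines are
    # kept so this rule stands on its own if rule 3 is ever removed.
    # NOTE(review): the two exact entries do not match the same tag with a
    # digest suffix (e.g. ":v1.11.0@sha256:..."); widening them with "*"
    # would also catch ":v1.11.10" and above, so they are left exact.
    - name: deny-lower-ingress-nginx-controller-versions
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "The ingress-nginx controller image version must be v1.11.2 or greater."
        deny:
          conditions:
            # Written as any:/all: like rule 2 rather than the older bare list.
            any:
              # JMESPath filter (same result as the JSONPath-style
              # "[?(@.name=='controller')]"). It yields [] when no container is
              # named "controller", and [] is never AnyIn the list, so such
              # Pods pass this rule.
              - key: "{{ request.object.spec.containers[?name=='controller'].image }}"
                operator: AnyIn
                value:
                  - "registry.k8s.io/ingress-nginx/controller:v1.11.0"
                  - "registry.k8s.io/ingress-nginx/controller:v1.11.1"
                  - "registry.k8s.io/ingress-nginx/controller:v1.10.*"
                  - "registry.k8s.io/ingress-nginx/controller:v1.9.*"
                  - "registry.k8s.io/ingress-nginx/controller:v1.8.*"
                  - "registry.k8s.io/ingress-nginx/controller:v1.7.*"
                  - "registry.k8s.io/ingress-nginx/controller:v1.6.*"
                  - "registry.k8s.io/ingress-nginx/controller:v1.5.*"
                  - "registry.k8s.io/ingress-nginx/controller:v1.4.*"
                  - "registry.k8s.io/ingress-nginx/controller:v1.3.*"
                  - "registry.k8s.io/ingress-nginx/controller:v1.2.*"
                  - "registry.k8s.io/ingress-nginx/controller:v1.1.*"
                  - "registry.k8s.io/ingress-nginx/controller:v1.0.*"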