Ingress Host Match TLS
Ingress resources that name a host which is not present in the TLS section can produce ingress routing failures, because the served TLS certificate may not correspond to the destination host. This policy ensures that every host named in an Ingress rule is also found in the list of TLS hosts.
Policy Definition
/other/ingress-host-match-tls/ingress-host-match-tls.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: ingress-host-match-tls
  annotations:
    policies.kyverno.io/title: Ingress Host Match TLS
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.6.0
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.20, 1.21"
    policies.kyverno.io/subject: Ingress
    policies.kyverno.io/description: >-
      Ingress resources which name a host name that is not present
      in the TLS section can produce ingress routing failures as a TLS
      certificate may not correspond to the destination host. This policy
      ensures that the host name in an Ingress rule is also found
      in the list of TLS hosts.
spec:
  background: false
  validationFailureAction: Audit
  rules:
  - name: host-match-tls
    match:
      any:
      - resources:
          kinds:
          - Ingress
    preconditions:
      all:
      - key: "{{request.operation || 'BACKGROUND'}}"
        operator: AnyIn
        value:
        - CREATE
        - UPDATE
    validate:
      message: "The host(s) in spec.rules[].host must match those in spec.tls[].hosts[]."
      deny:
        conditions:
          all:
          - key: "{{ (request.object.spec.rules[].host || `[]`) | sort(@) }}"
            operator: AnyNotIn
            value: "{{ (request.object.spec.tls[].hosts[] || `[]`) | sort(@) }}"
```
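To see what the deny condition above actually compares, here is an added Python re-implementation of the rule's two JMESPath expressions and its AnyNotIn check (example code, not part of the Kyverno policy library), run against two constructed Ingress manifests with hypothetical hosts. It reproduces the JMESPath behaviour that rules without a `host` contribute nothing and that a missing `spec.tls` or `spec.rules` is treated as an empty list, so it can be used to pre-check manifests before admission.

```python
# Added example: offline approximation of the ingress-host-match-tls deny condition.
from typing import Any, Dict, List


def rule_hosts(ingress: Dict[str, Any]) -> List[str]:
    """Equivalent of `spec.rules[].host || []`: hosts named in rules.
    Rules with no host (catch-all rules) are dropped, as a JMESPath projection drops nulls."""
    spec = ingress.get("spec") or {}
    return sorted(r["host"] for r in (spec.get("rules") or []) if r.get("host"))


def tls_hosts(ingress: Dict[str, Any]) -> List[str]:
    """Equivalent of `spec.tls[].hosts[] || []`: all TLS hosts, flattened."""
    spec = ingress.get("spec") or {}
    return sorted(h for t in (spec.get("tls") or []) for h in (t.get("hosts") or []))


def unmatched_hosts(ingress: Dict[str, Any]) -> List[str]:
    """Hosts that trigger the AnyNotIn deny: routed by a rule but absent from TLS."""
    covered = set(tls_hosts(ingress))
    return [h for h in rule_hosts(ingress) if h not in covered]


def is_compliant(ingress: Dict[str, Any]) -> bool:
    """True when the policy would not deny (or, in Audit mode, report) the Ingress."""
    return not unmatched_hosts(ingress)


# Constructed sample manifests (hypothetical hosts and secret names).
GOOD_INGRESS = {
    "apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
    "metadata": {"name": "shop"},
    "spec": {
        "tls": [{"hosts": ["shop.example.com", "api.example.com"], "secretName": "shop-tls"}],
        "rules": [{"host": "shop.example.com"}, {"host": "api.example.com"}],
    },
}
BAD_INGRESS = {
    "apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
    "metadata": {"name": "admin"},
    "spec": {
        "tls": [{"hosts": ["shop.example.com"], "secretName": "shop-tls"}],
        # admin.example.com is routed, but no TLS entry covers it -> policy violation
        "rules": [{"host": "shop.example.com"}, {"host": "admin.example.com"}],
    },
}

if __name__ == "__main__":
    for ing in (GOOD_INGRESS, BAD_INGRESS):
        print(ing["metadata"]["name"], "unmatched hosts:", unmatched_hosts(ing))
```

Note that, like the policy, this check is satisfied by an Ingress whose rules name no host at all, so it complements rather than replaces a policy requiring TLS to be present.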