Ingress Host Match TLS

An Ingress whose spec.rules[].host names a host that does not appear in spec.tls[].hosts can produce ingress routing failures, because the TLS certificate presented for that host may not correspond to it. This policy checks that every host named in an Ingress rule is also present in the list of TLS hosts. It compares host names only: it does not inspect the Secret referenced by spec.tls[].secretName, so a certificate that is present but issued for the wrong name is not caught, and rules that set no host (catch-all rules) have nothing to compare and are not checked. As shipped, validationFailureAction is Audit, so violations are reported but not blocked; set it to Enforce to reject non-matching Ingress resources at admission.

Policy Definition

/other/ingress-host-match-tls/ingress-host-match-tls.yaml

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: ingress-host-match-tls
  annotations:
    policies.kyverno.io/title: Ingress Host Match TLS
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.6.0
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.20, 1.21"
    policies.kyverno.io/subject: Ingress
    policies.kyverno.io/description: >-
      Ingress resources which name a host name that is not present
      in the TLS section can produce ingress routing failures as a TLS
      certificate may not correspond to the destination host. This policy
      ensures that the host name in an Ingress rule is also found
      in the list of TLS hosts.
spec:
  background: false
  validationFailureAction: Audit
  rules:
  - name: host-match-tls
    match:
      any:
      - resources:
          kinds:
          - Ingress
    preconditions:
      all:
      - key: "{{request.operation || 'BACKGROUND'}}"
        operator: AnyIn
        value:
        - CREATE
        - UPDATE
    validate:
      message: "The host(s) in spec.rules[].host must match those in spec.tls[].hosts[]."
      deny:
        conditions:
          all:
          - key: "{{ (request.object.spec.rules[].host || `[]`) | sort(@) }}"
            operator: AnyNotIn
            value: "{{ (request.object.spec.tls[].hosts[] || `[]`) | sort(@) }}"
```
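The same comparison, written out as an offline check that can run in CI before a manifest ever reaches admission. This is an added example, not Kyverno code and not part of the policy above; the Ingress manifests in it are constructed for illustration, and `make_ingress`, `check` and `run_all` are names chosen for the example. It walks through the edge cases the policy's two JMESPath expressions imply: an Ingress with no tls section, a tls entry that names a Secret but lists no hosts, and a catch-all rule with no host, which the policy has nothing to compare and therefore admits.

```python
"""Offline replica of the ingress-host-match-tls check.

Added example for this page; it is not Kyverno code, and the Ingress manifests
below are constructed for illustration. It mirrors the two JMESPath projections
the policy compares:

  request.object.spec.rules[].host   -> hosts of rules that set one. A JMESPath
                                        projection drops null results, so a rule
                                        with no host is simply skipped.
  request.object.spec.tls[].hosts[]  -> every TLS host name, flattened. A missing
                                        tls section, or a tls entry without
                                        hosts, contributes nothing.

and the AnyNotIn condition: deny when any rule host is absent from the TLS hosts.
This replica compares host names by exact string equality.
"""
from __future__ import annotations


def rule_hosts(ingress: dict) -> list[str]:
    """spec.rules[].host, sorted, with hostless (catch-all) rules dropped."""
    spec = ingress.get("spec") or {}
    return sorted(r["host"] for r in (spec.get("rules") or []) if r.get("host"))


def tls_hosts(ingress: dict) -> list[str]:
    """spec.tls[].hosts[], flattened and sorted; empty when there is no tls section."""
    spec = ingress.get("spec") or {}
    return sorted(h for t in (spec.get("tls") or []) for h in (t.get("hosts") or []))


def unmatched_hosts(ingress: dict) -> list[str]:
    """Rule hosts with no matching entry in spec.tls[].hosts.

    An empty result means the deny condition is false and the Ingress is
    admitted; a non-empty result is exactly the set of hosts that triggers it.
    """
    covered = set(tls_hosts(ingress))
    return [h for h in rule_hosts(ingress) if h not in covered]


def check(ingress: dict) -> tuple[str, str]:
    """Evaluate one Ingress and return ("pass" | "fail", message)."""
    name = (ingress.get("metadata") or {}).get("name", "<unnamed>")
    missing = unmatched_hosts(ingress)
    if missing:
        return "fail", (f"{name}: the host(s) in spec.rules[].host must match those "
                        f"in spec.tls[].hosts[] (uncovered: {', '.join(missing)})")
    return "pass", f"{name}: every rule host is listed in spec.tls"


def make_ingress(name: str, hosts: list, tls: list | None) -> dict:
    """Build a minimal networking.k8s.io/v1 Ingress; None in hosts makes a catch-all rule."""
    rules = []
    for h in hosts:
        rule = {"http": {"paths": [{"path": "/", "pathType": "Prefix",
                                    "backend": {"service": {"name": "web", "port": {"number": 80}}}}]}}
        if h is not None:
            rule["host"] = h
        rules.append(rule)
    spec = {"rules": rules}
    if tls is not None:
        spec["tls"] = tls
    return {"apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
            "metadata": {"name": name, "namespace": "web"}, "spec": spec}


# Constructed sample manifests (not taken from any real cluster).
SAMPLES = [
    make_ingress("all-hosts-covered",
                 ["app.example.com", "api.example.com"],
                 [{"hosts": ["app.example.com", "api.example.com"], "secretName": "web-tls"}]),
    make_ingress("missing-tls-host",
                 ["app.example.com", "admin.example.com"],
                 [{"hosts": ["app.example.com"], "secretName": "web-tls"}]),
    make_ingress("no-tls-section", ["app.example.com"], None),
    # Catch-all rule: no host, so the policy has nothing to compare and admits it.
    make_ingress("catch-all-rule", [None], None),
    # A tls entry that references a Secret but lists no hosts covers nothing.
    make_ingress("tls-without-hosts", ["app.example.com"], [{"secretName": "web-tls"}]),
]


def run_all() -> dict[str, tuple[str, str]]:
    """Evaluate every sample, keyed by Ingress name."""
    return {s["metadata"]["name"]: check(s) for s in SAMPLES}


if __name__ == "__main__":
    for name, (result, message) in run_all().items():
        print(f"[{result.upper():4}] {message}")
```

Run it directly to get one line per sample, or import `check` into a pre-commit hook or CI step. A passing result here, exactly as with the policy, means only that the names line up; it says nothing about whether the Secret named in secretName actually holds a certificate for those hosts.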