
Require Unique External DNS Services

ExternalDNS, part of Kubernetes SIGs, triggers the creation of external DNS records in supported providers when the annotation `external-dns.alpha.kubernetes.io/hostname` is present on a Service. As with internal DNS, duplicate names must be avoided. This policy requires that every such Service carry a hostname in that annotation's value which is unique across the cluster.

Policy Definition

/other/require-unique-external-dns/require-unique-external-dns.yaml

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: unique-external-dns
  annotations:
    policies.kyverno.io/title: Require Unique External DNS Services
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Service
    kyverno.io/kyverno-version: 1.5.1
    kyverno.io/kubernetes-version: "1.21"
    policies.kyverno.io/minversion: 1.6.0
    policies.kyverno.io/description: >-
      ExternalDNS, part of Kubernetes SIGs, triggers the creation of external DNS records in supported
      providers when the annotation `external-dns.alpha.kubernetes.io/hostname` is present. Like with
      internal DNS, duplicates must be avoided. This policy requires every such Service have a cluster-unique
      hostname present in the value of the annotation.
spec:
  validationFailureAction: Audit
  background: false
  rules:
  - name: ensure-valid-externaldns-annotation
    match:
      any:
      - resources:
          kinds:
          - Service
          annotations:
            external-dns.alpha.kubernetes.io/hostname: "*"
    context:
    # Looks up the external DNS hostname annotation of every other Service in the
    # cluster, excluding the Service being admitted (matched on namespace and name)
    # so that an update of an existing Service does not collide with itself.
    - name: alldns
      apiCall:
        urlPath: "/api/v1/services"
        jmesPath: "items[?[metadata.namespace, metadata.name] != ['{{request.object.metadata.namespace}}', '{{request.object.metadata.name}}']].metadata.annotations.\"external-dns.alpha.kubernetes.io/hostname\""
    preconditions:
      all:
      # Only evaluate on admission; request.operation is unset in background mode.
      - key: "{{ request.operation || 'BACKGROUND' }}"
        operator: AnyIn
        value:
        - CREATE
        - UPDATE
    validate:
      message: >-
        External DNS entry "{{request.object.metadata.annotations."external-dns.alpha.kubernetes.io/hostname"}}" is already
        taken by another service in the cluster.
      deny:
        conditions:
          all:
          # Deny if the "external-dns.alpha.kubernetes.io/hostname" annotation value is already taken
          - key: "{{request.object.metadata.annotations.\"external-dns.alpha.kubernetes.io/hostname\"}}"
            operator: AnyIn
            value: "{{alldns}}"
```
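To make the rule's decision concrete, here is an added example (not code from the Kyverno policies repository) that models the `alldns` context lookup and the `AnyIn` deny condition offline in plain Python, over a constructed Service list and constructed admission requests instead of a live API server and the JMESPath engine.

```python
# Added example (not from the Kyverno policies page): an offline model of the
# unique-external-dns rule. The Service list and requests are constructed, and
# the functions mimic the policy's context lookup and deny condition in plain
# Python rather than evaluating the JMESPath against a live API server.
HOSTNAME_ANNOTATION = "external-dns.alpha.kubernetes.io/hostname"


def service(namespace, name, hostname=None):
    """Minimal /api/v1/services item (constructed sample data)."""
    annotations = {HOSTNAME_ANNOTATION: hostname} if hostname else {}
    return {"metadata": {"namespace": namespace, "name": name,
                         "annotations": annotations}}


def all_dns(items, namespace, name):
    """Mirror the 'alldns' context variable: the hostname annotation of every
    Service except the one being admitted (matched on namespace + name).
    Services lacking the annotation contribute None, like the JMESPath null."""
    return [svc["metadata"].get("annotations", {}).get(HOSTNAME_ANNOTATION)
            for svc in items
            if [svc["metadata"]["namespace"], svc["metadata"]["name"]]
            != [namespace, name]]


def admit(operation, obj, items):
    """Decide as the rule would: 'skip' when the precondition (CREATE/UPDATE)
    fails or the Service carries no hostname annotation (match fails),
    'deny' when the hostname is AnyIn alldns, otherwise 'allow'."""
    meta = obj["metadata"]
    hostname = meta.get("annotations", {}).get(HOSTNAME_ANNOTATION)
    if operation not in ("CREATE", "UPDATE") or hostname is None:
        return "skip"
    taken = all_dns(items, meta["namespace"], meta["name"])
    return "deny" if hostname in taken else "allow"


# Constructed cluster state: two Services already own hostnames.
EXISTING = [
    service("web", "frontend", "shop.example.test"),
    service("api", "gateway", "api.example.test"),
    service("kube-system", "kube-dns"),  # no ExternalDNS annotation
]

if __name__ == "__main__":
    dup = service("staging", "frontend-v2", "shop.example.test")
    print(admit("CREATE", dup, EXISTING))   # deny: hostname already taken
    own = service("web", "frontend", "shop.example.test")
    print(admit("UPDATE", own, EXISTING))   # allow: own record is excluded
    print(admit("DELETE", dup, EXISTING))   # skip: precondition not met
```

With `validationFailureAction: Audit` as shipped, a `deny` outcome is only reported in the PolicyReport; switch it to `Enforce` to have the admission request rejected.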