Back to Policies

Require Unique External DNS Services

ExternalDNS, part of Kubernetes SIGs, triggers the creation of external DNS records in supported providers when the annotation`external-dns.alpha.kubernetes.io/hostname` is present. Like with internal DNS, duplicates must be avoided. This policy requires every such Service have a cluster-unique hostname present in the value of the annotation.

View on GitHub

Policy Definition 

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: unique-external-dns
  annotations:
    policies.kyverno.io/title: Require Unique External DNS Services
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Service
    kyverno.io/kyverno-version: 1.5.1
    kyverno.io/kubernetes-version: "1.21"
    policies.kyverno.io/minversion: 1.6.0
    policies.kyverno.io/description: ExternalDNS, part of Kubernetes SIGs, triggers the creation of external DNS records in supported providers when the annotation`external-dns.alpha.kubernetes.io/hostname` is present. Like with internal DNS, duplicates must be avoided. This policy requires every such Service have a cluster-unique hostname present in the value of the annotation.
spec:
  validationFailureAction: Audit
  background: false
  rules:
    - name: ensure-valid-externaldns-annotation
      match:
        any:
          - resources:
              kinds:
                - Service
              annotations:
                external-dns.alpha.kubernetes.io/hostname: "*"
      context:
        - name: alldns
          apiCall:
            urlPath: /api/v1/services
            jmesPath: items[?[metadata.namespace, metadata.name] != ['{{request.object.metadata.namespace}}', '{{request.object.metadata.name}}']].metadata.annotations."external-dns.alpha.kubernetes.io/hostname"
      preconditions:
        all:
          - key: "{{ request.operation || 'BACKGROUND' }}"
            operator: AnyIn
            value:
              - CREATE
              - UPDATE
      validate:
        message: External DNS entry "{{request.object.metadata.annotations."external-dns.alpha.kubernetes.io/hostname"}}" is already taken by another service in the cluster.
        deny:
          conditions:
            all:
              - key: "{{request.object.metadata.annotations.\"external-dns.alpha.kubernetes.io/hostname\"}}"
                operator: AnyIn
                value: "{{alldns}}"

Related Policies

ValidateMedium

Prevent Use of Default Project

This policy prevents the use of the default project in an Application.

Application
ValidateMedium

Require Encryption with AWS LoadBalancers

Services of type LoadBalancer when deployed inside AWS have support for transport encryption if it is enabled via an annotation. This policy requires that Services of type LoadBalancer contain the annotation service.beta.kubernetes.io/aws-load-balancer-ssl-cert with some value.

Service
ValidateMedium

Prevent Updates to Project

This policy prevents updates to the project field after an Application is created.

Application