Restrict Ingress defaultBackend
An Ingress with no rules sends all traffic to a single default backend. The defaultBackend is conventionally a configuration option of the Ingress controller and is not specified in your Ingress resources. If none of the hosts or paths in the Ingress objects match the HTTP request, the traffic is routed to your default backend. In a multi-tenant environment, you want users to use explicit hosts; they should not be able to overwrite the global default backend service. This policy prohibits the use of the defaultBackend field.
Policy Definition
/other/restrict-ingress-defaultbackend/restrict-ingress-defaultbackend.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-ingress-defaultbackend
  annotations:
    policies.kyverno.io/title: Restrict Ingress defaultBackend
    policies.kyverno.io/category: Best Practices
    policies.kyverno.io/severity: high
    kyverno.io/kyverno-version: 1.6.2
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/subject: Ingress
    policies.kyverno.io/description: >-
      An Ingress with no rules sends all traffic to a single default backend. The defaultBackend
      is conventionally a configuration option of the Ingress controller and is not specified in
      your Ingress resources. If none of the hosts or paths match the HTTP request in the Ingress
      objects, the traffic is routed to your default backend. In a multi-tenant environment, you
      want users to use explicit hosts, they should not be able to overwrite the global default backend
      service. This policy prohibits the use of the defaultBackend field.
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: restrict-ingress-defaultbackend
      match:
        any:
        - resources:
            kinds:
            - Ingress
      validate:
        message: Setting the defaultBackend field is prohibited.
        pattern:
          spec:
            X(defaultBackend): "null"
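
Two Ingress manifests that show what the pattern above matches, added here as an example and not part of the policy repository. The names, namespace, host and Service are constructed for illustration.

```yaml
# Constructed sample manifests; names, namespace and host are hypothetical.
# Flagged by the policy: spec.defaultBackend is present. With no rules,
# this Ingress sends all of its traffic to the tenant's Service.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: catch-all
  namespace: tenant-a
spec:
  defaultBackend:
    service:
      name: tenant-a-web
      port:
        number: 80
---
# Passes the policy: traffic is routed only for an explicit host and path,
# and spec.defaultBackend is absent.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web
  namespace: tenant-a
spec:
  rules:
    - host: app.tenant-a.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: tenant-a-web
                port:
                  number: 80
```

With validationFailureAction set to Audit as in the policy above, the first manifest is still admitted and the violation is recorded in a policy report rather than blocked at admission.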