Back to Policies

Restrict Ingress defaultBackend

An Ingress with no rules sends all traffic to a single default backend. The defaultBackend is conventionally a configuration option of the Ingress controller and is not specified in your Ingress resources. If none of the hosts or paths match the HTTP request in the Ingress objects, the traffic is routed to your default backend. In a multi-tenant environment, you want users to use explicit hosts, they should not be able to overwrite the global default backend service. This policy prohibits the use of the defaultBackend field.

View on GitHub

Policy Definition 

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-ingress-defaultbackend
  annotations:
    policies.kyverno.io/title: Restrict Ingress defaultBackend
    policies.kyverno.io/category: Best Practices
    policies.kyverno.io/severity: high
    kyverno.io/kyverno-version: 1.6.2
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/subject: Ingress
    policies.kyverno.io/description: An Ingress with no rules sends all traffic to a single default backend. The defaultBackend is conventionally a configuration option of the Ingress controller and is not specified in your Ingress resources. If none of the hosts or paths match the HTTP request in the Ingress objects, the traffic is routed to your default backend. In a multi-tenant environment, you want users to use explicit hosts, they should not be able to overwrite the global default backend service. This policy prohibits the use of the defaultBackend field.
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: restrict-ingress-defaultbackend
      match:
        any:
          - resources:
              kinds:
                - Ingress
      validate:
        message: Setting the defaultBackend field is prohibited.
        pattern:
          spec:
            X(defaultBackend): "null"

Related Policies

ValidateMedium

Prevent Use of Default Project

This policy prevents the use of the default project in an Application.

Application
ValidateMedium

Require Encryption with AWS LoadBalancers

Services of type LoadBalancer when deployed inside AWS have support for transport encryption if it is enabled via an annotation. This policy requires that Services of type LoadBalancer contain the annotation service.beta.kubernetes.io/aws-load-balancer-ssl-cert with some value.

Service
ValidateMedium

Prevent Updates to Project

This policy prevents updates to the project field after an Application is created.

Application