Back to Policies

Unique Ingress Host

An Ingress host is a URL at which services may be made available externally. In most cases, these hosts should be unique across the cluster to ensure no routing conflicts occur. This policy checks an incoming Ingress resource to ensure its hosts are unique to the cluster. It also ensures that only a single host may be specified in a given manifest.

View on GitHub

Policy Definition 

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: unique-ingress-host
  annotations:
    policies.kyverno.io/title: Unique Ingress Host
    policies.kyverno.io/category: Sample
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Ingress
    policies.kyverno.io/minversion: 1.6.0
    policies.kyverno.io/description: "An Ingress host is a URL at which services may be made available externally. In most cases, these hosts should be unique across the cluster to ensure no routing conflicts occur. This policy checks an incoming Ingress resource to ensure its hosts are unique to the cluster. It also ensures that only a single host may be specified in a given manifest.      "
spec:
  validationFailureAction: Audit
  background: false
  rules:
    - name: check-single-host-create
      match:
        any:
          - resources:
              kinds:
                - Ingress
      context:
        - name: hosts
          apiCall:
            urlPath: /apis/networking.k8s.io/v1/ingresses
            jmesPath: items[].spec.rules[].host
      preconditions:
        all:
          - key: "{{request.operation || 'BACKGROUND'}}"
            operator: Equals
            value: CREATE
      validate:
        message: The Ingress host name must be unique.
        deny:
          conditions:
            all:
              - key: "{{ request.object.spec.rules[].host }}"
                operator: AnyIn
                value: "{{ hosts }}"
    - name: check-single-host-update
      match:
        any:
          - resources:
              kinds:
                - Ingress
      preconditions:
        all:
          - key: "{{request.operation || 'BACKGROUND'}}"
            operator: Equals
            value: UPDATE
      context:
        - name: allhosts
          apiCall:
            urlPath: /apis/networking.k8s.io/v1/ingresses
            jmesPath: items[?metadata.uid!='{{ request.object.metadata.uid }}'].spec.rules[].host
      validate:
        message: The Ingress host name must be unique.
        deny:
          conditions:
            all:
              - key: "{{ request.object.spec.rules[].host }}"
                operator: AnyIn
                value: "{{ allhosts }}"
    - name: deny-multiple-hosts
      match:
        any:
          - resources:
              kinds:
                - Ingress
      preconditions:
        all:
          - key: "{{request.operation || 'BACKGROUND'}}"
            operator: AnyIn
            value:
              - CREATE
              - UPDATE
          - key: "{{ request.object.spec.rules[].host | length(@)}}"
            operator: GreaterThan
            value: 1
      validate:
        message: An Ingress resource may only contain a single host entry.
        deny: {}

Related Policies

ValidateMedium

Prevent Use of Default Project in CEL expressions

This policy prevents the use of the default project in an Application.

Application
ValidateMedium

Prevent Updates to Project in CEL expressions

This policy prevents updates to the project field after an Application is created.

Application
ValidateMedium

Ensure ApplicationSet Name Matches Project in CEL expressions

This policy ensures that the name of the ApplicationSet is the same value provided in the project.

ApplicationSet