Back to Policies

Unique Ingress Host

An Ingress host is a URL at which services may be made available externally. In most cases, these hosts should be unique across the cluster to ensure no routing conflicts occur. This policy checks an incoming Ingress resource to ensure its hosts are unique to the cluster. It also ensures that only a single host may be specified in a given manifest.

View on GitHub

Policy Definition 

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: unique-ingress-host
  annotations:
    policies.kyverno.io/title: Unique Ingress Host
    policies.kyverno.io/category: Sample
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Ingress
    policies.kyverno.io/minversion: 1.6.0
    policies.kyverno.io/description: "An Ingress host is a URL at which services may be made available externally. In most cases, these hosts should be unique across the cluster to ensure no routing conflicts occur. This policy checks an incoming Ingress resource to ensure its hosts are unique to the cluster. It also ensures that only a single host may be specified in a given manifest.      "
spec:
  validationFailureAction: Audit
  background: false
  rules:
    - name: check-single-host-create
      match:
        any:
          - resources:
              kinds:
                - Ingress
      context:
        - name: hosts
          apiCall:
            urlPath: /apis/networking.k8s.io/v1/ingresses
            jmesPath: items[].spec.rules[].host
      preconditions:
        all:
          - key: "{{request.operation || 'BACKGROUND'}}"
            operator: Equals
            value: CREATE
      validate:
        message: The Ingress host name must be unique.
        deny:
          conditions:
            all:
              - key: "{{ request.object.spec.rules[].host }}"
                operator: AnyIn
                value: "{{ hosts }}"
    - name: check-single-host-update
      match:
        any:
          - resources:
              kinds:
                - Ingress
      preconditions:
        all:
          - key: "{{request.operation || 'BACKGROUND'}}"
            operator: Equals
            value: UPDATE
      context:
        - name: allhosts
          apiCall:
            urlPath: /apis/networking.k8s.io/v1/ingresses
            jmesPath: items[?metadata.uid!='{{ request.object.metadata.uid }}'].spec.rules[].host
      validate:
        message: The Ingress host name must be unique.
        deny:
          conditions:
            all:
              - key: "{{ request.object.spec.rules[].host }}"
                operator: AnyIn
                value: "{{ allhosts }}"
    - name: deny-multiple-hosts
      match:
        any:
          - resources:
              kinds:
                - Ingress
      preconditions:
        all:
          - key: "{{request.operation || 'BACKGROUND'}}"
            operator: AnyIn
            value:
              - CREATE
              - UPDATE
          - key: "{{ request.object.spec.rules[].host | length(@)}}"
            operator: GreaterThan
            value: 1
      validate:
        message: An Ingress resource may only contain a single host entry.
        deny: {}

Related Policies

ValidateMedium

Prevent Use of Default Project

This policy prevents the use of the default project in an Application.

Application
ValidateMedium

Require Encryption with AWS LoadBalancers

Services of type LoadBalancer when deployed inside AWS have support for transport encryption if it is enabled via an annotation. This policy requires that Services of type LoadBalancer contain the annotation service.beta.kubernetes.io/aws-load-balancer-ssl-cert with some value.

Service
ValidateMedium

Prevent Updates to Project

This policy prevents updates to the project field after an Application is created.

Application