All Policies
Unique Ingress Host
An Ingress host is a URL at which services may be made available externally. In most cases, these hosts should be unique across the cluster to ensure no routing conflicts occur. This policy checks an incoming Ingress resource to ensure its hosts are unique to the cluster. It also ensures that only a single host may be specified in a given manifest.
Policy Definition
/other/restrict_ingress_host/restrict_ingress_host.yaml
1apiVersion: kyverno.io/v1
2kind: ClusterPolicy
3metadata:
4 name: unique-ingress-host
5 annotations:
6 policies.kyverno.io/title: Unique Ingress Host
7 policies.kyverno.io/category: Sample
8 policies.kyverno.io/severity: medium
9 policies.kyverno.io/subject: Ingress
10 policies.kyverno.io/minversion: 1.6.0
11 policies.kyverno.io/description: >-
12 An Ingress host is a URL at which services may be made available externally. In most cases,
13 these hosts should be unique across the cluster to ensure no routing conflicts occur.
14 This policy checks an incoming Ingress resource to ensure its hosts are unique to the cluster.
15 It also ensures that only a single host may be specified in a given manifest.
16spec:
17 validationFailureAction: audit
18 background: false
19 rules:
20 - name: check-single-host
21 match:
22 any:
23 - resources:
24 kinds:
25 - Ingress
26 context:
27 - name: hosts
28 apiCall:
29 urlPath: "/apis/networking.k8s.io/v1/ingresses"
30 jmesPath: "items[].spec.rules[].host"
31 preconditions:
32 all:
33 - key: "{{ request.operation || 'BACKGROUND' }}"
34 operator: Equals
35 value: CREATE
36 - key: "{{ request.object.spec.rules[].host }}"
37 operator: AnyIn
38 value: "{{ hosts }}"
39 validate:
40 message: "The Ingress host name must be unique."
41 deny: {}
42 - name: deny-multiple-hosts
43 match:
44 any:
45 - resources:
46 kinds:
47 - Ingress
48 preconditions:
49 all:
50 - key: "{{ request.operation || 'BACKGROUND' }}"
51 operator: Equals
52 value: CREATE
53 - key: "{{ request.object.spec.rules[].host | length(@)}}"
54 operator: GreaterThan
55 value: 1
56 validate:
57 message: "An Ingress resource may only contain a single host entry."
58 deny: {}