All Policies

Unique Ingress Host

An Ingress host is a URL at which services may be made available externally. In most cases, these hosts should be unique across the cluster to ensure no routing conflicts occur. This policy checks an incoming Ingress resource to ensure its hosts are unique to the cluster. It also ensures that only a single host may be specified in a given manifest.

Policy Definition

/other/restrict_ingress_host/restrict_ingress_host.yaml

 1apiVersion: kyverno.io/v1
 2kind: ClusterPolicy
 3metadata:
 4  name: unique-ingress-host
 5  annotations:
 6    policies.kyverno.io/title: Unique Ingress Host
 7    policies.kyverno.io/category: Sample
 8    policies.kyverno.io/severity: medium
 9    policies.kyverno.io/subject: Ingress
10    policies.kyverno.io/minversion: 1.3.2
11    policies.kyverno.io/description: >-
12      An Ingress host is a URL at which services may be made available externally. In most cases,
13      these hosts should be unique across the cluster to ensure no routing conflicts occur.
14      This policy checks an incoming Ingress resource to ensure its hosts are unique to the cluster.
15      It also ensures that only a single host may be specified in a given manifest.      
16spec:
17  validationFailureAction: audit
18  background: false
19  rules:
20    - name: check-single-host
21      match:
22        resources:
23          kinds:
24            - Ingress
25      context:
26        - name: hosts
27          apiCall:
28            urlPath: "/apis/networking.k8s.io/v1/ingresses"
29            jmesPath: "items[].spec.rules[].host"
30      preconditions:
31        all:
32        - key: "{{ request.operation }}"
33          operator: Equals
34          value: CREATE
35        - key: "{{ request.object.spec.rules[].host }}"
36          operator: In
37          value: "{{ hosts }}"
38      validate:
39        message: "The Ingress host name must be unique."
40        deny: {}
41    - name: deny-multiple-hosts
42      match:
43        resources:
44          kinds:
45            - Ingress
46      preconditions:
47        all:
48        - key: "{{ request.operation }}"
49          operator: Equals
50          value: CREATE
51        - key: "{{ request.object.spec.rules[].host | length(@)}}"
52          operator: GreaterThan
53          value: 1
54      validate:
55        message: "An Ingress resource may only contain a single host entry."
56        deny: {}