All Policies
Unique Ingress Host
An Ingress host is a URL at which services may be made available externally. In most cases, these hosts should be unique across the cluster to ensure no routing conflicts occur. This policy checks an incoming Ingress resource to ensure its hosts are unique to the cluster. It also ensures that only a single host may be specified in a given manifest.
Policy Definition
/other/restrict_ingress_host/restrict_ingress_host.yaml
1apiVersion: kyverno.io/v1
2kind: ClusterPolicy
3metadata:
4 name: unique-ingress-host
5 annotations:
6 policies.kyverno.io/title: Unique Ingress Host
7 policies.kyverno.io/category: Sample
8 policies.kyverno.io/severity: medium
9 policies.kyverno.io/subject: Ingress
10 policies.kyverno.io/minversion: 1.3.2
11 policies.kyverno.io/description: >-
12 An Ingress host is a URL at which services may be made available externally. In most cases,
13 these hosts should be unique across the cluster to ensure no routing conflicts occur.
14 This policy checks an incoming Ingress resource to ensure its hosts are unique to the cluster.
15 It also ensures that only a single host may be specified in a given manifest.
16spec:
17 validationFailureAction: audit
18 background: false
19 rules:
20 - name: check-single-host
21 match:
22 resources:
23 kinds:
24 - Ingress
25 context:
26 - name: hosts
27 apiCall:
28 urlPath: "/apis/networking.k8s.io/v1/ingresses"
29 jmesPath: "items[].spec.rules[].host"
30 preconditions:
31 all:
32 - key: "{{ request.operation }}"
33 operator: Equals
34 value: CREATE
35 - key: "{{ request.object.spec.rules[].host }}"
36 operator: In
37 value: "{{ hosts }}"
38 validate:
39 message: "The Ingress host name must be unique."
40 deny: {}
41 - name: deny-multiple-hosts
42 match:
43 resources:
44 kinds:
45 - Ingress
46 preconditions:
47 all:
48 - key: "{{ request.operation }}"
49 operator: Equals
50 value: CREATE
51 - key: "{{ request.object.spec.rules[].host | length(@)}}"
52 operator: GreaterThan
53 value: 1
54 validate:
55 message: "An Ingress resource may only contain a single host entry."
56 deny: {}