Unique Ingress Host

An Ingress host is a URL at which services may be made available externally. In most cases, these hosts should be unique across the cluster to ensure no routing conflicts occur. This policy checks an incoming Ingress resource to ensure its hosts are unique to the cluster. It also ensures that only a single host may be specified in a given manifest.

Policy Definition

/other/restrict_ingress_host/restrict_ingress_host.yaml

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: unique-ingress-host
  annotations:
    policies.kyverno.io/title: Unique Ingress Host
    policies.kyverno.io/category: Sample
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Ingress
    policies.kyverno.io/minversion: 1.6.0
    policies.kyverno.io/description: >-
      An Ingress host is a URL at which services may be made available externally. In most cases,
      these hosts should be unique across the cluster to ensure no routing conflicts occur.
      This policy checks an incoming Ingress resource to ensure its hosts are unique to the cluster.
      It also ensures that only a single host may be specified in a given manifest.
spec:
  # audit: violations are reported, the request is not blocked.
  validationFailureAction: audit
  # false: the policy is not applied to existing resources by background scans.
  background: false
  rules:
    # Despite its name, this rule is the cluster-wide host uniqueness check.
    - name: check-single-host
      match:
        any:
        - resources:
            kinds:
              - Ingress
      context:
        # Collect every host already defined on an Ingress in the cluster.
        - name: hosts
          apiCall:
            urlPath: "/apis/networking.k8s.io/v1/ingresses"
            jmesPath: "items[].spec.rules[].host"
      preconditions:
        all:
        # Only CREATE requests are evaluated.
        - key: "{{ request.operation || 'BACKGROUND' }}"
          operator: Equals
          value: CREATE
        # True when any host in the incoming Ingress is already in use.
        - key: "{{ request.object.spec.rules[].host }}"
          operator: AnyIn
          value: "{{ hosts }}"
      validate:
        message: "The Ingress host name must be unique."
        # Deny whenever all preconditions above hold.
        deny: {}
    - name: deny-multiple-hosts
      match:
        any:
        - resources:
            kinds:
              - Ingress
      preconditions:
        all:
        # Only CREATE requests are evaluated.
        - key: "{{ request.operation || 'BACKGROUND' }}"
          operator: Equals
          value: CREATE
        # True when the manifest carries more than one host entry.
        - key: "{{ request.object.spec.rules[].host | length(@)}}"
          operator: GreaterThan
          value: 1
      validate:
        message: "An Ingress resource may only contain a single host entry."
        # Deny whenever all preconditions above hold.
        deny: {}
```
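The decision logic of the two rules above, modelled in plain Python as an added example (not part of the policy or of Kyverno) so the covered and uncovered cases can be checked offline. The helper names and sample Ingress objects are constructed, and `AnyIn` is modelled as exact string equality, which is an assumption.

```python
# Added example: a plain-Python model of the two rules in unique-ingress-host.
# Sample objects are constructed; AnyIn is modelled as exact equality (assumption).

def hosts_of(ingress):
    """Mirror JMESPath spec.rules[].host: missing rules or hosts are dropped."""
    rules = (ingress.get("spec") or {}).get("rules") or []
    return [r["host"] for r in rules if r.get("host") is not None]

def evaluate(operation, incoming, cluster_ingresses):
    """Return the names of the policy rules whose deny condition is met."""
    if operation != "CREATE":  # both rules carry the CREATE precondition
        return []
    # Context variable 'hosts': items[].spec.rules[].host over the whole cluster.
    existing = {h for ing in cluster_ingresses for h in hosts_of(ing)}
    requested = hosts_of(incoming)
    fired = []
    if any(h in existing for h in requested):  # AnyIn
        fired.append("check-single-host")
    if len(requested) > 1:  # GreaterThan 1
        fired.append("deny-multiple-hosts")
    return fired

def ingress(*hosts):
    """Build a minimal constructed Ingress; None yields a rule without a host."""
    return {"kind": "Ingress", "spec": {"rules": [
        {"host": h} if h else {"http": {"paths": []}} for h in hosts]}}

# Constructed cluster state: one named host, one host-less rule, one Ingress
# with no rules at all (default backend only).
CLUSTER = [ingress("shop.example.com"), ingress(None),
           {"kind": "Ingress", "spec": {}}]

if __name__ == "__main__":
    cases = [
        ("CREATE", ingress("shop.example.com")),                   # duplicate host
        ("CREATE", ingress("a.example.com", "b.example.com")),     # two hosts
        ("CREATE", ingress("new.example.com")),                    # clean
        ("CREATE", ingress(None)),                                 # host-less rule
        ("UPDATE", ingress("shop.example.com", "b.example.com")),  # not CREATE
    ]
    for op, obj in cases:
        print(op, hosts_of(obj), "->", evaluate(op, obj, CLUSTER) or "no violation")
```

The last case shows that neither rule fires on UPDATE, so a host that is duplicated or added after creation passes this policy as written.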