Similar to the ability to check the uniqueness of hosts and paths independently, it is possible to check for uniqueness of them both together across a cluster. This policy ensures that no Ingress can be created or updated unless it is globally unique with respect to host plus path combination.
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: unique-ingress-host-and-path
  annotations:
    policies.kyverno.io/title: Unique Ingress Host and Path
    policies.kyverno.io/category: Sample
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Ingress
    kyverno.io/kyverno-version: 1.7.0
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/description: >-
      Similar to the ability to check the uniqueness of hosts and paths independently,
      it is possible to check for uniqueness of them both together across a cluster.
      This policy ensures that no Ingress can be created or updated unless it is
      globally unique with respect to host plus path combination.
spec:
  validationFailureAction: Audit
  background: false
  rules:
    - name: check-host-path-combo
      match:
        any:
          - resources:
              kinds:
                - Ingress
      preconditions:
        all:
          - key: "{{ request.operation || 'BACKGROUND' }}"
            operator: NotEquals
            value: DELETE
      context:
        - name: rules
          apiCall:
            urlPath: /apis/networking.k8s.io/v1/ingresses
            jmesPath: items[].spec.rules[]
      validate:
        message: The Ingress host and path combination must be unique across the cluster.
        foreach:
          - list: request.object.spec.rules[]
            deny:
              conditions:
                all:
                  - key: "{{ element.http.paths[].path }}"
                    operator: AnyIn
                    value: "{{ rules[?host=='{{element.host}}'][].http.paths[].path }}"
```
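The deny condition of this policy, modelled in Python as an added example (not part of the policy or of the Kyverno project). The helper names and the sample Ingresses are constructed for illustration, and every sample rule is assumed to carry both a `host` and an `http` block.

```python
# Added illustration: a Python model of the policy's deny condition.
# The Ingress objects below are constructed, not taken from a real cluster.

def cluster_rules(ingresses):
    """Mirror of jmesPath `items[].spec.rules[]`: flatten every rule in the cluster."""
    return [r for ing in ingresses for r in ing.get("spec", {}).get("rules", [])]

def paths_of(rule):
    """Mirror of `http.paths[].path`; a rule without http yields no paths (assumption)."""
    return [p["path"] for p in (rule.get("http") or {}).get("paths", []) if "path" in p]

def violations(incoming, existing):
    """Return the (host, path) pairs of `incoming` already used by a rule in `existing`."""
    rules = cluster_rules(existing)
    hits = []
    for element in incoming["spec"].get("rules", []):           # foreach list
        # rules[?host=='<element.host>'][].http.paths[].path
        taken = {p for r in rules if r.get("host") == element.get("host")
                 for p in paths_of(r)}
        # AnyIn: any incoming path present in the paths already taken
        hits += [(element.get("host"), p) for p in paths_of(element) if p in taken]
    return hits

def ingress(name, host, *paths):
    """Build a minimal constructed Ingress with one rule."""
    return {"metadata": {"name": name},
            "spec": {"rules": [{"host": host,
                                "http": {"paths": [{"path": p} for p in paths]}}]}}

# Constructed cluster state, standing in for the apiCall result.
CLUSTER = [ingress("shop", "shop.example.com", "/", "/cart"),
           ingress("api", "api.example.com", "/v1")]

if __name__ == "__main__":
    # Same host, unused path: no violation.
    print(violations(ingress("shop-admin", "shop.example.com", "/admin"), CLUSTER))
    # Same host and an already used path: reported.
    print(violations(ingress("rogue", "shop.example.com", "/cart", "/new"), CLUSTER))
    # Same path on a different host: no violation.
    print(violations(ingress("other", "other.example.com", "/cart"), CLUSTER))
    # UPDATE of "shop": its stored copy is part of the listed state, so it matches itself.
    print(violations(ingress("shop", "shop.example.com", "/", "/cart"), CLUSTER))
```

The last case shows why the rule deserves testing in `Audit` mode first: the list of cluster Ingresses includes the stored copy of an object being updated, so an unchanged host and path pair matches its own earlier version.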
This policy prevents the use of the default project in an Application.
Services of type LoadBalancer when deployed inside AWS have support for transport encryption if it is enabled via an annotation. This policy requires that Services of type LoadBalancer contain the annotation service.beta.kubernetes.io/aws-load-balancer-ssl-cert with some value.
This policy prevents updates to the project field after an Application is created.