Unique Ingress Path

Just like the need to ensure uniqueness among Ingress hosts, there is a need to have the paths be unique as well. This policy checks an incoming Ingress to ensure its root path does not conflict with another root path in a different Namespace. It requires that incoming Ingress resources have a single rule with a single path only, and it assumes the root path is specified explicitly in an existing Ingress rule (for example, to block /foo/bar, an existing Ingress must contain the path /foo on its own; a path such as /foo/baz does not count).

Policy Definition

/other/unique-ingress-paths/unique-ingress-paths.yaml

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: unique-ingress-path
  annotations:
    policies.kyverno.io/title: Unique Ingress Path
    policies.kyverno.io/category: Sample
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Ingress
    policies.kyverno.io/minversion: 1.6.0
    policies.kyverno.io/description: >-
      Just like the need to ensure uniqueness among Ingress hosts, there is a need to have the paths
      be unique as well. This policy checks an incoming Ingress to ensure its root path does not conflict with another
      root path in a different Namespace. It requires that incoming Ingress resources have a single
      rule with a single path only and assumes the root path is specified explicitly in an
      existing Ingress rule (ex., when blocking /foo/bar /foo must exist by itself and not part of
      /foo/baz).
spec:
  validationFailureAction: Audit
  background: false
  rules:
    - name: check-path
      match:
        any:
        - resources:
            kinds:
              - Ingress
      context:
        # Looks up the Ingress paths across the whole cluster.
        - name: allpaths
          apiCall:
            urlPath: "/apis/networking.k8s.io/v1/ingresses"
            jmesPath: "items[].spec.rules[].http.paths[].path"
        # Looks up the Ingress paths in the same Namespace where the incoming request is targeted.
        - name: nspath
          apiCall:
            urlPath: "/apis/networking.k8s.io/v1/namespaces/{{request.object.metadata.namespace}}/ingresses"
            jmesPath: "items[].spec.rules[].http.paths[].path"
      preconditions:
        any:
        - key: "{{request.operation || 'BACKGROUND'}}"
          operator: AnyIn
          value:
          - CREATE
          - UPDATE
      validate:
        message: >-
          The root path /{{request.object.spec.rules[].http.paths[].path | [0] | to_string(@) | split(@, '/') | [1]}} exists
          in another Ingress rule elsewhere in the cluster.
        deny:
          conditions:
            all:
              # Deny if the root path of the request exists somewhere else in the cluster other than the same Namespace.
              - key: /{{request.object.spec.rules[].http.paths[].path | [0] | to_string(@) | split(@, '/') | [1]}}
                operator: AnyIn
                value: "{{allpaths}}"
              - key: /{{request.object.spec.rules[].http.paths[].path | [0] | to_string(@) | split(@, '/') | [1]}}
                operator: AnyNotIn
                value: "{{nspath}}"
```
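To see exactly what the two deny conditions admit and reject, the following is an added Python re-implementation of the rule's logic (not part of the Kyverno policy or project): `root_path` mirrors the `split(@, '/') | [1]` JMESPath extraction, and `deny_reason` applies the `AnyIn allpaths` / `AnyNotIn nspath` pair over a constructed set of existing Ingress objects. The `Ingress` dataclass and the sample cluster are assumptions made for the example.

```python
"""Local simulation of the unique-ingress-path deny logic (added example)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Ingress:
    namespace: str
    paths: List[str]  # flattened spec.rules[].http.paths[].path


def root_path(path: str) -> str:
    """Mirror the policy's `to_string(@) | split(@, '/') | [1]`, prefixed with '/'.

    "/foo/bar" -> ["", "foo", "bar"] -> "foo" -> "/foo"
    """
    parts = str(path).split("/")
    # A bare "" path has no second segment; treat it as the root "/" (assumption).
    return "/" + (parts[1] if len(parts) > 1 else "")


def deny_reason(request: Ingress, existing: List[Ingress]) -> Optional[str]:
    """Return the policy's deny message, or None when the Ingress is admitted."""
    # Context variable `allpaths`: every path of every Ingress in the cluster.
    allpaths = [p for ing in existing for p in ing.paths]
    # Context variable `nspath`: every path in the request's own Namespace.
    nspath = [p for ing in existing if ing.namespace == request.namespace
              for p in ing.paths]
    # The policy only inspects the first path of the incoming object ([0]).
    root = root_path(request.paths[0])
    # Deny conditions (all): root AnyIn allpaths AND root AnyNotIn nspath.
    # Note the exact-match semantics: an existing "/foo/baz" does not make
    # "/foo" present, which is the limitation the description calls out.
    if root in allpaths and root not in nspath:
        return (f"The root path {root} exists in another Ingress rule "
                "elsewhere in the cluster.")
    return None


# Constructed sample cluster state: two Ingresses in two Namespaces.
CLUSTER = [Ingress("team-a", ["/foo"]), Ingress("team-b", ["/bar/baz"])]

if __name__ == "__main__":
    for req in (Ingress("team-c", ["/foo/bar"]),   # denied: /foo owned by team-a
                Ingress("team-a", ["/foo/api"]),   # admitted: same Namespace
                Ingress("team-c", ["/bar/qux"])):  # admitted: /bar never declared
        print(req, "->", deny_reason(req, CLUSTER) or "admitted")
```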