Unique Ingress Host

An Ingress host is a URL at which services may be made available externally. In most cases, these hosts should be unique across the cluster to ensure no routing conflicts occur. This policy checks an incoming Ingress resource to ensure its hosts are unique to the cluster.

Policy Definition

/other/restrict_ingress_host.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: unique-ingress-host
  annotations:
    policies.kyverno.io/title: Unique Ingress Host
    policies.kyverno.io/category: Sample
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Ingress
    policies.kyverno.io/minversion: 1.3.2
    policies.kyverno.io/description: >-
      An Ingress host is a URL at which services may be made available externally. In most cases,
      these hosts should be unique across the cluster to ensure no routing conflicts occur.
      This policy checks an incoming Ingress resource to ensure its hosts are unique to the cluster.
spec:
  # audit records violations in policy reports without blocking the request
  validationFailureAction: audit
  background: false
  rules:
    - name: check-host
      match:
        resources:
          kinds:
            - Ingress
      context:
        # Collect every host already declared by Ingress resources in the cluster
        - name: hosts
          apiCall:
            urlPath: "/apis/networking.k8s.io/v1/ingresses"
            jmesPath: "items[].spec.rules[].host"
      preconditions:
        all:
        # Evaluate only when a new Ingress is created
        - key: "{{ request.operation }}"
          operator: Equals
          value: CREATE
        any:
        # Apply the deny only when the requested hosts already exist in the cluster
        - key: "{{ request.object.spec.rules[].host }}"
          operator: In
          value: "{{ hosts }}"
      validate:
        message: "The Ingress host name must be unique."
        deny: {}
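
The comparison this policy makes, reproduced offline as an added example (not part of the Kyverno policy library): the functions below apply the same projection as the `jmesPath` expression to an Ingress list and report which requested hosts are already claimed, and by which Ingress. The sample objects are constructed, and lower-casing hostnames and reporting a conflict when only one of several hosts collides are assumptions of this example rather than behaviour taken from the policy.

```python
"""Offline sketch of the host-uniqueness check (added example, constructed data)."""

def hosts_of(ingress):
    """Equivalent of spec.rules[].host for one Ingress; rules without a host are skipped."""
    rules = (ingress.get("spec") or {}).get("rules") or []
    return [r["host"] for r in rules if r.get("host")]

def existing_hosts(ingress_list):
    """Equivalent of the policy's jmesPath items[].spec.rules[].host,
    also recording which namespace/name declares each host."""
    owners = {}
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        ref = f'{meta.get("namespace", "default")}/{meta.get("name", "?")}'
        for host in hosts_of(item):
            # Assumption: hostnames are compared case-insensitively
            owners.setdefault(host.lower(), []).append(ref)
    return owners

def conflicts(incoming, ingress_list):
    """Return {host: [owners]} for every requested host already in use.
    One colliding host is enough to report, even if the others are new."""
    owners = existing_hosts(ingress_list)
    return {h: owners[h.lower()] for h in hosts_of(incoming) if h.lower() in owners}

# Constructed sample in the shape of GET /apis/networking.k8s.io/v1/ingresses
CLUSTER = {"items": [
    {"metadata": {"namespace": "shop", "name": "web"},
     "spec": {"rules": [{"host": "shop.example.com"}, {"host": "api.example.com"}]}},
    {"metadata": {"namespace": "ops", "name": "catch-all"},
     "spec": {"rules": [{"http": {"paths": []}}]}},            # rule with no host
    {"metadata": {"namespace": "ops", "name": "default-backend"},
     "spec": {"defaultBackend": {"service": {"name": "x"}}}},  # no rules at all
]}

# Constructed incoming Ingress: one new host, one already claimed (different case)
INCOMING = {"metadata": {"namespace": "team-b", "name": "web"},
            "spec": {"rules": [{"host": "new.example.com"},
                               {"host": "API.example.com"}]}}

if __name__ == "__main__":
    for host, refs in conflicts(INCOMING, CLUSTER).items():
        print(f"host {host!r} already used by {', '.join(refs)}")
```

`existing_hosts` also works as an audit over a saved Ingress list: any host whose owner list has more than one entry is already duplicated in the cluster.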