Unique Ingress Path

Just like the need to ensure uniqueness among Ingress hosts, there is a need to have the paths be unique as well. This policy checks an incoming Ingress to ensure its root path does not conflict with another root path in a different Namespace. It requires that incoming Ingress resources have a single rule with a single path only, and it assumes the root path is specified explicitly in an existing Ingress rule (e.g., to block /foo/bar, /foo must exist by itself and not only as part of /foo/baz).

Policy Definition

/other/unique-ingress-paths.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: unique-ingress-path
  annotations:
    policies.kyverno.io/title: Unique Ingress Path
    policies.kyverno.io/category: Sample
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Ingress
    policies.kyverno.io/minversion: 1.3.6
    policies.kyverno.io/description: >-
      Just like the need to ensure uniqueness among Ingress hosts, there is a need to have the paths
      be unique as well. This policy checks an incoming Ingress to ensure its root path does not conflict with another
      root path in a different Namespace. It requires that incoming Ingress resources have a single
      rule with a single path only and assumes the root path is specified explicitly in an
      existing Ingress rule (ex., when blocking /foo/bar /foo must exist by itself and not part of
      /foo/baz).
spec:
  validationFailureAction: audit
  background: false
  rules:
    - name: check-path
      match:
        resources:
          kinds:
            - Ingress
      context:
        # Looks up the Ingress paths across the whole cluster.
        - name: allpaths
          apiCall:
            urlPath: "/apis/networking.k8s.io/v1/ingresses"
            jmesPath: "items[].spec.rules[].http.paths[].path"
        # Looks up the Ingress paths in the same Namespace where the incoming request is targeted.
        - name: nspath
          apiCall:
            urlPath: "/apis/networking.k8s.io/v1/namespaces/{{request.object.metadata.namespace}}/ingresses"
            jmesPath: "items[].spec.rules[].http.paths[].path"
      preconditions:
        - key: "{{request.operation}}"
          operator: Equals
          value: "CREATE"
      validate:
        message: >-
          The root path /{{request.object.spec.rules[].http.paths[].path | to_string(@) | split(@, '/') | [1]}}/ exists
          in another Ingress rule elsewhere in the cluster.
        deny:
          conditions:
            all:
              # Deny if the root path of the request exists somewhere else in the cluster other than the same Namespace.
              - key: /{{request.object.spec.rules[].http.paths[].path | to_string(@) | split(@, '/') | [1]}}/
                operator: In
                value: "{{allpaths}}"
              - key: /{{request.object.spec.rules[].http.paths[].path | to_string(@) | split(@, '/') | [1]}}/
                operator: NotIn
                value: "{{nspath}}"
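To make the decision logic of the policy above concrete, the following added example (not part of the Kyverno policy or project) re-implements it in Python against constructed Ingress objects: it derives the root-path key the same way the JMESPath expression does (render the paths list as JSON, split on `/`, take element 1) and applies the two deny conditions. It assumes `In`/`NotIn` behave as exact string membership and that the `{{request.object.metadata.namespace}}` lookup is equivalent to filtering the cluster list by Namespace.

```python
import json

# Constructed sample Ingress objects shaped like the API responses the policy
# queries (items[].spec.rules[].http.paths[].path). Not real cluster data.
CLUSTER_INGRESSES = [
    {"metadata": {"namespace": "team-a"},
     "spec": {"rules": [{"http": {"paths": [{"path": "/foo/"}]}}]}},
    {"metadata": {"namespace": "team-a"},
     "spec": {"rules": [{"http": {"paths": [{"path": "/zed/qux"}]}}]}},
    {"metadata": {"namespace": "team-b"},
     "spec": {"rules": [{"http": {"paths": [{"path": "/bar/"}]}}]}},
]


def make_ingress(namespace, path):
    """Build a single-rule, single-path Ingress, as the policy requires."""
    return {"metadata": {"namespace": namespace},
            "spec": {"rules": [{"http": {"paths": [{"path": path}]}}]}}


def ingress_paths(ingresses):
    """Equivalent of jmesPath items[].spec.rules[].http.paths[].path."""
    return [p["path"] for ing in ingresses
            for rule in ing["spec"]["rules"]
            for p in rule["http"]["paths"]]


def root_path_key(ingress):
    """Mirror the policy's key expression: paths list -> to_string -> split on '/'
    -> element [1] -> wrapped in slashes. to_string renders the list as JSON, so
    element [0] is '[\"' and element [1] is the first path segment."""
    return "/" + json.dumps(ingress_paths([ingress])).split("/")[1] + "/"


def evaluate(ingress, cluster=CLUSTER_INGRESSES):
    """Return (allowed, message). Deny only when the root key is present in the
    cluster-wide list AND absent from the request's own Namespace, i.e. both
    conditions under deny.conditions.all hold. Membership is modelled as exact
    string match (an assumption about the In/NotIn operators)."""
    ns = ingress["metadata"]["namespace"]
    allpaths = ingress_paths(cluster)
    nspath = ingress_paths([i for i in cluster if i["metadata"]["namespace"] == ns])
    key = root_path_key(ingress)
    if key in allpaths and key not in nspath:
        return False, f"The root path {key} exists in another Ingress rule elsewhere in the cluster."
    return True, ""
```

The `/zed/qux` entry shows the caveat from the description: a request for `/zed/x` in another Namespace is allowed, because the root `/zed/` never exists by itself in the cluster list.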
56