Ingress Host Match TLS

Ingress resources whose rules name a host that is not present in the TLS section can produce routing failures, because the TLS certificate served may not correspond to the destination host. This policy ensures that the host name in an Ingress rule is also found in the list of TLS hosts.

Policy Definition

/other/ingress_host_match_tls/ingress-host-match-tls.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: ingress-host-match-tls
  annotations:
    policies.kyverno.io/title: Ingress Host Match TLS
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.6.0
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.20, 1.21"
    policies.kyverno.io/subject: Ingress
    policies.kyverno.io/description: >-
      Ingress resources which name a host name that is not present
      in the TLS section can produce ingress routing failures as a TLS
      certificate may not correspond to the destination host. This policy
      ensures that the host name in an Ingress rule is also found
      in the list of TLS hosts.
spec:
  background: false
  validationFailureAction: audit
  rules:
  - name: host-match-tls
    match:
      any:
      - resources:
          kinds:
          - Ingress
    preconditions:
      all:
      - key: "{{request.operation || 'BACKGROUND'}}"
        operator: Equals
        value: CREATE
    validate:
      message: "The host(s) in spec.rules[].host must match those in spec.tls[].hosts[]."
      deny:
        conditions:
          all:
          - key: "{{ (request.object.spec.rules[].host || `[]`) | sort(@) }}"
            operator: AllNotIn
            value: "{{ (request.object.spec.tls[].hosts[] || `[]`) | sort(@) }}"
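To see which Ingress objects this deny condition admits and which it rejects, the following Python script (an added example, not part of the Kyverno policy or its page) re-implements the policy's two JMESPath expressions and the AllNotIn comparison over constructed Ingress specs; the function names (`policy_denies`, `make_ingress`) and the example.com hosts are this example's own. Two properties of the policy fall out of the walk-through: because the operator is AllNotIn, the deny fires only when none of the rule hosts appears in spec.tls[].hosts[], so an Ingress that mixes a covered and an uncovered host is admitted; and because the precondition restricts the rule to CREATE with background: false, updates to existing Ingresses are not evaluated.

```python
# Added example (not part of the Kyverno policy or this page): evaluates the
# deny condition of ingress-host-match-tls against constructed Ingress specs.


def rule_hosts(ingress):
    """{{ (request.object.spec.rules[].host || `[]`) | sort(@) }}
    A JMESPath projection drops null results, so rules without a host are skipped."""
    rules = ingress.get("spec", {}).get("rules") or []
    return sorted(rule["host"] for rule in rules if rule.get("host"))


def tls_hosts(ingress):
    """{{ (request.object.spec.tls[].hosts[] || `[]`) | sort(@) }}"""
    tls = ingress.get("spec", {}).get("tls") or []
    return sorted(host for entry in tls for host in (entry.get("hosts") or []))


def all_not_in(key, value):
    """Kyverno's AllNotIn operator: true when no element of key occurs in value."""
    return all(k not in value for k in key)


def policy_denies(ingress, operation="CREATE"):
    """Return True when the policy's single rule would deny the admission request.

    The precondition {{request.operation || 'BACKGROUND'}} Equals CREATE means
    only requests that create an Ingress are evaluated; with background: false,
    resources already in the cluster are never scanned.
    """
    if operation != "CREATE":
        return False
    hosts = rule_hosts(ingress)
    if not hosts:
        # Assumption for this example: an Ingress whose rules carry no host has
        # nothing to compare and is treated as admitted. Kyverno's handling of
        # an empty key under AllNotIn is not verified here.
        return False
    return all_not_in(hosts, tls_hosts(ingress))


def make_ingress(hosts, tls=None):
    """Build a minimal networking.k8s.io/v1 Ingress object (constructed sample data)."""
    spec = {"rules": [{"host": h} for h in hosts]}
    if tls is not None:
        spec["tls"] = [{"hosts": list(tls), "secretName": "example-tls"}]
    return {"apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
            "metadata": {"name": "sample"}, "spec": spec}


# Constructed samples; the example.com hosts are placeholders.
INGRESS_MATCHING = make_ingress(["app.example.com"], ["app.example.com"])
INGRESS_NO_TLS = make_ingress(["app.example.com"])
INGRESS_MISMATCH = make_ingress(["api.example.com"], ["app.example.com"])
INGRESS_MIXED = make_ingress(["api.example.com", "app.example.com"], ["app.example.com"])


if __name__ == "__main__":
    samples = [("matching", INGRESS_MATCHING), ("no-tls", INGRESS_NO_TLS),
               ("mismatch", INGRESS_MISMATCH), ("mixed", INGRESS_MIXED)]
    for name, obj in samples:
        verdict = "DENY" if policy_denies(obj) else "allow"
        print(f"{name:9s} rules={rule_hosts(obj)} tls={tls_hosts(obj)} -> {verdict}")
```

Running the script shows the `no-tls` and `mismatch` samples denied, while `matching` and, because of AllNotIn, `mixed` are allowed. Since validationFailureAction is audit, a real deployment of this policy records a PolicyReport entry for the denied cases rather than blocking the request; switch it to enforce once the audit results look right.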