Restrict Ingress Classes

Ingress classes should only be allowed which match up to deployed Ingress controllers in the cluster. Allowing users to define classes which cannot be satisfied by a deployed Ingress controller can result in either no or undesired functionality. This policy checks Ingress resources and only allows those which define `HAProxy` or `nginx` in the respective annotation. This annotation has largely been replaced as of Kubernetes 1.18 with the IngressClass resource.

Policy Definition

/other/restrict_ingress_classes.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-ingress-classes
  annotations:
    policies.kyverno.io/title: Restrict Ingress Classes
    policies.kyverno.io/category: Sample
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Ingress
    policies.kyverno.io/description: >-
      Ingress classes should only be allowed which match up to deployed Ingress controllers
      in the cluster. Allowing users to define classes which cannot be satisfied by a deployed
      Ingress controller can result in either no or undesired functionality. This policy checks
      Ingress resources and only allows those which define `HAProxy` or `nginx` in the respective
      annotation. This annotation has largely been replaced as of Kubernetes 1.18 with the IngressClass
      resource.
spec:
  rules:
  - name: validate-ingress
    match:
      resources:
        kinds:
        - Ingress
    validate:
      message: "Unknown ingress class."
      pattern:
        metadata:
          annotations:
            kubernetes.io/ingress.class: "HAProxy | nginx"
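To make the pattern semantics concrete, the following is an added Python emulation of the rule (not Kyverno code and not part of this policy; the Ingress manifests it checks are constructed). It shows which annotation values pass the `HAProxy | nginx` alternation, that the match is case-sensitive, and that an Ingress relying only on `spec.ingressClassName` is rejected because the pattern requires the annotation to be present.

```python
from typing import Any, Dict, List, Optional

# Values copied from the restrict-ingress-classes policy above.
ALLOWED_PATTERN = "HAProxy | nginx"   # Kyverno pattern: '|' separates alternatives
DENY_MESSAGE = "Unknown ingress class."
ANNOTATION = "kubernetes.io/ingress.class"


def pattern_alternatives(pattern: str) -> List[str]:
    """Split a Kyverno '|' pattern into its trimmed alternatives."""
    return [alt.strip() for alt in pattern.split("|")]


def validate_ingress(resource: Dict[str, Any]) -> Optional[str]:
    """Return None if the resource passes the rule, else the policy message.

    Modelled Kyverno pattern semantics (wildcards are not modelled): only kind
    Ingress is matched, the annotation must exist (a missing field fails a
    pattern), and the value must equal one alternative exactly, case-sensitively.
    """
    if resource.get("kind") != "Ingress":
        return None                      # rule does not match other kinds
    annotations = resource.get("metadata", {}).get("annotations") or {}
    value = annotations.get(ANNOTATION)
    if value is None or value not in pattern_alternatives(ALLOWED_PATTERN):
        return DENY_MESSAGE
    return None


def make_ingress(name: str, annotation: Optional[str] = None,
                 class_name: Optional[str] = None) -> Dict[str, Any]:
    """Build a minimal constructed Ingress manifest for testing (hypothetical helper)."""
    metadata: Dict[str, Any] = {"name": name}
    if annotation is not None:
        metadata["annotations"] = {ANNOTATION: annotation}
    spec: Dict[str, Any] = {}
    if class_name is not None:
        spec["ingressClassName"] = class_name   # IngressClass-era field, not checked by the policy
    return {"apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
            "metadata": metadata, "spec": spec}


if __name__ == "__main__":
    samples = [                                            # constructed sample input
        make_ingress("web", annotation="nginx"),           # pass
        make_ingress("api", annotation="HAProxy"),         # pass
        make_ingress("legacy", annotation="traefik"),      # no such controller: denied
        make_ingress("lower", annotation="haproxy"),       # case differs: denied
        make_ingress("modern", class_name="nginx"),        # annotation absent: denied
    ]
    for r in samples:
        result = validate_ingress(r)
        print(f"{r['metadata']['name']}: {'pass' if result is None else result}")
```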