Updated on 2024-06-17 GMT+08:00

k8sblockwildcardingress

Basic Information

  • Policy type: compliance
  • Recommended level: L1
  • Effective resource type: Ingress
  • Parameter: None

Function

This policy prohibits configuring a blank or wildcard host name for an Ingress.

Policy Example

The following policy instance shows the resource types to which the policy applies.

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockWildcardIngress
metadata:
  name: block-wildcard-ingress
spec:
  match:
    kinds:
      - apiGroups: ["extensions", "networking.k8s.io"]
        kinds: ["Ingress"]

Resource Definition That Complies with the Policy

The host name configured for the Ingress is neither blank nor a wildcard, so it complies with the policy instance.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: non-wildcard-ingress
spec:
  rules:
  - host: 'myservice.example.com'
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: example
            port:
              number: 80

Resource Definition That Does Not Comply with the Policy

The host name configured for the Ingress is blank (an empty string, or the host field is omitted), which does not comply with the policy instance.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: wildcard-ingress
spec:
  rules:
  - host: ''
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: example
            port:
              number: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: wildcard-ingress
spec:
  rules:
  # Omitted host field counts as a wildcard too
  - http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: example
            port:
              number: 80

The host name configured for the Ingress contains a wildcard (*), which does not comply with the policy instance.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: wildcard-ingress
spec:
  rules:
  - host: '*.example.com'
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: example
            port:
              number: 80
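
The compliant case and the three non-compliant cases above (empty host, omitted host, wildcard host) can be checked locally before a manifest reaches the cluster. The following Python sketch is an added example, not part of the policy or of Gatekeeper. The function names and sample Ingress objects are constructed for illustration, and the input is assumed to be already parsed from JSON or YAML into dictionaries.

```python
# Added illustration: a local check for the non-compliant host cases on this page.
# Not Gatekeeper code; function names and sample data are constructed.

def make_ingress(name, rules):
    """Build a minimal Ingress dict (constructed sample input)."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "Ingress",
        "metadata": {"name": name, "namespace": "default"},
        "spec": {"rules": rules},
    }

HTTP = {"paths": [{"pathType": "Prefix", "path": "/",
                   "backend": {"service": {"name": "example",
                                           "port": {"number": 80}}}}]}

SAMPLE = {"kind": "List", "items": [
    make_ingress("non-wildcard-ingress", [{"host": "myservice.example.com", "http": HTTP}]),
    make_ingress("blank-host", [{"host": "", "http": HTTP}]),
    make_ingress("omitted-host", [{"http": HTTP}]),
    make_ingress("wildcard-host", [{"host": "*.example.com", "http": HTTP},
                                   {"host": "api.example.com", "http": HTTP}]),
]}

def rule_findings(ingress):
    """Return (ingress, rule index, host, reason) for each offending rule."""
    meta = ingress.get("metadata", {})
    name = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    findings = []
    for idx, rule in enumerate(ingress.get("spec", {}).get("rules") or []):
        host = rule.get("host") or ""  # omitted or null host is treated as blank
        if host == "":
            findings.append((name, idx, host, "blank or omitted host"))
        elif "*" in host:
            findings.append((name, idx, host, "wildcard host"))
    return findings

def audit(doc):
    """Accept a single Ingress or a kubectl-style List and collect findings."""
    items = doc.get("items", []) if doc.get("kind") == "List" else [doc]
    findings = []
    for item in items:
        if item.get("kind") == "Ingress":
            findings.extend(rule_findings(item))
    return findings

if __name__ == "__main__":
    for name, idx, host, reason in audit(SAMPLE):
        print(f"{name} rules[{idx}] host={host!r}: {reason}")
```

Each rule is evaluated separately, so an Ingress that mixes a wildcard rule with a fully qualified one is reported only for the offending rule index.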