Comments (9)
chipzoller
commented on June 30, 2024
1
This'll probably do it:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: verify-ingress
spec:
validationFailureAction: Enforce
background: false
rules:
- name: validate-host
match:
any:
- resources:
kinds:
- Ingress
validate:
message: "Hosts must be either *.k8s-prod01.test.internal OR *.example.com"
pattern:
spec:
rules:
- host: "*.k8s-prod01.test.internal | *.example.com"from policies.
chipzoller
commented on June 30, 2024
I'm not understanding from your examples what it is you want to achieve here. Can you explain? Multiple examples also help.
from policies.
RelativeSure
commented on June 30, 2024
I'm not understanding from your examples what it is you want to achieve here. Can you explain? Multiple examples also help.
Sorry, I am not good at explaining things.
We have a customer who has two different domains in one ingress resource.
One of the domains has to have a subdomain with the cluster name and can specify their host under that cluster name subdomain. We need to restrict by having them to use the cluster name as the first subdomain.
The bold text is required with that host.
Example: project-app-nginx.k8s-prod01.test.internal
The other domain is free to use with whatever subdomain. Bold text is required
project-app-nginx.example.com
from policies.
chipzoller
commented on June 30, 2024
Why not use a glob so that all host fields must follow the pattern *.cluster_01.example.com?
from policies.
RelativeSure
commented on June 30, 2024
Sadly that's not possible. It's two different domains with each of them having different requirements. They have to follow these.
k8s-prod01.test.internal
example.com
from policies.
chipzoller
commented on June 30, 2024
Ok, I'm still confused. You're now using different domain examples from what you showed in the initial message. I'm still trying to determine what hosts are "good" and what are "bad". If that's the only deciding factor, perhaps you can give me several examples of good and bad hosts with a short explanation of why.
from policies.
RelativeSure
commented on June 30, 2024
It's just comments about two different domains which has to follow the guideline.
Good:
project-app01.k8s-prod01.test.internal
nginx01.k8s-prod01.test.internal
project-app01.example.com
nginx01.example.com
Bad:
project-app02.test.internal
nginx02.test.internal
from policies.
chipzoller
commented on June 30, 2024
Ok so it looks like a rule should allow hosts to match only *.k8s-prod01.test.internal OR *.example.com. Is that correct?
from policies.
RelativeSure
commented on June 30, 2024
Yes exactly!
I apologize profusely for having a hard time explaining myself and thank you for taking your time understanding.
from policies.
Related Issues (20)
- [Enhancement] Move PSS CEL test resources inside folders HOT 2
- [Sample] policy to check if the metrics server is configured or not HOT 1
- Require imagePullPolicy Always HOT 6
- [Need help] prevent-bare-pod custom to bypass node-shell(nsenter) pod in use node-shell command HOT 3
- [Sample] policy to check if prometheus is configured or not HOT 3
- [Sample] policy to check if the resources of an object are within the upperbound and lowerbound as suggested by vpa recommender HOT 1
- [Enhancement] Improve description of scale deployment to zero policy
- [Chainsaw Tests] Add Chainsaw tests for the sample policies HOT 2
- [Bug] update sample policies to include all container types in a pod
- [Chainsaw tests] Write test for cleanup empty replica sets sample policy HOT 2
- Prepend Image Registry policy should not apply on `UPDATE` for `initContainers` HOT 3
- [Chainsaw Tests] Add Chainsaw tests for the sample policy disallow-proc-mount HOT 2
- Refactoring the chainsaw tests on cert-manager/limit-dnsnames HOT 4
- [Bug] Variable `image` is not accessible in `spec.rules.verifyImages.repository` field
- [Bug] Improve policy other/add-node-affinity/add-node-affinity.yaml
- [Sample] Best Practices for PDBs HOT 5
- Require Unique UID per Workload - Hlem Upgrade Issue HOT 1
- Error from server: error when creating "allowed_container.yaml": admission webhook "validate.kyverno.svc-fail" denied the request: HOT 2
- Add RoleBinding not working for EKS(aws k8s cluster) HOT 7
- Block Stale Images
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from policies.