set original disallow-empty-ingress-host to Audit

Signed-off-by: Chandan-DK <[email protected]>
kyverno · Mar 9, 2024 · 06231b4 · 06231b4
1 parent cc5a3da
commit 06231b4
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 11 deletions.
diff --git a/best-practices-cel/disallow-empty-ingress-host/disallow-empty-ingress-host.yaml b/best-practices-cel/disallow-empty-ingress-host/disallow-empty-ingress-host.yaml
@@ -3,17 +3,18 @@ kind: ClusterPolicy
 metadata:
   name: disallow-empty-ingress-host
   annotations:
-    policies.kyverno.io/title: Disallow empty Ingress host
-    policies.kyverno.io/category: Best Practices
-    policies.kyverno.io/minversion: 1.6.0
+    policies.kyverno.io/title: Disallow empty Ingress host in CEL expressions
+    policies.kyverno.io/category: Best Practices in CEL 
+    policies.kyverno.io/minversion: 1.11.0
+    kyverno.io/kubernetes-version: "1.26-1.27"
     policies.kyverno.io/severity: medium
     policies.kyverno.io/subject: Ingress
     policies.kyverno.io/description: >-
       An ingress resource needs to define an actual host name
       in order to be valid. This policy ensures that there is a
       hostname for each rule defined.
 spec:
-  validationFailureAction: enforce
+  validationFailureAction: Enforce
   background: false
   rules:
     - name: disallow-empty-ingress-host
@@ -23,10 +24,10 @@ spec:
             kinds:
               - Ingress
       validate:
-        message: "The Ingress host name must be defined, not empty."
-        deny:
-          conditions:
-            all:
-            - key: "{{ request.object.spec.rules[].host || `[]` | length(@) }}"
-              operator: NotEquals
-              value: "{{ request.object.spec.rules[].http || `[]` | length(@) }}"
+        cel:
+          expressions:
+            - expression: >-
+                !has(object.spec.rules) || 
+                object.spec.rules.all(rule, has(rule.host) && has(rule.http))
+              message: "The Ingress host name must be defined, not empty."
+        
diff --git a/best-practices/disallow-empty-ingress-host/.chainsaw-test/chainsaw-test.yaml b/best-practices/disallow-empty-ingress-host/.chainsaw-test/chainsaw-test.yaml
@@ -10,6 +10,14 @@ spec:
     try:
     - apply:
         file: ../disallow-empty-ingress-host.yaml
+    - patch:
+        resource:
+          apiVersion: kyverno.io/v1
+          kind: ClusterPolicy
+          metadata:
+            name: disallow-empty-ingress-host
+          spec:
+            validationFailureAction: Enforce
     - assert:
         file: policy-ready.yaml
   - name: step-02