copy disallow-empty-ingress-host

Signed-off-by: Chandan-DK <[email protected]>

best-practices-cel/disallow-empty-ingress-host/.chainsaw-test/chainsaw-test.yaml

@@ -0,0 +1,33 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: disallow-empty-ingress-host
+spec:
+  steps:
+  - name: step-01
+    try:
+    - apply:
+        file: ../disallow-empty-ingress-host.yaml
+    - assert:
+        file: policy-ready.yaml
+  - name: step-02
+    try:
+    - apply:
+        file: good-ingress.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: no-host-ingress.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: no-host-fail-first.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: no-host-success-first.yaml

best-practices-cel/disallow-empty-ingress-host/.chainsaw-test/good-ingress.yaml

@@ -0,0 +1,26 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: ingress-wildcard-host
+spec:
+  rules:
+  - host: "foo.bar.com"
+    http:
+      paths:
+      - pathType: Prefix
+        path: "/bar"
+        backend:
+          service:
+            name: service1
+            port:
+              number: 80
+  - host: "*.foo.com"
+    http:
+      paths:
+      - pathType: Prefix
+        path: "/foo"
+        backend:
+          service:
+            name: service2
+            port:
+              number: 80

best-practices-cel/disallow-empty-ingress-host/.chainsaw-test/no-host-fail-first.yaml

@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: ingress-host
+spec:
+  rules:
+  - http:
+      paths:
+      - pathType: Prefix
+        path: "/bar"
+        backend:
+          service:
+            name: service1
+            port:
+              number: 80
+  - host: "bar.foo.com"
+    http:
+      paths:
+      - pathType: Prefix
+        path: "/foo"
+        backend:
+          service:
+            name: service2
+            port:
+              number: 80

best-practices-cel/disallow-empty-ingress-host/.chainsaw-test/no-host-ingress.yaml

@@ -0,0 +1,17 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: minimal-ingress
+  annotations:
+    nginx.ingress.kubernetes.io/rewrite-target: /
+spec:
+  rules:
+  - http:
+      paths:
+      - path: /testpath
+        pathType: Prefix
+        backend:
+          service:
+            name: test
+            port:
+              number: 80

best-practices-cel/disallow-empty-ingress-host/.chainsaw-test/no-host-success-first.yaml

@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: ingress-host
+spec:
+  rules:
+  - host: "bar.foo.com"
+    http:
+      paths:
+      - pathType: Prefix
+        path: "/bar"
+        backend:
+          service:
+            name: service1
+            port:
+              number: 80
+  - http:
+      paths:
+      - pathType: Prefix
+        path: "/foo"
+        backend:
+          service:
+            name: service2
+            port:
+              number: 80

best-practices-cel/disallow-empty-ingress-host/.chainsaw-test/policy-ready.yaml

@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: disallow-empty-ingress-host
+status:
+  ready: true

best-practices-cel/disallow-empty-ingress-host/.kyverno-test/kyverno-test.yaml

@@ -0,0 +1,21 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: disallow-empty-ingress-host
+policies:
+- ../disallow-empty-ingress-host.yaml
+resources:
+- resource.yaml
+results:
+- kind: Ingress
+  policy: disallow-empty-ingress-host
+  resources:
+  - minimal-ingress
+  result: fail
+  rule: disallow-empty-ingress-host
+- kind: Ingress
+  policy: disallow-empty-ingress-host
+  resources:
+  - ingress-wildcard-host
+  result: pass
+  rule: disallow-empty-ingress-host

best-practices-cel/disallow-empty-ingress-host/.kyverno-test/resource.yaml

@@ -0,0 +1,44 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: ingress-wildcard-host
+spec:
+  rules:
+  - host: "foo.bar.com"
+    http:
+      paths:
+      - pathType: Prefix
+        path: "/bar"
+        backend:
+          service:
+            name: service1
+            port:
+              number: 80
+  - host: "*.foo.com"
+    http:
+      paths:
+      - pathType: Prefix
+        path: "/foo"
+        backend:
+          service:
+            name: service2
+            port:
+              number: 80
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: minimal-ingress
+  annotations:
+    nginx.ingress.kubernetes.io/rewrite-target: /
+spec:
+  rules:
+  - http:
+      paths:
+      - path: /testpath
+        pathType: Prefix
+        backend:
+          service:
+            name: test
+            port:
+              number: 80

best-practices-cel/disallow-empty-ingress-host/artifacthub-pkg.yml

@@ -0,0 +1,21 @@
+name: disallow-empty-ingress-host
+version: 1.0.0
+displayName: Disallow empty Ingress host
+createdAt: "2023-04-10T19:47:15.000Z"
+description: >-
+  An ingress resource needs to define an actual host name in order to be valid. This policy ensures that there is a hostname for each rule defined.
+install: |-
+  ```shell
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/best-practices/disallow-empty-ingress-host/disallow-empty-ingress-host.yaml
+  ```
+keywords:
+  - kyverno
+  - Best Practices
+readme: |
+  An ingress resource needs to define an actual host name in order to be valid. This policy ensures that there is a hostname for each rule defined.
+  
+  Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+  kyverno/category: "Best Practices"
+  kyverno/subject: "Ingress"
+digest: f9e70cf095e2d69a9586d7b8071975006e76aa715e5c978d37761c03ac6fc7fd

best-practices-cel/disallow-empty-ingress-host/disallow-empty-ingress-host.yaml

@@ -0,0 +1,32 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: disallow-empty-ingress-host
+  annotations:
+    policies.kyverno.io/title: Disallow empty Ingress host
+    policies.kyverno.io/category: Best Practices
+    policies.kyverno.io/minversion: 1.6.0
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Ingress
+    policies.kyverno.io/description: >-
+      An ingress resource needs to define an actual host name
+      in order to be valid. This policy ensures that there is a
+      hostname for each rule defined.
+spec:
+  validationFailureAction: enforce
+  background: false
+  rules:
+    - name: disallow-empty-ingress-host
+      match:
+        any:
+        - resources:
+            kinds:
+              - Ingress
+      validate:
+        message: "The Ingress host name must be defined, not empty."
+        deny:
+          conditions:
+            all:
+            - key: "{{ request.object.spec.rules[].host || `[]` | length(@) }}"
+              operator: NotEquals
+              value: "{{ request.object.spec.rules[].http || `[]` | length(@) }}"