# ConstraintTemplate that rejects an Ingress whose host is already claimed by
# another Ingress anywhere in the cluster (any namespace, either API group).
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8suniqueingresshost
  annotations:
    description: Requires all Ingress hosts to be unique.
spec:
  crd:
    spec:
      names:
        # Kind of the Constraint object users create to enable this template.
        kind: K8sUniqueIngressHost
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8suniqueingresshost

        # True when the cached object and the object under review are the same
        # Ingress (same namespace and name). Used below so that an update to an
        # Ingress is not reported as a conflict with its own cached copy.
        identical(obj, review) {
          obj.metadata.namespace == review.object.metadata.namespace
          obj.metadata.name == review.object.metadata.name
        }

        # Emits one violation per (host, conflicting cached Ingress) pair.
        #
        # NOTE(review): `data.inventory` only contains resources that Gatekeeper's
        # sync configuration replicates into the cache. If Ingress objects from
        # both the `extensions` and `networking.k8s.io` groups are not synced,
        # the lookup below yields nothing and every host is silently allowed —
        # the constraint then gives no protection. Confirm the sync config.
        #
        # Only exact host equality is compared: a wildcard host such as
        # `*.example.com` is not matched against `foo.example.com`, and rules
        # without a `host` field are never compared at all.
        violation[{"msg": msg}] {
          # Only Ingress objects from the two known API groups are evaluated.
          input.review.kind.kind == "Ingress"
          regex.match("^(extensions|networking.k8s.io)$", input.review.kind.group)
          # `host` iterates over every rule host of the Ingress under review.
          host := input.review.object.spec.rules[_].host
          # `other` iterates over every cached Ingress in any namespace;
          # `otherapiversion` and `name` are bound from the inventory keys.
          other := data.inventory.namespace[_][otherapiversion]["Ingress"][name]
          regex.match("^(extensions|networking.k8s.io)/.+$", otherapiversion)
          # Conflict: some rule of the cached Ingress uses the same host.
          other.spec.rules[_].host == host
          # Skip the reviewed object's own cached copy (e.g. on UPDATE).
          not identical(other, input.review)
          msg := sprintf("ingress host conflicts with an existing ingress <%v>", [host])
        }