https://github.com/kubewarden/ingress-policy

Policy to enforce requirements on Kubernetes Ingress resources.
https://github.com/kubewarden/ingress-policy

hacktoberfest ingress ingresses-resources kubernetes kubernetes-security kubewarden-policy policy-as-code webassembly

Last synced: 6 months ago
JSON representation

Policy to enforce requirements on Kubernetes Ingress resources.

• Host: GitHub
• URL: https://github.com/kubewarden/ingress-policy
• Owner: kubewarden
• License: apache-2.0
• Created: 2021-03-18T11:33:17.000Z (over 4 years ago)
• Default Branch: main
• Last Pushed: 2024-12-09T10:41:11.000Z (6 months ago)
• Last Synced: 2024-12-09T11:37:15.751Z (6 months ago)
• Topics: hacktoberfest, ingress, ingresses-resources, kubernetes, kubernetes-security, kubewarden-policy, policy-as-code, webassembly
• Language: Go
• Homepage: https://kubewarden.io
• Size: 1.18 MB
• Stars: 4
• Watchers: 7
• Forks: 3
• Open Issues: 1
• Metadata Files:
  • Readme: README.md
  • License: LICENSE
  • Codeowners: CODEOWNERS

Awesome Lists containing this project

README

        
[![Kubewarden Policy Repository](https://github.com/kubewarden/community/blob/main/badges/kubewarden-policies.svg)](https://github.com/kubewarden/community/blob/main/REPOSITORIES.md#policy-scope)

[![Stable](https://img.shields.io/badge/status-stable-brightgreen?style=for-the-badge)](https://github.com/kubewarden/community/blob/main/REPOSITORIES.md#stable)

Kubewarden policy that allows to restrict ingress resources.

# What the policy allows to restrict

The policy configuration allows to set several properties:

* `requireTLS`: `boolean`

  * Whether the `spec` for ingresses resources has to include a `tls`

    attribute that include all hosts defined in the `.spec.rules`

    attribute of the ingress resource. If any of the hosts defined in

    `.spec.rules` is not listed inside `spec.tls` the policy will

    reject the ingress resource.

* `allowPorts`: `[]`

  * List of allowed ports inside

    `.spec.rules.paths.backend.service.port`. If this array contains

    at least one port, any other port will be rejected.

* `denyPorts`: `[]`

  * List of denied ports inside

    `.spec.rules.paths.backend.service.port`. If any port matches a

    port on this array, the ingress resource will be rejected,

    otherwise it will be accepted.

If `allowPorts` and `denyPorts` are provided together (and are not

empty), `denyPorts` is prioritized.

## Examples

* Require TLS for all hosts provided in ingress:

```json

{

  "requireTLS": true

}

```

* Require TLS for all hosts provided in ingress, and disallow port 80:

```json

{

  "requireTLS": true,

  "denyPorts": [80]

}

```

* Require TLS for all hosts provided in ingress, and only allow port

  443:

```json

{

  "requireTLS": true,

  "allowPorts": [443]

}

```