Only use approved domain names in the Ingress hostnames
garethahealy opened this issue · 3 comments
garethahealy commented
Parent: #23
Suggestion: https://learnk8s.io/production-best-practices#application-development
Solved By: TODO
garethahealy commented
I'd expect the policy to be similar to:
jtudelag commented
Something like this?

```rego
package kubernetes.admission

deny[msg] {
    input.request.kind.kind == "Route"
    hostname := input.request.object.spec.hostname
    not startswith(hostname, "example.com")
    msg := sprintf("hostname not valid BLA BLA BLA %v", [hostname])
}
```
garethahealy commented
@jtudelag; yes, the core bits look correct, i.e. `not startswith`.
But have a look at the example, as the policies wouldn't explicitly use `kubernetes.admission` - there might be a use case for that, but not seen one yet.
So your policy, updated with the helpers, would be:
```rego
violation[msg] {
    openshift.is_route
    obj := konstraint.object
    not startswith(obj.spec.hostname, "example.com")
    # Three placeholders to match the three arguments passed to sprintf.
    msg := konstraint.format(sprintf("%s/%s: hostname %s is not valid", [obj.kind, obj.metadata.name, obj.spec.hostname]))
}
```
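An added example, not part of the thread or of the project's policies: a stand-alone Rego sketch of the approved-domain check for Ingress objects that matches each host on a DNS label boundary (exact match or a `.`-prefixed suffix), so that look-alike hosts such as `example.com.other.test` or `notexample.com` are rejected. It uses the same pre-1.0 Rego syntax as the snippets above; the package name, the `approved_domains` set, the `sample` helper and the test hostnames are assumptions constructed for illustration.

```rego
package ingress_hostnames_example # hypothetical package name

# Assumption: the set of approved parent domains (not taken from the issue).
approved_domains := {"example.com"}

# Approved when the host is exactly an approved domain ...
hostname_approved(hostname) {
    h := lower(hostname)
    approved_domains[h]
}

# ... or a subdomain of one, matched on a label boundary (".example.com").
hostname_approved(hostname) {
    some domain
    approved_domains[domain]
    suffix := concat("", [".", domain])
    endswith(lower(hostname), suffix)
}

deny[msg] {
    input.request.kind.kind == "Ingress"
    host := input.request.object.spec.rules[_].host
    not hostname_approved(host)
    name := input.request.object.metadata.name
    msg := sprintf("Ingress %v: host %q is not under an approved domain", [name, host])
}

# Constructed AdmissionReview fragment used only by the tests below.
sample(host) = {"request": {
    "kind": {"kind": "Ingress"},
    "object": {"metadata": {"name": "web"}, "spec": {"rules": [{"host": host}]}},
}}

test_subdomain_allowed {
    req := sample("app.example.com")
    count(deny) == 0 with input as req
}

test_prefix_lookalike_denied {
    req := sample("example.com.other.test")
    count(deny) == 1 with input as req
}

test_suffix_lookalike_denied {
    req := sample("notexample.com")
    count(deny) == 1 with input as req
}
```

The `test_` rules can be run with `opa test` on an OPA release that still accepts pre-1.0 syntax.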