Only use approved domain names in the Ingress hostnames

[garethahealy]

Parent: #23
Suggestion: https://learnk8s.io/production-best-practices#application-development
Solved By: TODO

[garethahealy]

I'd expect the policy to be similar to:

• https://github.com/redhat-cop/rego-policies/blob/1.0.0/policy/ocp/bestpractices/container-image-latest/src.rego

[jtudelag]

sth like this?

package kubernetes.admission

deny[msg] {
  input.request.kind.kind == “Route”
  hostname := input.request.object.spec.hostname
  not startswith(hostname, “example.com”)
  msg := sprintf(“hostname not valid BLA BLA BLA %v”, [hostname]) 
}

[garethahealy]

@jtudelag ; yes, the core bits look correct, i.e.: not startswith.

But, have a look at the example, as the policies wouldn't explicitly use kubernetes.admission - there might be a use-case for that, but not seen one yet.

• https://github.com/redhat-cop/rego-policies/blob/1.0.0/policy/ocp/bestpractices/container-image-latest/src.rego

So your policy updated with the helpers, it would be:

violation[msg] {
  openshift.is_route

  obj := konstraint.object
  not startswith(obj.spec.hostname, “example.com”)

  msg := konstraint.format(sprintf("%s/%s: hostname is not valid", [obj.kind, obj.metadata.name, obj.spec.hostname]))
}