Back to Policies

Disallow Localhost ExternalName Services in CEL expressions

A Service of type ExternalName which points back to localhost can potentially be used to exploit vulnerabilities in some Ingress controllers. This policy audits Services of type ExternalName if the externalName field refers to localhost.

View on GitHub

Policy Definition 

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: no-localhost-service
  annotations:
    policies.kyverno.io/title: Disallow Localhost ExternalName Services in CEL expressions
    policies.kyverno.io/category: Sample in CEL
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Service
    policies.kyverno.io/minversion: 1.11.0
    kyverno.io/kubernetes-version: 1.26-1.27
    policies.kyverno.io/description: A Service of type ExternalName which points back to localhost can potentially be used to exploit vulnerabilities in some Ingress controllers. This policy audits Services of type ExternalName if the externalName field refers to localhost.
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: no-localhost-service
      match:
        any:
          - resources:
              kinds:
                - Service
              operations:
                - CREATE
                - UPDATE
      validate:
        cel:
          expressions:
            - expression: object.spec.type != 'ExternalName' || object.spec.externalName != 'localhost'
              message: Service of type ExternalName cannot point to localhost.

Related Policies

ValidateMedium

Prevent Use of Default Project

This policy prevents the use of the default project in an Application.

Application
ValidateMedium

Prevent Use of Default Project in CEL expressions

This policy prevents the use of the default project in an Application.

Application
ValidateMedium

Prevent Updates to Project

This policy prevents updates to the project field after an Application is created.

Application