Restrict Ingress defaultBackend in ValidatingPolicy

An Ingress with no rules sends all traffic to a single default backend. The defaultBackend is conventionally a configuration option of the Ingress controller and is not specified in your Ingress resources. If none of the hosts or paths in the Ingress objects match the HTTP request, the traffic is routed to your default backend. In a multi-tenant environment, you want users to use explicit hosts; they should not be able to override the global default backend service. This policy prohibits the use of the defaultBackend field.

Policy Definition

/other-vpol/restrict-ingress-defaultbackend/restrict-ingress-defaultbackend.yaml

apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
  name: restrict-ingress-defaultbackend
  annotations:
    policies.kyverno.io/title: Restrict Ingress defaultBackend in ValidatingPolicy
    policies.kyverno.io/category: Best Practices in vpol
    policies.kyverno.io/severity: high
    kyverno.io/kyverno-version: 1.14.0
    policies.kyverno.io/minversion: 1.14.0
    kyverno.io/kubernetes-version: "1.30"
    policies.kyverno.io/subject: Ingress
    policies.kyverno.io/description: >-
      An Ingress with no rules sends all traffic to a single default backend. The defaultBackend
      is conventionally a configuration option of the Ingress controller and is not specified in
      your Ingress resources. If none of the hosts or paths match the HTTP request in the Ingress
      objects, the traffic is routed to your default backend. In a multi-tenant environment, you
      want users to use explicit hosts, they should not be able to overwrite the global default backend
      service. This policy prohibits the use of the defaultBackend field.
spec:
  validationActions:
    - Audit
  evaluation:
    background:
      enabled: true
  matchConstraints:
    resourceRules:
      - apiGroups: ["networking.k8s.io"]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["ingresses"]
  validations:
    - expression: "!has(object.spec.defaultBackend)"
      message: Setting the defaultBackend field is prohibited.
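To show what the CEL expression above accepts and rejects, here are three sample Ingress resources constructed for this page (they are not part of the Kyverno policy library); the resource names and the service name "web" are placeholders.

```yaml
# Constructed sample Ingress resources for the policy above (not from the
# kyverno/policies repository); names and the service "web" are placeholders.
# 1) Reported: no rules, so every request goes to a tenant-chosen backend.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: catch-all
spec:
  defaultBackend:
    service: {name: web, port: {number: 80}}
---
# 2) Reported: the expression "!has(object.spec.defaultBackend)" tests only
#    presence, so explicit host rules do not excuse a per-Ingress fallback.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web-with-fallback
spec:
  defaultBackend:
    service: {name: web, port: {number: 80}}
  rules:
    - host: a.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service: {name: web, port: {number: 80}}
---
# 3) Passes: explicit host only; unmatched requests fall through to the
#    controller-level default backend that the cluster operator configured.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web
spec:
  rules:
    - host: a.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service: {name: web, port: {number: 80}}
```

With validationActions set to Audit as in the policy above, the first two resources are recorded as failures in the policy report rather than rejected; change the action to Deny to block them at admission.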