---
# Kyverno ClusterPolicy: checks that every Ingress carries the
# `kubernetes.io/ingress.class` annotation with one of the allowed values.
# Edit the allow-list in the pattern below to match the ingress classes
# configured in the cluster.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-ingress-classes
  annotations:
    policies.kyverno.io/category: 'Workload Management'
    policies.kyverno.io/description: >-
      It can be useful to restrict Ingress resources to a set of known
      ingress classes that are allowed in the cluster. You can customize
      this policy to allow ingress classes that are configured in the
      cluster.
spec:
  # Audit records violations in policy reports but still admits the
  # resource; nothing is blocked until this is set to Enforce.
  validationFailureAction: 'Audit'
  # Evaluate the rule on admission requests and in background scans of
  # resources that already exist.
  admission: true
  background: true
  rules:
    - name: 'validate-ingress'
      match:
        any:
          - resources:
              kinds:
                - 'Ingress'
      validate:
        message: 'Unknown ingress class'
        pattern:
          metadata:
            annotations:
              # `|` is a logical OR: the annotation must exist and equal
              # F5 or nginx.
              # NOTE(review): only the annotation is inspected;
              # `spec.ingressClassName` is not compared with this
              # allow-list. Confirm which of the two the cluster's
              # ingress controllers act on.
              kubernetes.io/ingress.class: 'F5 | nginx'