
"Kubernetes clusters should be accessible only over HTTPS" triggers false positive for Nginx mergeable ingress resource. #1427

Open
Binghankina opened this issue Feb 25, 2025 · 0 comments


Details of the scenario you tried and the problem that is occurring

False positive on policy "Kubernetes clusters should be accessible only over HTTPS" for Nginx mergeable ingress resources. The mergeable ingress resource has a master type with spec.tls configuration and a minion type without spec.tls.
Detailed spec for mergeable ingress types. https://github.com/nginx/kubernetes-ingress/tree/v3.3.2/examples/ingress-resources/mergeable-ingress-types

- apiVersion: networking.k8s.io/v1
  kind: Ingress
  metadata:
    annotations:
      nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
      nginx.org/mergeable-ingress-type: master
    name: ingress-master
    namespace: application
  spec:
    ingressClassName: nginx
    rules:
    - host: www.example.com
    tls:
    - hosts:
      - www.example.com
      secretName: exampleTls
- apiVersion: networking.k8s.io/v1
  kind: Ingress
  metadata:
    annotations:
      nginx.org/mergeable-ingress-type: minion
    name: ingress-A
    namespace: application
  spec:
    ingressClassName: nginx
    rules:
    - host: www.example.com
      http:
        paths:
        - backend:
            service:
              name: serviceA
              port:
                number: 8083
          path: /serviceA
          pathType: Prefix

Verbose logs showing the problem

error: ingresses.networking.k8s.io "handbook" could not be patched: admission webhook "validation.gatekeeper.sh" denied the request: [azurepolicy-k8sazurev1ingresshttpsonly-51db6f58fe78f0936166] Ingress should allow https only. tls configuration and annotation nginx.ingress.kubernetes.io/force-ssl-redirect=true are required for handbook

Suggested solution to the issue

The policy code should check whether it contains the nginx.org/mergeable-ingress-type annotation. If it is a minion, the policy should not block the resource deployment.
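The check the issue asks for, modelled in Python as an added example rather than the Azure policy's own Rego: a per-object "HTTPS only" test that skips minions, plus a stricter cross-object test that confirms every minion host is actually covered by a TLS-bearing master in the same namespace. The sample ingress objects are constructed from the two resources in the report plus one plain HTTP ingress and one orphan minion; the function names and the message wording are this example's, not the policy's.

```python
"""Model of an "Ingress should allow https only" check with a mergeable-ingress
exemption. Added example; not the Azure policy / Gatekeeper template itself."""

FORCE_SSL = "nginx.ingress.kubernetes.io/force-ssl-redirect"
MERGEABLE = "nginx.org/mergeable-ingress-type"


def _meta(ing):
    return ing.get("metadata") or {}


def _annotations(ing):
    return _meta(ing).get("annotations") or {}


def _rule_hosts(ing):
    rules = (ing.get("spec") or {}).get("rules") or []
    return [r["host"] for r in rules if r.get("host")]


def _tls_hosts(ing):
    hosts = set()
    for entry in (ing.get("spec") or {}).get("tls") or []:
        hosts.update(entry.get("hosts") or [])
    return hosts


def check_https_only(ing):
    """Per-object check, as the issue proposes: return a violation message or None.
    A minion carries no spec.tls by design, so it is exempted here."""
    ann = _annotations(ing)
    name = _meta(ing).get("name", "<unnamed>")
    if ann.get(MERGEABLE) == "minion":
        return None
    if not _tls_hosts(ing) or ann.get(FORCE_SSL) != "true":
        return (f"Ingress should allow https only. tls configuration and annotation "
                f"{FORCE_SSL}=true are required for {name}")
    return None


def check_minions_have_tls_master(ingresses):
    """Stricter cross-object check: every host a minion routes must appear in
    spec.tls of a master in the same namespace. Returns a list of problems."""
    covered = {}  # namespace -> set of hosts that some master serves over TLS
    for ing in ingresses:
        if _annotations(ing).get(MERGEABLE) == "master":
            ns = _meta(ing).get("namespace", "default")
            covered.setdefault(ns, set()).update(_tls_hosts(ing))
    problems = []
    for ing in ingresses:
        if _annotations(ing).get(MERGEABLE) != "minion":
            continue
        ns = _meta(ing).get("namespace", "default")
        name = _meta(ing).get("name", "<unnamed>")
        for host in _rule_hosts(ing):
            if host not in covered.get(ns, set()):
                problems.append(f"minion {name}: host {host} has no TLS master in namespace {ns}")
    return problems


# Constructed sample objects (dict form of the YAML in the report).
MASTER = {
    "metadata": {"name": "ingress-master", "namespace": "application",
                 "annotations": {FORCE_SSL: "true", MERGEABLE: "master"}},
    "spec": {"ingressClassName": "nginx",
             "rules": [{"host": "www.example.com"}],
             "tls": [{"hosts": ["www.example.com"], "secretName": "exampleTls"}]},
}
MINION = {
    "metadata": {"name": "ingress-A", "namespace": "application",
                 "annotations": {MERGEABLE: "minion"}},
    "spec": {"ingressClassName": "nginx",
             "rules": [{"host": "www.example.com",
                        "http": {"paths": [{"path": "/serviceA", "pathType": "Prefix",
                                            "backend": {"service": {"name": "serviceA",
                                                                    "port": {"number": 8083}}}}]}}]},
}
# Constructed: an ordinary ingress with no TLS, which the policy should still deny.
PLAIN_HTTP = {"metadata": {"name": "plain-http", "namespace": "application"},
              "spec": {"rules": [{"host": "plain.example.com"}]}}
# Constructed: a minion for a host no master covers with TLS.
ORPHAN_MINION = {"metadata": {"name": "ingress-orphan", "namespace": "application",
                              "annotations": {MERGEABLE: "minion"}},
                 "spec": {"rules": [{"host": "other.example.com"}]}}

if __name__ == "__main__":
    for ing in (MASTER, MINION, PLAIN_HTTP):
        print(_meta(ing)["name"], "->", check_https_only(ing) or "ok")
    print(check_minions_have_tls_master([MASTER, MINION, ORPHAN_MINION]))
```

The per-object exemption alone trusts the annotation: anyone allowed to create Ingress objects in the namespace can label one a minion. In a Gatekeeper template the cross-object variant needs Ingress synced into `data.inventory`, but it is the form that keeps the policy's intent, since a minion is only safe when its master really terminates TLS for that host.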
