The ability to specify a custom host name is governed by the "custom-host" permission, which is granted by default to all project administrators[1]. *It is possible for the cluster administrator to revoke this permission*. Then, the OpenShift API admission checks *should* prohibit project administrators from setting a custom host name on ingress and route objects. The problem is that *the admission checks do not enforce this prohibition* for ingress objects under some circumstances.