Skip to search

CertificateRequestPolicy

policy.cert-manager.io / v1alpha1

apiVersion: policy.cert-manager.io/v1alpha1 kind: CertificateRequestPolicy metadata: name: example
View raw schema
apiVersion string
APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
kind string
Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
metadata object
spec object required
CertificateRequestPolicySpec defines the desired state of CertificateRequestPolicy.
allowed object
Allowed defines the allowed attributes for a CertificateRequest. A CertificateRequest can request _less_ than what is allowed, but _not more_, i.e. a CertificateRequest can request a subset of what is declared as allowed by the policy. Omitted fields declare that the equivalent CertificateRequest field _must_ be omitted or have an empty value for the request to be permitted.
commonName object
CommonName defines the X.509 Common Name that may be requested.
required boolean
Required marks that the related field must be provided and not be an empty string. Defaults to `false`.
validations []object
Validations applies rules using Common Expression Language (CEL) to validate attribute value present on request beyond what is possible to express using value/required. An attribute value on the related CertificateRequest field must pass ALL validations for the request to be granted by this policy.
message string
Message is the message to display when validation fails. Message is required if the Rule contains line breaks. Note that Message must not contain line breaks. If unset, a fallback message is used: "failed rule: `<rule>`". e.g. "must be a URL with the host matching spec.host"
rule string required
Rule represents the expression which will be evaluated by CEL. ref: https://github.com/google/cel-spec The Rule is scoped to the location of the validations in the schema. The `self` variable in the CEL expression is bound to the scoped value. To enable more advanced validation rules, approver-policy provides the `cr` (map) variable to the CEL expression containing `namespace` and `name` of the `CertificateRequest` resource. Example (rule for namespaced DNSNames): ``` rule: self.endsWith(cr.namespace + '.svc.cluster.local') ```
value string
Value defines the allowed attribute value on the related CertificateRequest field. Accepts wildcards "*". If set, the related field must match the specified pattern. NOTE:`value: ""` paired with `required: true` establishes a policy that will never grant a `CertificateRequest`, but other policies may.
dnsNames object
DNSNames defines the X.509 DNS SANs that may be requested.
required boolean
Required controls whether the related field must have at least one value. Defaults to `false`.
validations []object
Validations applies rules using Common Expression Language (CEL) to validate attribute values present on request beyond what is possible to express using values/required. ALL attribute values on the related CertificateRequest field must pass ALL validations for the request to be granted by this policy.
message string
Message is the message to display when validation fails. Message is required if the Rule contains line breaks. Note that Message must not contain line breaks. If unset, a fallback message is used: "failed rule: `<rule>`". e.g. "must be a URL with the host matching spec.host"
rule string required
Rule represents the expression which will be evaluated by CEL. ref: https://github.com/google/cel-spec The Rule is scoped to the location of the validations in the schema. The `self` variable in the CEL expression is bound to the scoped value. To enable more advanced validation rules, approver-policy provides the `cr` (map) variable to the CEL expression containing `namespace` and `name` of the `CertificateRequest` resource. Example (rule for namespaced DNSNames): ``` rule: self.endsWith(cr.namespace + '.svc.cluster.local') ```
values []string
Values defines allowed attribute values on the related CertificateRequest field. Accepts wildcards "*". If set, the related field can only include items contained in the allowed values. NOTE:`values: []` paired with `required: true` establishes a policy that will never grant a `CertificateRequest`, but other policies may.
emailAddresses object
EmailAddresses defines the X.509 Email SANs that may be requested.
required boolean
Required controls whether the related field must have at least one value. Defaults to `false`.
validations []object
Validations applies rules using Common Expression Language (CEL) to validate attribute values present on request beyond what is possible to express using values/required. ALL attribute values on the related CertificateRequest field must pass ALL validations for the request to be granted by this policy.
message string
Message is the message to display when validation fails. Message is required if the Rule contains line breaks. Note that Message must not contain line breaks. If unset, a fallback message is used: "failed rule: `<rule>`". e.g. "must be a URL with the host matching spec.host"
rule string required
Rule represents the expression which will be evaluated by CEL. ref: https://github.com/google/cel-spec The Rule is scoped to the location of the validations in the schema. The `self` variable in the CEL expression is bound to the scoped value. To enable more advanced validation rules, approver-policy provides the `cr` (map) variable to the CEL expression containing `namespace` and `name` of the `CertificateRequest` resource. Example (rule for namespaced DNSNames): ``` rule: self.endsWith(cr.namespace + '.svc.cluster.local') ```
values []string
Values defines allowed attribute values on the related CertificateRequest field. Accepts wildcards "*". If set, the related field can only include items contained in the allowed values. NOTE:`values: []` paired with `required: true` establishes a policy that will never grant a `CertificateRequest`, but other policies may.
ipAddresses object
IPAddresses defines the X.509 IP SANs that may be requested.
required boolean
Required controls whether the related field must have at least one value. Defaults to `false`.
validations []object
Validations applies rules using Common Expression Language (CEL) to validate attribute values present on request beyond what is possible to express using values/required. ALL attribute values on the related CertificateRequest field must pass ALL validations for the request to be granted by this policy.
message string
Message is the message to display when validation fails. Message is required if the Rule contains line breaks. Note that Message must not contain line breaks. If unset, a fallback message is used: "failed rule: `<rule>`". e.g. "must be a URL with the host matching spec.host"
rule string required
Rule represents the expression which will be evaluated by CEL. ref: https://github.com/google/cel-spec The Rule is scoped to the location of the validations in the schema. The `self` variable in the CEL expression is bound to the scoped value. To enable more advanced validation rules, approver-policy provides the `cr` (map) variable to the CEL expression containing `namespace` and `name` of the `CertificateRequest` resource. Example (rule for namespaced DNSNames): ``` rule: self.endsWith(cr.namespace + '.svc.cluster.local') ```
values []string
Values defines allowed attribute values on the related CertificateRequest field. Accepts wildcards "*". If set, the related field can only include items contained in the allowed values. NOTE:`values: []` paired with `required: true` establishes a policy that will never grant a `CertificateRequest`, but other policies may.
isCA boolean
IsCA defines if a CertificateRequest is allowed to set the `spec.isCA` field set to `true`. If `true`, the `spec.isCA` field can be `true` or `false`. If `false` or unset, the `spec.isCA` field must be `false`.
subject object
Subject declares the X.509 Subject attributes allowed in a CertificateRequest. An omitted field forbids any Subject attributes from being requested. A CertificateRequest can request a subset of the allowed X.509 Subject attributes.
countries object
Countries define the X.509 Subject Countries that may be requested.
required boolean
Required controls whether the related field must have at least one value. Defaults to `false`.
validations []object
Validations applies rules using Common Expression Language (CEL) to validate attribute values present on request beyond what is possible to express using values/required. ALL attribute values on the related CertificateRequest field must pass ALL validations for the request to be granted by this policy.
message string
Message is the message to display when validation fails. Message is required if the Rule contains line breaks. Note that Message must not contain line breaks. If unset, a fallback message is used: "failed rule: `<rule>`". e.g. "must be a URL with the host matching spec.host"
rule string required
Rule represents the expression which will be evaluated by CEL. ref: https://github.com/google/cel-spec The Rule is scoped to the location of the validations in the schema. The `self` variable in the CEL expression is bound to the scoped value. To enable more advanced validation rules, approver-policy provides the `cr` (map) variable to the CEL expression containing `namespace` and `name` of the `CertificateRequest` resource. Example (rule for namespaced DNSNames): ``` rule: self.endsWith(cr.namespace + '.svc.cluster.local') ```
values []string
Values defines allowed attribute values on the related CertificateRequest field. Accepts wildcards "*". If set, the related field can only include items contained in the allowed values. NOTE:`values: []` paired with `required: true` establishes a policy that will never grant a `CertificateRequest`, but other policies may.
localities object
Localities defines the X.509 Subject Localities that may be requested.
required boolean
Required controls whether the related field must have at least one value. Defaults to `false`.
validations []object
Validations applies rules using Common Expression Language (CEL) to validate attribute values present on request beyond what is possible to express using values/required. ALL attribute values on the related CertificateRequest field must pass ALL validations for the request to be granted by this policy.
message string
Message is the message to display when validation fails. Message is required if the Rule contains line breaks. Note that Message must not contain line breaks. If unset, a fallback message is used: "failed rule: `<rule>`". e.g. "must be a URL with the host matching spec.host"
rule string required
Rule represents the expression which will be evaluated by CEL. ref: https://github.com/google/cel-spec The Rule is scoped to the location of the validations in the schema. The `self` variable in the CEL expression is bound to the scoped value. To enable more advanced validation rules, approver-policy provides the `cr` (map) variable to the CEL expression containing `namespace` and `name` of the `CertificateRequest` resource. Example (rule for namespaced DNSNames): ``` rule: self.endsWith(cr.namespace + '.svc.cluster.local') ```
values []string
Values defines allowed attribute values on the related CertificateRequest field. Accepts wildcards "*". If set, the related field can only include items contained in the allowed values. NOTE:`values: []` paired with `required: true` establishes a policy that will never grant a `CertificateRequest`, but other policies may.
organizationalUnits object
OrganizationalUnits defines the X.509 Subject Organizational Units that may be requested.
required boolean
Required controls whether the related field must have at least one value. Defaults to `false`.
validations []object
Validations applies rules using Common Expression Language (CEL) to validate attribute values present on request beyond what is possible to express using values/required. ALL attribute values on the related CertificateRequest field must pass ALL validations for the request to be granted by this policy.
message string
Message is the message to display when validation fails. Message is required if the Rule contains line breaks. Note that Message must not contain line breaks. If unset, a fallback message is used: "failed rule: `<rule>`". e.g. "must be a URL with the host matching spec.host"
rule string required
Rule represents the expression which will be evaluated by CEL. ref: https://github.com/google/cel-spec The Rule is scoped to the location of the validations in the schema. The `self` variable in the CEL expression is bound to the scoped value. To enable more advanced validation rules, approver-policy provides the `cr` (map) variable to the CEL expression containing `namespace` and `name` of the `CertificateRequest` resource. Example (rule for namespaced DNSNames): ``` rule: self.endsWith(cr.namespace + '.svc.cluster.local') ```
values []string
Values defines allowed attribute values on the related CertificateRequest field. Accepts wildcards "*". If set, the related field can only include items contained in the allowed values. NOTE:`values: []` paired with `required: true` establishes a policy that will never grant a `CertificateRequest`, but other policies may.
organizations object
Organizations define the X.509 Subject Organizations that may be requested.
required boolean
Required controls whether the related field must have at least one value. Defaults to `false`.
validations []object
Validations applies rules using Common Expression Language (CEL) to validate attribute values present on request beyond what is possible to express using values/required. ALL attribute values on the related CertificateRequest field must pass ALL validations for the request to be granted by this policy.
message string
Message is the message to display when validation fails. Message is required if the Rule contains line breaks. Note that Message must not contain line breaks. If unset, a fallback message is used: "failed rule: `<rule>`". e.g. "must be a URL with the host matching spec.host"
rule string required
Rule represents the expression which will be evaluated by CEL. ref: https://github.com/google/cel-spec The Rule is scoped to the location of the validations in the schema. The `self` variable in the CEL expression is bound to the scoped value. To enable more advanced validation rules, approver-policy provides the `cr` (map) variable to the CEL expression containing `namespace` and `name` of the `CertificateRequest` resource. Example (rule for namespaced DNSNames): ``` rule: self.endsWith(cr.namespace + '.svc.cluster.local') ```
values []string
Values defines allowed attribute values on the related CertificateRequest field. Accepts wildcards "*". If set, the related field can only include items contained in the allowed values. NOTE:`values: []` paired with `required: true` establishes a policy that will never grant a `CertificateRequest`, but other policies may.
postalCodes object
PostalCodes defines the X.509 Subject Postal Codes that may be requested.
required boolean
Required controls whether the related field must have at least one value. Defaults to `false`.
validations []object
Validations applies rules using Common Expression Language (CEL) to validate attribute values present on request beyond what is possible to express using values/required. ALL attribute values on the related CertificateRequest field must pass ALL validations for the request to be granted by this policy.
message string
Message is the message to display when validation fails. Message is required if the Rule contains line breaks. Note that Message must not contain line breaks. If unset, a fallback message is used: "failed rule: `<rule>`". e.g. "must be a URL with the host matching spec.host"
rule string required
Rule represents the expression which will be evaluated by CEL. ref: https://github.com/google/cel-spec The Rule is scoped to the location of the validations in the schema. The `self` variable in the CEL expression is bound to the scoped value. To enable more advanced validation rules, approver-policy provides the `cr` (map) variable to the CEL expression containing `namespace` and `name` of the `CertificateRequest` resource. Example (rule for namespaced DNSNames): ``` rule: self.endsWith(cr.namespace + '.svc.cluster.local') ```
values []string
Values defines allowed attribute values on the related CertificateRequest field. Accepts wildcards "*". If set, the related field can only include items contained in the allowed values. NOTE:`values: []` paired with `required: true` establishes a policy that will never grant a `CertificateRequest`, but other policies may.
provinces object
Provinces defines the X.509 Subject Provinces that may be requested.
required boolean
Required controls whether the related field must have at least one value. Defaults to `false`.
validations []object
Validations applies rules using Common Expression Language (CEL) to validate attribute values present on request beyond what is possible to express using values/required. ALL attribute values on the related CertificateRequest field must pass ALL validations for the request to be granted by this policy.
message string
Message is the message to display when validation fails. Message is required if the Rule contains line breaks. Note that Message must not contain line breaks. If unset, a fallback message is used: "failed rule: `<rule>`". e.g. "must be a URL with the host matching spec.host"
rule string required
Rule represents the expression which will be evaluated by CEL. ref: https://github.com/google/cel-spec The Rule is scoped to the location of the validations in the schema. The `self` variable in the CEL expression is bound to the scoped value. To enable more advanced validation rules, approver-policy provides the `cr` (map) variable to the CEL expression containing `namespace` and `name` of the `CertificateRequest` resource. Example (rule for namespaced DNSNames): ``` rule: self.endsWith(cr.namespace + '.svc.cluster.local') ```
values []string
Values defines allowed attribute values on the related CertificateRequest field. Accepts wildcards "*". If set, the related field can only include items contained in the allowed values. NOTE:`values: []` paired with `required: true` establishes a policy that will never grant a `CertificateRequest`, but other policies may.
serialNumber object
SerialNumber defines the X.509 Subject Serial Number that may be requested.
required boolean
Required marks that the related field must be provided and not be an empty string. Defaults to `false`.
validations []object
Validations applies rules using Common Expression Language (CEL) to validate attribute value present on request beyond what is possible to express using value/required. An attribute value on the related CertificateRequest field must pass ALL validations for the request to be granted by this policy.
message string
Message is the message to display when validation fails. Message is required if the Rule contains line breaks. Note that Message must not contain line breaks. If unset, a fallback message is used: "failed rule: `<rule>`". e.g. "must be a URL with the host matching spec.host"
rule string required
Rule represents the expression which will be evaluated by CEL. ref: https://github.com/google/cel-spec The Rule is scoped to the location of the validations in the schema. The `self` variable in the CEL expression is bound to the scoped value. To enable more advanced validation rules, approver-policy provides the `cr` (map) variable to the CEL expression containing `namespace` and `name` of the `CertificateRequest` resource. Example (rule for namespaced DNSNames): ``` rule: self.endsWith(cr.namespace + '.svc.cluster.local') ```
value string
Value defines the allowed attribute value on the related CertificateRequest field. Accepts wildcards "*". If set, the related field must match the specified pattern. NOTE:`value: ""` paired with `required: true` establishes a policy that will never grant a `CertificateRequest`, but other policies may.
streetAddresses object
StreetAddresses defines the X.509 Subject Street Addresses that may be requested.
required boolean
Required controls whether the related field must have at least one value. Defaults to `false`.
validations []object
Validations applies rules using Common Expression Language (CEL) to validate attribute values present on request beyond what is possible to express using values/required. ALL attribute values on the related CertificateRequest field must pass ALL validations for the request to be granted by this policy.
message string
Message is the message to display when validation fails. Message is required if the Rule contains line breaks. Note that Message must not contain line breaks. If unset, a fallback message is used: "failed rule: `<rule>`". e.g. "must be a URL with the host matching spec.host"
rule string required
Rule represents the expression which will be evaluated by CEL. ref: https://github.com/google/cel-spec The Rule is scoped to the location of the validations in the schema. The `self` variable in the CEL expression is bound to the scoped value. To enable more advanced validation rules, approver-policy provides the `cr` (map) variable to the CEL expression containing `namespace` and `name` of the `CertificateRequest` resource. Example (rule for namespaced DNSNames): ``` rule: self.endsWith(cr.namespace + '.svc.cluster.local') ```
values []string
Values defines allowed attribute values on the related CertificateRequest field. Accepts wildcards "*". If set, the related field can only include items contained in the allowed values. NOTE:`values: []` paired with `required: true` establishes a policy that will never grant a `CertificateRequest`, but other policies may.
uris object
URIs defines the X.509 URI SANs that may be requested.
required boolean
Required controls whether the related field must have at least one value. Defaults to `false`.
validations []object
Validations applies rules using Common Expression Language (CEL) to validate attribute values present on request beyond what is possible to express using values/required. ALL attribute values on the related CertificateRequest field must pass ALL validations for the request to be granted by this policy.
message string
Message is the message to display when validation fails. Message is required if the Rule contains line breaks. Note that Message must not contain line breaks. If unset, a fallback message is used: "failed rule: `<rule>`". e.g. "must be a URL with the host matching spec.host"
rule string required
Rule represents the expression which will be evaluated by CEL. ref: https://github.com/google/cel-spec The Rule is scoped to the location of the validations in the schema. The `self` variable in the CEL expression is bound to the scoped value. To enable more advanced validation rules, approver-policy provides the `cr` (map) variable to the CEL expression containing `namespace` and `name` of the `CertificateRequest` resource. Example (rule for namespaced DNSNames): ``` rule: self.endsWith(cr.namespace + '.svc.cluster.local') ```
values []string
Values defines allowed attribute values on the related CertificateRequest field. Accepts wildcards "*". If set, the related field can only include items contained in the allowed values. NOTE:`values: []` paired with `required: true` establishes a policy that will never grant a `CertificateRequest`, but other policies may.
usages []string
Usages defines the key usages that may be included in a CertificateRequest `spec.keyUsages` field. If set, `spec.keyUsages` in a CertificateRequest must be a subset of the specified values. If `[]` or unset, no `spec.keyUsages` are allowed.
constraints object
Constraints define fields that _must_ be satisfied by a CertificateRequest for the request to be allowed by this policy. Omitted fields place no restrictions on the corresponding attribute in a request.
maxDuration string
MaxDuration defines the maximum duration for a certificate request. Values are inclusive (i.e. a value of `1h` will accept a duration of `1h`). MinDuration and MaxDuration may be the same value. If set, a duration _must_ be requested in the CertificateRequest. An omitted field applies no maximum constraint for duration.
minDuration string
MinDuration defines the minimum duration for a certificate request. Values are inclusive (i.e. a value of `1h` will accept a duration of `1h`). MinDuration and MaxDuration may be the same value. If set, a duration _must_ be requested in the CertificateRequest. An omitted field applies no minimum constraint for duration.
privateKey object
PrivateKey defines constraints on the shape of private key allowed for a CertificateRequest. An omitted field applies no private key shape constraints.
algorithm string
Algorithm defines the allowed crypto algorithm for the private key in a request. An omitted field permits any algorithm.
enum: RSA, ECDSA, Ed25519
maxSize integer
MaxSize defines the maximum key size for a private key. Values are inclusive (i.e. a min value of `2048` will accept a size of `2048`). MaxSize and MinSize may be the same value. An omitted field applies no maximum constraint on size.
minSize integer
MinSize defines the minimum key size for a private key. Values are inclusive (i.e. a min value of `2048` will accept a size of `2048`). MinSize and MaxSize may be the same value. An omitted field applies no minimum constraint on size.
plugins object
Plugins are approvers that are built into approver-policy at compile-time. This is an advanced feature typically used to extend approver-policy core features. This field define plugins and their configuration that should be executed when this policy is evaluated against a CertificateRequest.
selector object required
Selector is used for selecting over which CertificateRequests this CertificateRequestPolicy is appropriate for and so will be used for its approval evaluation.
issuerRef object
IssuerRef is used to match by issuer, meaning the CertificateRequestPolicy will only evaluate CertificateRequests referring to matching issuers. CertificateRequests will not be processed if the issuer does not match, regardless of whether the requestor is bound by RBAC. The following value will match _all_ issuers: ``` issuerRef: {} ```
group string
Group is the wildcard selector to match the `spec.issuerRef.group` field on requests. Accepts wildcards "*". An omitted field matches all groups.
kind string
Kind is the wildcard selector to match the `spec.issuerRef.kind` field on requests. Accepts wildcards "*". An omitted field matches all kinds.
name string
Name is a wildcard enabled selector that matches the `spec.issuerRef.name` field of requests. Accepts wildcards "*". An omitted field matches all names.
namespace object
Namespace is used to match by namespace, meaning the CertificateRequestPolicy will only match CertificateRequests created in matching namespaces. If this field is omitted, resources in all namespaces are checked.
matchLabels object
MatchLabels is the set of Namespace labels that select on CertificateRequests which have been created in a namespace matching the selector.
matchNames []string
MatchNames is the set of namespace names that select on CertificateRequests that have been created in a matching namespace. Accepts wildcards "*".
status object
CertificateRequestPolicyStatus defines the observed state of the CertificateRequestPolicy.
conditions []object
List of status conditions to indicate the status of the CertificateRequestPolicy. Known condition types are `Ready`.
lastTransitionTime string required
lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
message string required
message is a human readable message indicating details about the transition. This may be an empty string.
maxLength: 32768
observedGeneration integer
observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
format: int64
minimum: 0
reason string required
reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
minLength: 1
maxLength: 1024
status string required
status of the condition, one of True, False, Unknown.
enum: True, False, Unknown
type string required
type of condition in CamelCase or in foo.example.com/CamelCase.
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
maxLength: 316

No matches. Try .spec.allowed for an exact path