CertificateRequestPolicy
policy.cert-manager.io / v1alpha1
apiVersion: policy.cert-manager.io/v1alpha1
kind: CertificateRequestPolicy
metadata:
name: example
apiVersion
string
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
kind
string
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
metadata
object
spec object required
CertificateRequestPolicySpec defines the desired state of
CertificateRequestPolicy.
allowed object
Allowed defines the allowed attributes for a CertificateRequest.
A CertificateRequest can request _less_ than what is allowed,
but _not more_, i.e. a CertificateRequest can request a subset of what
is declared as allowed by the policy.
Omitted fields declare that the equivalent CertificateRequest
field _must_ be omitted or have an empty value for the request to be
permitted.
commonName object
CommonName defines the X.509 Common Name that may be requested.
required
boolean
Required marks that the related field must be provided and not be an
empty string.
Defaults to `false`.
validations []object
Validations applies rules using Common Expression Language (CEL) to
validate attribute value present on request beyond what is possible
to express using value/required.
An attribute value on the related CertificateRequest field must pass
ALL validations for the request to be granted by this policy.
message
string
Message is the message to display when validation fails.
Message is required if the Rule contains line breaks. Note that Message
must not contain line breaks.
If unset, a fallback message is used: "failed rule: `<rule>`".
e.g. "must be a URL with the host matching spec.host"
rule
string required
Rule represents the expression which will be evaluated by CEL.
ref: https://github.com/google/cel-spec
The Rule is scoped to the location of the validations in the schema.
The `self` variable in the CEL expression is bound to the scoped value.
To enable more advanced validation rules, approver-policy provides the
`cr` (map) variable to the CEL expression containing `namespace` and
`name` of the `CertificateRequest` resource.
Example (rule for namespaced DNSNames):
```
rule: self.endsWith(cr.namespace + '.svc.cluster.local')
```
value
string
Value defines the allowed attribute value on the related CertificateRequest field.
Accepts wildcards "*".
If set, the related field must match the specified pattern.
NOTE:`value: ""` paired with `required: true` establishes a policy that
will never grant a `CertificateRequest`, but other policies may.
dnsNames object
DNSNames defines the X.509 DNS SANs that may be requested.
required
boolean
Required controls whether the related field must have at least one value.
Defaults to `false`.
validations []object
Validations applies rules using Common Expression Language (CEL) to
validate attribute values present on request beyond what is possible
to express using values/required.
ALL attribute values on the related CertificateRequest field must pass
ALL validations for the request to be granted by this policy.
message
string
Message is the message to display when validation fails.
Message is required if the Rule contains line breaks. Note that Message
must not contain line breaks.
If unset, a fallback message is used: "failed rule: `<rule>`".
e.g. "must be a URL with the host matching spec.host"
rule
string required
Rule represents the expression which will be evaluated by CEL.
ref: https://github.com/google/cel-spec
The Rule is scoped to the location of the validations in the schema.
The `self` variable in the CEL expression is bound to the scoped value.
To enable more advanced validation rules, approver-policy provides the
`cr` (map) variable to the CEL expression containing `namespace` and
`name` of the `CertificateRequest` resource.
Example (rule for namespaced DNSNames):
```
rule: self.endsWith(cr.namespace + '.svc.cluster.local')
```
values
[]string
Values defines allowed attribute values on the related CertificateRequest field.
Accepts wildcards "*".
If set, the related field can only include items contained in the allowed values.
NOTE:`values: []` paired with `required: true` establishes a policy that
will never grant a `CertificateRequest`, but other policies may.
emailAddresses object
EmailAddresses defines the X.509 Email SANs that may be requested.
required
boolean
Required controls whether the related field must have at least one value.
Defaults to `false`.
validations []object
Validations applies rules using Common Expression Language (CEL) to
validate attribute values present on request beyond what is possible
to express using values/required.
ALL attribute values on the related CertificateRequest field must pass
ALL validations for the request to be granted by this policy.
message
string
Message is the message to display when validation fails.
Message is required if the Rule contains line breaks. Note that Message
must not contain line breaks.
If unset, a fallback message is used: "failed rule: `<rule>`".
e.g. "must be a URL with the host matching spec.host"
rule
string required
Rule represents the expression which will be evaluated by CEL.
ref: https://github.com/google/cel-spec
The Rule is scoped to the location of the validations in the schema.
The `self` variable in the CEL expression is bound to the scoped value.
To enable more advanced validation rules, approver-policy provides the
`cr` (map) variable to the CEL expression containing `namespace` and
`name` of the `CertificateRequest` resource.
Example (rule for namespaced DNSNames):
```
rule: self.endsWith(cr.namespace + '.svc.cluster.local')
```
values
[]string
Values defines allowed attribute values on the related CertificateRequest field.
Accepts wildcards "*".
If set, the related field can only include items contained in the allowed values.
NOTE:`values: []` paired with `required: true` establishes a policy that
will never grant a `CertificateRequest`, but other policies may.
ipAddresses object
IPAddresses defines the X.509 IP SANs that may be requested.
required
boolean
Required controls whether the related field must have at least one value.
Defaults to `false`.
validations []object
Validations applies rules using Common Expression Language (CEL) to
validate attribute values present on request beyond what is possible
to express using values/required.
ALL attribute values on the related CertificateRequest field must pass
ALL validations for the request to be granted by this policy.
message
string
Message is the message to display when validation fails.
Message is required if the Rule contains line breaks. Note that Message
must not contain line breaks.
If unset, a fallback message is used: "failed rule: `<rule>`".
e.g. "must be a URL with the host matching spec.host"
rule
string required
Rule represents the expression which will be evaluated by CEL.
ref: https://github.com/google/cel-spec
The Rule is scoped to the location of the validations in the schema.
The `self` variable in the CEL expression is bound to the scoped value.
To enable more advanced validation rules, approver-policy provides the
`cr` (map) variable to the CEL expression containing `namespace` and
`name` of the `CertificateRequest` resource.
Example (rule for namespaced DNSNames):
```
rule: self.endsWith(cr.namespace + '.svc.cluster.local')
```
values
[]string
Values defines allowed attribute values on the related CertificateRequest field.
Accepts wildcards "*".
If set, the related field can only include items contained in the allowed values.
NOTE:`values: []` paired with `required: true` establishes a policy that
will never grant a `CertificateRequest`, but other policies may.
isCA
boolean
IsCA defines if a CertificateRequest is allowed to set the `spec.isCA`
field set to `true`.
If `true`, the `spec.isCA` field can be `true` or `false`.
If `false` or unset, the `spec.isCA` field must be `false`.
subject object
Subject declares the X.509 Subject attributes allowed in a
CertificateRequest. An omitted field forbids any Subject attributes
from being requested.
A CertificateRequest can request a subset of the allowed X.509 Subject
attributes.
countries object
Countries define the X.509 Subject Countries that may be requested.
required
boolean
Required controls whether the related field must have at least one value.
Defaults to `false`.
validations []object
Validations applies rules using Common Expression Language (CEL) to
validate attribute values present on request beyond what is possible
to express using values/required.
ALL attribute values on the related CertificateRequest field must pass
ALL validations for the request to be granted by this policy.
message
string
Message is the message to display when validation fails.
Message is required if the Rule contains line breaks. Note that Message
must not contain line breaks.
If unset, a fallback message is used: "failed rule: `<rule>`".
e.g. "must be a URL with the host matching spec.host"
rule
string required
Rule represents the expression which will be evaluated by CEL.
ref: https://github.com/google/cel-spec
The Rule is scoped to the location of the validations in the schema.
The `self` variable in the CEL expression is bound to the scoped value.
To enable more advanced validation rules, approver-policy provides the
`cr` (map) variable to the CEL expression containing `namespace` and
`name` of the `CertificateRequest` resource.
Example (rule for namespaced DNSNames):
```
rule: self.endsWith(cr.namespace + '.svc.cluster.local')
```
values
[]string
Values defines allowed attribute values on the related CertificateRequest field.
Accepts wildcards "*".
If set, the related field can only include items contained in the allowed values.
NOTE:`values: []` paired with `required: true` establishes a policy that
will never grant a `CertificateRequest`, but other policies may.
localities object
Localities defines the X.509 Subject Localities that may be requested.
required
boolean
Required controls whether the related field must have at least one value.
Defaults to `false`.
validations []object
Validations applies rules using Common Expression Language (CEL) to
validate attribute values present on request beyond what is possible
to express using values/required.
ALL attribute values on the related CertificateRequest field must pass
ALL validations for the request to be granted by this policy.
message
string
Message is the message to display when validation fails.
Message is required if the Rule contains line breaks. Note that Message
must not contain line breaks.
If unset, a fallback message is used: "failed rule: `<rule>`".
e.g. "must be a URL with the host matching spec.host"
rule
string required
Rule represents the expression which will be evaluated by CEL.
ref: https://github.com/google/cel-spec
The Rule is scoped to the location of the validations in the schema.
The `self` variable in the CEL expression is bound to the scoped value.
To enable more advanced validation rules, approver-policy provides the
`cr` (map) variable to the CEL expression containing `namespace` and
`name` of the `CertificateRequest` resource.
Example (rule for namespaced DNSNames):
```
rule: self.endsWith(cr.namespace + '.svc.cluster.local')
```
values
[]string
Values defines allowed attribute values on the related CertificateRequest field.
Accepts wildcards "*".
If set, the related field can only include items contained in the allowed values.
NOTE:`values: []` paired with `required: true` establishes a policy that
will never grant a `CertificateRequest`, but other policies may.
organizationalUnits object
OrganizationalUnits defines the X.509 Subject Organizational Units that
may be requested.
required
boolean
Required controls whether the related field must have at least one value.
Defaults to `false`.
validations []object
Validations applies rules using Common Expression Language (CEL) to
validate attribute values present on request beyond what is possible
to express using values/required.
ALL attribute values on the related CertificateRequest field must pass
ALL validations for the request to be granted by this policy.
message
string
Message is the message to display when validation fails.
Message is required if the Rule contains line breaks. Note that Message
must not contain line breaks.
If unset, a fallback message is used: "failed rule: `<rule>`".
e.g. "must be a URL with the host matching spec.host"
rule
string required
Rule represents the expression which will be evaluated by CEL.
ref: https://github.com/google/cel-spec
The Rule is scoped to the location of the validations in the schema.
The `self` variable in the CEL expression is bound to the scoped value.
To enable more advanced validation rules, approver-policy provides the
`cr` (map) variable to the CEL expression containing `namespace` and
`name` of the `CertificateRequest` resource.
Example (rule for namespaced DNSNames):
```
rule: self.endsWith(cr.namespace + '.svc.cluster.local')
```
values
[]string
Values defines allowed attribute values on the related CertificateRequest field.
Accepts wildcards "*".
If set, the related field can only include items contained in the allowed values.
NOTE:`values: []` paired with `required: true` establishes a policy that
will never grant a `CertificateRequest`, but other policies may.
organizations object
Organizations define the X.509 Subject Organizations that may be
requested.
required
boolean
Required controls whether the related field must have at least one value.
Defaults to `false`.
validations []object
Validations applies rules using Common Expression Language (CEL) to
validate attribute values present on request beyond what is possible
to express using values/required.
ALL attribute values on the related CertificateRequest field must pass
ALL validations for the request to be granted by this policy.
message
string
Message is the message to display when validation fails.
Message is required if the Rule contains line breaks. Note that Message
must not contain line breaks.
If unset, a fallback message is used: "failed rule: `<rule>`".
e.g. "must be a URL with the host matching spec.host"
rule
string required
Rule represents the expression which will be evaluated by CEL.
ref: https://github.com/google/cel-spec
The Rule is scoped to the location of the validations in the schema.
The `self` variable in the CEL expression is bound to the scoped value.
To enable more advanced validation rules, approver-policy provides the
`cr` (map) variable to the CEL expression containing `namespace` and
`name` of the `CertificateRequest` resource.
Example (rule for namespaced DNSNames):
```
rule: self.endsWith(cr.namespace + '.svc.cluster.local')
```
values
[]string
Values defines allowed attribute values on the related CertificateRequest field.
Accepts wildcards "*".
If set, the related field can only include items contained in the allowed values.
NOTE:`values: []` paired with `required: true` establishes a policy that
will never grant a `CertificateRequest`, but other policies may.
postalCodes object
PostalCodes defines the X.509 Subject Postal Codes that may be requested.
required
boolean
Required controls whether the related field must have at least one value.
Defaults to `false`.
validations []object
Validations applies rules using Common Expression Language (CEL) to
validate attribute values present on request beyond what is possible
to express using values/required.
ALL attribute values on the related CertificateRequest field must pass
ALL validations for the request to be granted by this policy.
message
string
Message is the message to display when validation fails.
Message is required if the Rule contains line breaks. Note that Message
must not contain line breaks.
If unset, a fallback message is used: "failed rule: `<rule>`".
e.g. "must be a URL with the host matching spec.host"
rule
string required
Rule represents the expression which will be evaluated by CEL.
ref: https://github.com/google/cel-spec
The Rule is scoped to the location of the validations in the schema.
The `self` variable in the CEL expression is bound to the scoped value.
To enable more advanced validation rules, approver-policy provides the
`cr` (map) variable to the CEL expression containing `namespace` and
`name` of the `CertificateRequest` resource.
Example (rule for namespaced DNSNames):
```
rule: self.endsWith(cr.namespace + '.svc.cluster.local')
```
values
[]string
Values defines allowed attribute values on the related CertificateRequest field.
Accepts wildcards "*".
If set, the related field can only include items contained in the allowed values.
NOTE:`values: []` paired with `required: true` establishes a policy that
will never grant a `CertificateRequest`, but other policies may.
provinces object
Provinces defines the X.509 Subject Provinces that may be requested.
required
boolean
Required controls whether the related field must have at least one value.
Defaults to `false`.
validations []object
Validations applies rules using Common Expression Language (CEL) to
validate attribute values present on request beyond what is possible
to express using values/required.
ALL attribute values on the related CertificateRequest field must pass
ALL validations for the request to be granted by this policy.
message
string
Message is the message to display when validation fails.
Message is required if the Rule contains line breaks. Note that Message
must not contain line breaks.
If unset, a fallback message is used: "failed rule: `<rule>`".
e.g. "must be a URL with the host matching spec.host"
rule
string required
Rule represents the expression which will be evaluated by CEL.
ref: https://github.com/google/cel-spec
The Rule is scoped to the location of the validations in the schema.
The `self` variable in the CEL expression is bound to the scoped value.
To enable more advanced validation rules, approver-policy provides the
`cr` (map) variable to the CEL expression containing `namespace` and
`name` of the `CertificateRequest` resource.
Example (rule for namespaced DNSNames):
```
rule: self.endsWith(cr.namespace + '.svc.cluster.local')
```
values
[]string
Values defines allowed attribute values on the related CertificateRequest field.
Accepts wildcards "*".
If set, the related field can only include items contained in the allowed values.
NOTE:`values: []` paired with `required: true` establishes a policy that
will never grant a `CertificateRequest`, but other policies may.
serialNumber object
SerialNumber defines the X.509 Subject Serial Number that may be
requested.
required
boolean
Required marks that the related field must be provided and not be an
empty string.
Defaults to `false`.
validations []object
Validations applies rules using Common Expression Language (CEL) to
validate attribute value present on request beyond what is possible
to express using value/required.
An attribute value on the related CertificateRequest field must pass
ALL validations for the request to be granted by this policy.
message
string
Message is the message to display when validation fails.
Message is required if the Rule contains line breaks. Note that Message
must not contain line breaks.
If unset, a fallback message is used: "failed rule: `<rule>`".
e.g. "must be a URL with the host matching spec.host"
rule
string required
Rule represents the expression which will be evaluated by CEL.
ref: https://github.com/google/cel-spec
The Rule is scoped to the location of the validations in the schema.
The `self` variable in the CEL expression is bound to the scoped value.
To enable more advanced validation rules, approver-policy provides the
`cr` (map) variable to the CEL expression containing `namespace` and
`name` of the `CertificateRequest` resource.
Example (rule for namespaced DNSNames):
```
rule: self.endsWith(cr.namespace + '.svc.cluster.local')
```
value
string
Value defines the allowed attribute value on the related CertificateRequest field.
Accepts wildcards "*".
If set, the related field must match the specified pattern.
NOTE:`value: ""` paired with `required: true` establishes a policy that
will never grant a `CertificateRequest`, but other policies may.
streetAddresses object
StreetAddresses defines the X.509 Subject Street Addresses that may be
requested.
required
boolean
Required controls whether the related field must have at least one value.
Defaults to `false`.
validations []object
Validations applies rules using Common Expression Language (CEL) to
validate attribute values present on request beyond what is possible
to express using values/required.
ALL attribute values on the related CertificateRequest field must pass
ALL validations for the request to be granted by this policy.
message
string
Message is the message to display when validation fails.
Message is required if the Rule contains line breaks. Note that Message
must not contain line breaks.
If unset, a fallback message is used: "failed rule: `<rule>`".
e.g. "must be a URL with the host matching spec.host"
rule
string required
Rule represents the expression which will be evaluated by CEL.
ref: https://github.com/google/cel-spec
The Rule is scoped to the location of the validations in the schema.
The `self` variable in the CEL expression is bound to the scoped value.
To enable more advanced validation rules, approver-policy provides the
`cr` (map) variable to the CEL expression containing `namespace` and
`name` of the `CertificateRequest` resource.
Example (rule for namespaced DNSNames):
```
rule: self.endsWith(cr.namespace + '.svc.cluster.local')
```
values
[]string
Values defines allowed attribute values on the related CertificateRequest field.
Accepts wildcards "*".
If set, the related field can only include items contained in the allowed values.
NOTE:`values: []` paired with `required: true` establishes a policy that
will never grant a `CertificateRequest`, but other policies may.
uris object
URIs defines the X.509 URI SANs that may be requested.
required
boolean
Required controls whether the related field must have at least one value.
Defaults to `false`.
validations []object
Validations applies rules using Common Expression Language (CEL) to
validate attribute values present on request beyond what is possible
to express using values/required.
ALL attribute values on the related CertificateRequest field must pass
ALL validations for the request to be granted by this policy.
message
string
Message is the message to display when validation fails.
Message is required if the Rule contains line breaks. Note that Message
must not contain line breaks.
If unset, a fallback message is used: "failed rule: `<rule>`".
e.g. "must be a URL with the host matching spec.host"
rule
string required
Rule represents the expression which will be evaluated by CEL.
ref: https://github.com/google/cel-spec
The Rule is scoped to the location of the validations in the schema.
The `self` variable in the CEL expression is bound to the scoped value.
To enable more advanced validation rules, approver-policy provides the
`cr` (map) variable to the CEL expression containing `namespace` and
`name` of the `CertificateRequest` resource.
Example (rule for namespaced DNSNames):
```
rule: self.endsWith(cr.namespace + '.svc.cluster.local')
```
values
[]string
Values defines allowed attribute values on the related CertificateRequest field.
Accepts wildcards "*".
If set, the related field can only include items contained in the allowed values.
NOTE:`values: []` paired with `required: true` establishes a policy that
will never grant a `CertificateRequest`, but other policies may.
usages
[]string
Usages defines the key usages that may be included in a
CertificateRequest `spec.keyUsages` field.
If set, `spec.keyUsages` in a CertificateRequest must be a subset of the
specified values.
If `[]` or unset, no `spec.keyUsages` are allowed.
constraints object
Constraints define fields that _must_ be satisfied by a
CertificateRequest for the request to be allowed by this policy.
Omitted fields place no restrictions on the corresponding
attribute in a request.
maxDuration
string
MaxDuration defines the maximum duration for a certificate request.
Values are inclusive (i.e. a value of `1h` will accept a duration of
`1h`). MinDuration and MaxDuration may be the same value.
If set, a duration _must_ be requested in the CertificateRequest.
An omitted field applies no maximum constraint for duration.
minDuration
string
MinDuration defines the minimum duration for a certificate request.
Values are inclusive (i.e. a value of `1h` will accept a duration of
`1h`). MinDuration and MaxDuration may be the same value.
If set, a duration _must_ be requested in the CertificateRequest.
An omitted field applies no minimum constraint for duration.
privateKey object
PrivateKey defines constraints on the shape of private key
allowed for a CertificateRequest.
An omitted field applies no private key shape constraints.
algorithm
string
Algorithm defines the allowed crypto algorithm for the private key
in a request.
An omitted field permits any algorithm.
enum:
RSA, ECDSA, Ed25519
maxSize
integer
MaxSize defines the maximum key size for a private key.
Values are inclusive (i.e. a min value of `2048` will accept a size
of `2048`). MaxSize and MinSize may be the same value.
An omitted field applies no maximum constraint on size.
minSize
integer
MinSize defines the minimum key size for a private key.
Values are inclusive (i.e. a min value of `2048` will accept a size
of `2048`). MinSize and MaxSize may be the same value.
An omitted field applies no minimum constraint on size.
plugins
object
Plugins are approvers that are built into approver-policy at
compile-time. This is an advanced feature typically used to extend
approver-policy core features. This field define plugins and their
configuration that should be executed when this policy is evaluated
against a CertificateRequest.
selector object required
Selector is used for selecting over which CertificateRequests this
CertificateRequestPolicy is appropriate for and so will be used for its
approval evaluation.
issuerRef object
IssuerRef is used to match by issuer, meaning the
CertificateRequestPolicy will only evaluate CertificateRequests
referring to matching issuers.
CertificateRequests will not be processed if the issuer does not match,
regardless of whether the requestor is bound by RBAC.
The following value will match _all_ issuers:
```
issuerRef: {}
```
group
string
Group is the wildcard selector to match the `spec.issuerRef.group` field
on requests.
Accepts wildcards "*".
An omitted field matches all groups.
kind
string
Kind is the wildcard selector to match the `spec.issuerRef.kind` field
on requests.
Accepts wildcards "*".
An omitted field matches all kinds.
name
string
Name is a wildcard enabled selector that matches the
`spec.issuerRef.name` field of requests.
Accepts wildcards "*".
An omitted field matches all names.
namespace object
Namespace is used to match by namespace, meaning the
CertificateRequestPolicy will only match CertificateRequests
created in matching namespaces.
If this field is omitted, resources in all namespaces are checked.
matchLabels
object
MatchLabels is the set of Namespace labels that select on
CertificateRequests which have been created in a namespace matching the
selector.
matchNames
[]string
MatchNames is the set of namespace names that select on
CertificateRequests that have been created in a matching namespace.
Accepts wildcards "*".
status object
CertificateRequestPolicyStatus defines the observed state of the
CertificateRequestPolicy.
conditions []object
List of status conditions to indicate the status of the
CertificateRequestPolicy.
Known condition types are `Ready`.
lastTransitionTime
string required
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format:
date-time
message
string required
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength:
32768
observedGeneration
integer
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format:
int64minimum:
0
reason
string required
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
pattern:
^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$minLength:
1maxLength:
1024
status
string required
status of the condition, one of True, False, Unknown.
enum:
True, False, Unknown
type
string required
type of condition in CamelCase or in foo.example.com/CamelCase.
pattern:
^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$maxLength:
316No matches. Try .spec.allowed for an exact path