Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Document How to Configure Common Scenarios #466

Open
asaikali opened this issue Jul 12, 2024 · 0 comments
Open

Document How to Configure Common Scenarios #466

asaikali opened this issue Jul 12, 2024 · 0 comments

Comments

@asaikali
Copy link

asaikali commented Jul 12, 2024

I have been studying the docs for the project and I experimenting to learn how it works. I started out with what I thought was a simple requirement, I would like to configure cert-manager to deny all by default, then allow by explicit policy only. I am not sure exactly what the right way to do this is?

It would be very helpful to document common scenarios and how to configure them. Here is my take on common scenarios.

  1. Deny all requests for certs on the cluster by default, unless explicitly allowed by specific policy.

  2. Force the SAN of certificate request to follow a pattern of based on the pod / deployment / namespace. How do I enforce that there is 1 SAN and that the SAN includes the namespace and the deployment in the SAN. I don't want to use SPIFEE but I want to know that only the pod could have requested a cert with a specific name.

I noticed the https://github.com/cert-manager/approver-policy/blob/main/docs/examples/default-deny-all.yaml but does not include any RBAC rules, and the docs claim that needs to be configured to get the ploicy to be evaluated.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant