
approver-policy API Reference

Packages:

policy.cert-manager.io/v1alpha1

Resource Types:

CertificateRequestPolicy

CertificateRequestPolicy is an object for describing a "policy profile" that makes decisions on whether applicable CertificateRequests should be approved or denied.

apiVersion (string, required): policy.cert-manager.io/v1alpha1

kind (string, required): CertificateRequestPolicy

metadata (object, required): Refer to the Kubernetes API documentation for the fields of the metadata field.

spec (object, optional): CertificateRequestPolicySpec defines the desired state of CertificateRequestPolicy.

status (object, optional): CertificateRequestPolicyStatus defines the observed state of the CertificateRequestPolicy.

CertificateRequestPolicy.spec

CertificateRequestPolicySpec defines the desired state of CertificateRequestPolicy.

selector (object, required): Selector is used for selecting over which CertificateRequests this CertificateRequestPolicy is appropriate for and so will be used for its approval evaluation.

allowed (object, optional): Allowed defines the allowed attributes for a CertificateRequest. A CertificateRequest can request less than what is allowed, but not more, i.e. a CertificateRequest can request a subset of what is declared as allowed by the policy. Omitted fields declare that the equivalent CertificateRequest field must be omitted or have an empty value for the request to be permitted.

constraints (object, optional): Constraints define fields that must be satisfied by a CertificateRequest for the request to be allowed by this policy. Omitted fields place no restrictions on the corresponding attribute in a request.

plugins (map[string]object, optional): Plugins are approvers that are built into approver-policy at compile time. This is an advanced feature typically used to extend approver-policy's core features. This field defines the plugins, and their configuration, that should be executed when this policy is evaluated against a CertificateRequest.

CertificateRequestPolicy.spec.selector

Selector is used for selecting over which CertificateRequests this CertificateRequestPolicy is appropriate for and so will be used for its approval evaluation.

issuerRef (object, optional): IssuerRef is used to match by issuer, meaning the CertificateRequestPolicy will only evaluate CertificateRequests referring to matching issuers. CertificateRequests will not be processed if the issuer does not match, regardless of whether the requestor is bound by RBAC. The following value will match all issuers:

    issuerRef: {}

namespace (object, optional): Namespace is used to match by namespace, meaning the CertificateRequestPolicy will only match CertificateRequests created in matching namespaces. If this field is omitted, resources in all namespaces are checked.

CertificateRequestPolicy.spec.selector.issuerRef

IssuerRef is used to match by issuer, meaning the CertificateRequestPolicy will only evaluate CertificateRequests referring to matching issuers. CertificateRequests will not be processed if the issuer does not match, regardless of whether the requestor is bound by RBAC.

The following value will match all issuers:

    issuerRef: {}

group (string, optional): Group is the wildcard selector to match the spec.issuerRef.group field on requests. Accepts wildcards "*". An omitted field matches all groups.

kind (string, optional): Kind is the wildcard selector to match the spec.issuerRef.kind field on requests. Accepts wildcards "*". An omitted field matches all kinds.

name (string, optional): Name is a wildcard-enabled selector that matches the spec.issuerRef.name field of requests. Accepts wildcards "*". An omitted field matches all names.

CertificateRequestPolicy.spec.selector.namespace

Namespace is used to match by namespace, meaning the CertificateRequestPolicy will only match CertificateRequests created in matching namespaces. If this field is omitted, resources in all namespaces are checked.

matchLabels (map[string]string, optional): MatchLabels is the set of Namespace labels that select on CertificateRequests which have been created in a namespace matching the selector.

matchNames ([]string, optional): MatchNames is the set of namespace names that select on CertificateRequests that have been created in a matching namespace. Accepts wildcards "*". TODO: add x-kubernetes-list-type: set in v1alpha2

CertificateRequestPolicy.spec.allowed

Allowed defines the allowed attributes for a CertificateRequest. A CertificateRequest can request less than what is allowed, but not more, i.e. a CertificateRequest can request a subset of what is declared as allowed by the policy. Omitted fields declare that the equivalent CertificateRequest field must be omitted or have an empty value for the request to be permitted.

commonName (object, optional): CommonName defines the X.509 Common Name that may be requested.

dnsNames (object, optional): DNSNames defines the X.509 DNS SANs that may be requested.

emailAddresses (object, optional): EmailAddresses defines the X.509 Email SANs that may be requested.

ipAddresses (object, optional): IPAddresses defines the X.509 IP SANs that may be requested.

isCA (boolean, optional): IsCA defines whether a CertificateRequest is allowed to set the spec.isCA field to true. If true, the spec.isCA field can be true or false. If false or unset, the spec.isCA field must be false.

subject (object, optional): Subject declares the X.509 Subject attributes allowed in a CertificateRequest. An omitted field forbids any Subject attributes from being requested. A CertificateRequest can request a subset of the allowed X.509 Subject attributes.

uris (object, optional): URIs defines the X.509 URI SANs that may be requested.

usages ([]enum, optional): Usages defines the key usages that may be included in a CertificateRequest spec.keyUsages field. If set, spec.keyUsages in a CertificateRequest must be a subset of the specified values. If [] or unset, no spec.keyUsages are allowed. TODO: add x-kubernetes-list-type: set in v1alpha2
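The following Python is an added example, not approver-policy's own code: it models the spec.allowed rules stated above (a request may ask for a subset of what is allowed but never more, an omitted allowed field means the request field must be empty, value/values accept "*" wildcards, required demands a non-empty value, isCA and usages are gated as described) and runs a constructed policy against two constructed requests. The wildcard semantics ("*" matches any run of characters, nothing else is special) and the treatment of an unset value/values as permitting nothing are assumptions.

```python
"""Model of how a CertificateRequestPolicy's spec.allowed block is evaluated
against a CertificateRequest (added example, not approver-policy's own code)."""
import re
from typing import Optional

# List-valued attributes directly under spec.allowed and under spec.allowed.subject.
LIST_FIELDS = ("dnsNames", "emailAddresses", "ipAddresses", "uris")
SUBJECT_LIST_FIELDS = ("countries", "localities", "organizationalUnits", "organizations",
                       "postalCodes", "provinces", "streetAddresses")


def wildcard_match(pattern: str, value: str) -> bool:
    """Assumption: '*' matches any run of characters; every other character is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def check_list(name: str, allowed: Optional[dict], requested: Optional[list]) -> list:
    """Violations for a list-valued attribute (values/required semantics)."""
    requested = requested or []
    if allowed is None:  # field omitted from the policy: the request must not use it
        return [f"{name}: not permitted by this policy"] if requested else []
    violations = []
    if allowed.get("required") and not requested:
        violations.append(f"{name}: required but empty")
    # Assumption: an unset 'values' permits nothing, so values: [] paired with
    # required: true can never grant a request (the NOTE on this page).
    values = allowed.get("values") or []
    rejected = [v for v in requested if not any(wildcard_match(p, v) for p in values)]
    if rejected:
        violations.append(f"{name}: {rejected} not in allowed values {values}")
    return violations


def check_single(name: str, allowed: Optional[dict], requested: Optional[str]) -> list:
    """Violations for a single-valued attribute (value/required semantics)."""
    requested = requested or ""
    if allowed is None:
        return [f"{name}: not permitted by this policy"] if requested else []
    violations = []
    if allowed.get("required") and requested == "":
        violations.append(f"{name}: required but empty")
    pattern = allowed.get("value") or ""  # assumption: unset 'value' permits nothing
    if requested and not wildcard_match(pattern, requested):
        violations.append(f"{name}: {requested!r} does not match {pattern!r}")
    return violations


def evaluate_allowed(allowed: dict, cr: dict) -> list:
    """Return every violation of spec.allowed by the request; [] means the
    request asks for no more than the policy permits."""
    violations = check_single("commonName", allowed.get("commonName"), cr.get("commonName"))
    for f in LIST_FIELDS:
        violations += check_list(f, allowed.get(f), cr.get(f))
    subj_allowed, subj_req = allowed.get("subject"), cr.get("subject") or {}
    for f in SUBJECT_LIST_FIELDS:
        sub = None if subj_allowed is None else subj_allowed.get(f)
        violations += check_list("subject." + f, sub, subj_req.get(f))
    serial = None if subj_allowed is None else subj_allowed.get("serialNumber")
    violations += check_single("subject.serialNumber", serial, subj_req.get("serialNumber"))
    # isCA may only be true when allowed.isCA is true; false or unset forbids it.
    if cr.get("isCA") and not allowed.get("isCA", False):
        violations.append("isCA: true is not permitted")
    # spec.keyUsages must be a subset of allowed.usages; [] or unset permits none.
    extra = sorted(set(cr.get("usages") or []) - set(allowed.get("usages") or []))
    if extra:
        violations.append(f"usages: {extra} not permitted")
    return violations


# Constructed policy: names only under two suffixes, no CA certificates, three usages,
# and the omitted fields (ipAddresses, uris, emailAddresses, subject) must stay empty.
POLICY_ALLOWED = {
    "commonName": {"value": "*.apps.example.internal"},
    "dnsNames": {"required": True,
                 "values": ["*.apps.example.internal", "*.svc.cluster.local"]},
    "usages": ["digital signature", "key encipherment", "server auth"],
}

# Constructed requests: one within the policy, one exceeding it in four ways.
REQUEST_OK = {
    "commonName": "web.apps.example.internal",
    "dnsNames": ["web.apps.example.internal", "web.team-a.svc.cluster.local"],
    "usages": ["digital signature", "server auth"],
}
REQUEST_DENIED = {
    "commonName": "web.apps.example.internal",
    "dnsNames": ["web.apps.example.internal", "web.example.com"],
    "ipAddresses": ["10.0.0.1"],
    "isCA": True,
    "usages": ["server auth", "cert sign"],
}

if __name__ == "__main__":
    print("ok request violations:", evaluate_allowed(POLICY_ALLOWED, REQUEST_OK))
    for v in evaluate_allowed(POLICY_ALLOWED, REQUEST_DENIED):
        print("denied:", v)
```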

CertificateRequestPolicy.spec.allowed.commonName

CommonName defines the X.509 Common Name that may be requested.

required (boolean, optional): Required marks that the related field must be provided and not be an empty string. Defaults to false.

validations ([]object, optional): Validations applies rules written in Common Expression Language (CEL) to validate the attribute value present on a request beyond what can be expressed using value/required. The attribute value on the related CertificateRequest field must pass ALL validations for the request to be granted by this policy.

value (string, optional): Value defines the allowed attribute value on the related CertificateRequest field. Accepts wildcards "*". If set, the related field must match the specified pattern.

    NOTE: value: "" paired with required: true establishes a policy that will never grant a CertificateRequest, but other policies may.

CertificateRequestPolicy.spec.allowed.commonName.validations[index]

ValidationRule describes a validation rule expressed in CEL.

rule (string, required): Rule represents the expression which will be evaluated by CEL (ref: https://github.com/google/cel-spec). The Rule is scoped to the location of the validations in the schema. The self variable in the CEL expression is bound to the scoped value. To enable more advanced validation rules, approver-policy provides the cr (map) variable to the CEL expression, containing the namespace and name of the CertificateRequest resource.

    Example (rule for namespaced DNSNames):

        rule: self.endsWith(cr.namespace + '.svc.cluster.local')

message (string, optional): Message is the message to display when validation fails. Message is required if the Rule contains line breaks. Note that Message must not contain line breaks. If unset, a fallback message is used: "failed rule: <rule>". Example: "must be a URL with the host matching spec.host".

CertificateRequestPolicy.spec.allowed.dnsNames

DNSNames defines the X.509 DNS SANs that may be requested.

required (boolean, optional): Required controls whether the related field must have at least one value. Defaults to false.

validations ([]object, optional): Validations applies rules written in Common Expression Language (CEL) to validate the attribute values present on a request beyond what can be expressed using values/required. ALL attribute values on the related CertificateRequest field must pass ALL validations for the request to be granted by this policy.

values ([]string, optional): Values defines the allowed attribute values on the related CertificateRequest field. Accepts wildcards "*". If set, the related field can only include items contained in the allowed values.

    NOTE: values: [] paired with required: true establishes a policy that will never grant a CertificateRequest, but other policies may. TODO: add x-kubernetes-list-type: set in v1alpha2

CertificateRequestPolicy.spec.allowed.dnsNames.validations[index]

ValidationRule describes a validation rule expressed in CEL.

rule (string, required): Rule represents the expression which will be evaluated by CEL (ref: https://github.com/google/cel-spec). The Rule is scoped to the location of the validations in the schema. The self variable in the CEL expression is bound to the scoped value. To enable more advanced validation rules, approver-policy provides the cr (map) variable to the CEL expression, containing the namespace and name of the CertificateRequest resource.

    Example (rule for namespaced DNSNames):

        rule: self.endsWith(cr.namespace + '.svc.cluster.local')

message (string, optional): Message is the message to display when validation fails. Message is required if the Rule contains line breaks. Note that Message must not contain line breaks. If unset, a fallback message is used: "failed rule: <rule>". Example: "must be a URL with the host matching spec.host".

CertificateRequestPolicy.spec.allowed.emailAddresses

EmailAddresses defines the X.509 Email SANs that may be requested.

required (boolean, optional): Required controls whether the related field must have at least one value. Defaults to false.

validations ([]object, optional): Validations applies rules written in Common Expression Language (CEL) to validate the attribute values present on a request beyond what can be expressed using values/required. ALL attribute values on the related CertificateRequest field must pass ALL validations for the request to be granted by this policy.

values ([]string, optional): Values defines the allowed attribute values on the related CertificateRequest field. Accepts wildcards "*". If set, the related field can only include items contained in the allowed values.

    NOTE: values: [] paired with required: true establishes a policy that will never grant a CertificateRequest, but other policies may. TODO: add x-kubernetes-list-type: set in v1alpha2

CertificateRequestPolicy.spec.allowed.emailAddresses.validations[index]

ValidationRule describes a validation rule expressed in CEL.

rule (string, required): Rule represents the expression which will be evaluated by CEL (ref: https://github.com/google/cel-spec). The Rule is scoped to the location of the validations in the schema. The self variable in the CEL expression is bound to the scoped value. To enable more advanced validation rules, approver-policy provides the cr (map) variable to the CEL expression, containing the namespace and name of the CertificateRequest resource.

    Example (rule for namespaced DNSNames):

        rule: self.endsWith(cr.namespace + '.svc.cluster.local')

message (string, optional): Message is the message to display when validation fails. Message is required if the Rule contains line breaks. Note that Message must not contain line breaks. If unset, a fallback message is used: "failed rule: <rule>". Example: "must be a URL with the host matching spec.host".

CertificateRequestPolicy.spec.allowed.ipAddresses

IPAddresses defines the X.509 IP SANs that may be requested.

required (boolean, optional): Required controls whether the related field must have at least one value. Defaults to false.

validations ([]object, optional): Validations applies rules written in Common Expression Language (CEL) to validate the attribute values present on a request beyond what can be expressed using values/required. ALL attribute values on the related CertificateRequest field must pass ALL validations for the request to be granted by this policy.

values ([]string, optional): Values defines the allowed attribute values on the related CertificateRequest field. Accepts wildcards "*". If set, the related field can only include items contained in the allowed values.

    NOTE: values: [] paired with required: true establishes a policy that will never grant a CertificateRequest, but other policies may. TODO: add x-kubernetes-list-type: set in v1alpha2

CertificateRequestPolicy.spec.allowed.ipAddresses.validations[index]

ValidationRule describes a validation rule expressed in CEL.

rule (string, required): Rule represents the expression which will be evaluated by CEL (ref: https://github.com/google/cel-spec). The Rule is scoped to the location of the validations in the schema. The self variable in the CEL expression is bound to the scoped value. To enable more advanced validation rules, approver-policy provides the cr (map) variable to the CEL expression, containing the namespace and name of the CertificateRequest resource.

    Example (rule for namespaced DNSNames):

        rule: self.endsWith(cr.namespace + '.svc.cluster.local')

message (string, optional): Message is the message to display when validation fails. Message is required if the Rule contains line breaks. Note that Message must not contain line breaks. If unset, a fallback message is used: "failed rule: <rule>". Example: "must be a URL with the host matching spec.host".

CertificateRequestPolicy.spec.allowed.subject

Subject declares the X.509 Subject attributes allowed in a CertificateRequest. An omitted field forbids any Subject attributes from being requested. A CertificateRequest can request a subset of the allowed X.509 Subject attributes.

countries (object, optional): Countries define the X.509 Subject Countries that may be requested.

localities (object, optional): Localities defines the X.509 Subject Localities that may be requested.

organizationalUnits (object, optional): OrganizationalUnits defines the X.509 Subject Organizational Units that may be requested.

organizations (object, optional): Organizations define the X.509 Subject Organizations that may be requested.

postalCodes (object, optional): PostalCodes defines the X.509 Subject Postal Codes that may be requested.

provinces (object, optional): Provinces defines the X.509 Subject Provinces that may be requested.

serialNumber (object, optional): SerialNumber defines the X.509 Subject Serial Number that may be requested.

streetAddresses (object, optional): StreetAddresses defines the X.509 Subject Street Addresses that may be requested.

CertificateRequestPolicy.spec.allowed.subject.countries

Countries define the X.509 Subject Countries that may be requested.

required (boolean, optional): Required controls whether the related field must have at least one value. Defaults to false.

validations ([]object, optional): Validations applies rules written in Common Expression Language (CEL) to validate the attribute values present on a request beyond what can be expressed using values/required. ALL attribute values on the related CertificateRequest field must pass ALL validations for the request to be granted by this policy.

values ([]string, optional): Values defines the allowed attribute values on the related CertificateRequest field. Accepts wildcards "*". If set, the related field can only include items contained in the allowed values.

    NOTE: values: [] paired with required: true establishes a policy that will never grant a CertificateRequest, but other policies may. TODO: add x-kubernetes-list-type: set in v1alpha2

CertificateRequestPolicy.spec.allowed.subject.countries.validations[index]

ValidationRule describes a validation rule expressed in CEL.

rule (string, required): Rule represents the expression which will be evaluated by CEL (ref: https://github.com/google/cel-spec). The Rule is scoped to the location of the validations in the schema. The self variable in the CEL expression is bound to the scoped value. To enable more advanced validation rules, approver-policy provides the cr (map) variable to the CEL expression, containing the namespace and name of the CertificateRequest resource.

    Example (rule for namespaced DNSNames):

        rule: self.endsWith(cr.namespace + '.svc.cluster.local')

message (string, optional): Message is the message to display when validation fails. Message is required if the Rule contains line breaks. Note that Message must not contain line breaks. If unset, a fallback message is used: "failed rule: <rule>". Example: "must be a URL with the host matching spec.host".

CertificateRequestPolicy.spec.allowed.subject.localities

Localities defines the X.509 Subject Localities that may be requested.

required (boolean, optional): Required controls whether the related field must have at least one value. Defaults to false.

validations ([]object, optional): Validations applies rules written in Common Expression Language (CEL) to validate the attribute values present on a request beyond what can be expressed using values/required. ALL attribute values on the related CertificateRequest field must pass ALL validations for the request to be granted by this policy.

values ([]string, optional): Values defines the allowed attribute values on the related CertificateRequest field. Accepts wildcards "*". If set, the related field can only include items contained in the allowed values.

    NOTE: values: [] paired with required: true establishes a policy that will never grant a CertificateRequest, but other policies may. TODO: add x-kubernetes-list-type: set in v1alpha2

CertificateRequestPolicy.spec.allowed.subject.localities.validations[index]

ValidationRule describes a validation rule expressed in CEL.

rule (string, required): Rule represents the expression which will be evaluated by CEL (ref: https://github.com/google/cel-spec). The Rule is scoped to the location of the validations in the schema. The self variable in the CEL expression is bound to the scoped value. To enable more advanced validation rules, approver-policy provides the cr (map) variable to the CEL expression, containing the namespace and name of the CertificateRequest resource.

    Example (rule for namespaced DNSNames):

        rule: self.endsWith(cr.namespace + '.svc.cluster.local')

message (string, optional): Message is the message to display when validation fails. Message is required if the Rule contains line breaks. Note that Message must not contain line breaks. If unset, a fallback message is used: "failed rule: <rule>". Example: "must be a URL with the host matching spec.host".

CertificateRequestPolicy.spec.allowed.subject.organizationalUnits

OrganizationalUnits defines the X.509 Subject Organizational Units that may be requested.

required (boolean, optional): Required controls whether the related field must have at least one value. Defaults to false.

validations ([]object, optional): Validations applies rules written in Common Expression Language (CEL) to validate the attribute values present on a request beyond what can be expressed using values/required. ALL attribute values on the related CertificateRequest field must pass ALL validations for the request to be granted by this policy.

values ([]string, optional): Values defines the allowed attribute values on the related CertificateRequest field. Accepts wildcards "*". If set, the related field can only include items contained in the allowed values.

    NOTE: values: [] paired with required: true establishes a policy that will never grant a CertificateRequest, but other policies may. TODO: add x-kubernetes-list-type: set in v1alpha2

CertificateRequestPolicy.spec.allowed.subject.organizationalUnits.validations[index]

ValidationRule describes a validation rule expressed in CEL.

rule (string, required): Rule represents the expression which will be evaluated by CEL (ref: https://github.com/google/cel-spec). The Rule is scoped to the location of the validations in the schema. The self variable in the CEL expression is bound to the scoped value. To enable more advanced validation rules, approver-policy provides the cr (map) variable to the CEL expression, containing the namespace and name of the CertificateRequest resource.

    Example (rule for namespaced DNSNames):

        rule: self.endsWith(cr.namespace + '.svc.cluster.local')

message (string, optional): Message is the message to display when validation fails. Message is required if the Rule contains line breaks. Note that Message must not contain line breaks. If unset, a fallback message is used: "failed rule: <rule>". Example: "must be a URL with the host matching spec.host".

CertificateRequestPolicy.spec.allowed.subject.organizations

Organizations define the X.509 Subject Organizations that may be requested.

required (boolean, optional): Required controls whether the related field must have at least one value. Defaults to false.

validations ([]object, optional): Validations applies rules written in Common Expression Language (CEL) to validate the attribute values present on a request beyond what can be expressed using values/required. ALL attribute values on the related CertificateRequest field must pass ALL validations for the request to be granted by this policy.

values ([]string, optional): Values defines the allowed attribute values on the related CertificateRequest field. Accepts wildcards "*". If set, the related field can only include items contained in the allowed values.

    NOTE: values: [] paired with required: true establishes a policy that will never grant a CertificateRequest, but other policies may. TODO: add x-kubernetes-list-type: set in v1alpha2

CertificateRequestPolicy.spec.allowed.subject.organizations.validations[index]

ValidationRule describes a validation rule expressed in CEL.

rule (string, required): Rule represents the expression which will be evaluated by CEL (ref: https://github.com/google/cel-spec). The Rule is scoped to the location of the validations in the schema. The self variable in the CEL expression is bound to the scoped value. To enable more advanced validation rules, approver-policy provides the cr (map) variable to the CEL expression, containing the namespace and name of the CertificateRequest resource.

    Example (rule for namespaced DNSNames):

        rule: self.endsWith(cr.namespace + '.svc.cluster.local')

message (string, optional): Message is the message to display when validation fails. Message is required if the Rule contains line breaks. Note that Message must not contain line breaks. If unset, a fallback message is used: "failed rule: <rule>". Example: "must be a URL with the host matching spec.host".

CertificateRequestPolicy.spec.allowed.subject.postalCodes

PostalCodes defines the X.509 Subject Postal Codes that may be requested.

required (boolean, optional): Required controls whether the related field must have at least one value. Defaults to false.

validations ([]object, optional): Validations applies rules written in Common Expression Language (CEL) to validate the attribute values present on a request beyond what can be expressed using values/required. ALL attribute values on the related CertificateRequest field must pass ALL validations for the request to be granted by this policy.

values ([]string, optional): Values defines the allowed attribute values on the related CertificateRequest field. Accepts wildcards "*". If set, the related field can only include items contained in the allowed values.

    NOTE: values: [] paired with required: true establishes a policy that will never grant a CertificateRequest, but other policies may. TODO: add x-kubernetes-list-type: set in v1alpha2

CertificateRequestPolicy.spec.allowed.subject.postalCodes.validations[index]

ValidationRule describes a validation rule expressed in CEL.

rule (string, required): Rule represents the expression which will be evaluated by CEL (ref: https://github.com/google/cel-spec). The Rule is scoped to the location of the validations in the schema. The self variable in the CEL expression is bound to the scoped value. To enable more advanced validation rules, approver-policy provides the cr (map) variable to the CEL expression, containing the namespace and name of the CertificateRequest resource.

    Example (rule for namespaced DNSNames):

        rule: self.endsWith(cr.namespace + '.svc.cluster.local')

message (string, optional): Message is the message to display when validation fails. Message is required if the Rule contains line breaks. Note that Message must not contain line breaks. If unset, a fallback message is used: "failed rule: <rule>". Example: "must be a URL with the host matching spec.host".

CertificateRequestPolicy.spec.allowed.subject.provinces

Provinces defines the X.509 Subject Provinces that may be requested.

required (boolean, optional): Required controls whether the related field must have at least one value. Defaults to false.

validations ([]object, optional): Validations applies rules written in Common Expression Language (CEL) to validate the attribute values present on a request beyond what can be expressed using values/required. ALL attribute values on the related CertificateRequest field must pass ALL validations for the request to be granted by this policy.

values ([]string, optional): Values defines the allowed attribute values on the related CertificateRequest field. Accepts wildcards "*". If set, the related field can only include items contained in the allowed values.

    NOTE: values: [] paired with required: true establishes a policy that will never grant a CertificateRequest, but other policies may. TODO: add x-kubernetes-list-type: set in v1alpha2

CertificateRequestPolicy.spec.allowed.subject.provinces.validations[index]

ValidationRule describes a validation rule expressed in CEL.

rule (string, required): Rule represents the expression which will be evaluated by CEL (ref: https://github.com/google/cel-spec). The Rule is scoped to the location of the validations in the schema. The self variable in the CEL expression is bound to the scoped value. To enable more advanced validation rules, approver-policy provides the cr (map) variable to the CEL expression, containing the namespace and name of the CertificateRequest resource.

    Example (rule for namespaced DNSNames):

        rule: self.endsWith(cr.namespace + '.svc.cluster.local')

message (string, optional): Message is the message to display when validation fails. Message is required if the Rule contains line breaks. Note that Message must not contain line breaks. If unset, a fallback message is used: "failed rule: <rule>". Example: "must be a URL with the host matching spec.host".

CertificateRequestPolicy.spec.allowed.subject.serialNumber

SerialNumber defines the X.509 Subject Serial Number that may be requested.

required (boolean, optional): Required marks that the related field must be provided and not be an empty string. Defaults to false.

validations ([]object, optional): Validations applies rules written in Common Expression Language (CEL) to validate the attribute value present on a request beyond what can be expressed using value/required. The attribute value on the related CertificateRequest field must pass ALL validations for the request to be granted by this policy.

value (string, optional): Value defines the allowed attribute value on the related CertificateRequest field. Accepts wildcards "*". If set, the related field must match the specified pattern.

    NOTE: value: "" paired with required: true establishes a policy that will never grant a CertificateRequest, but other policies may.

CertificateRequestPolicy.spec.allowed.subject.serialNumber.validations[index]

ValidationRule describes a validation rule expressed in CEL.

rule (string, required): Rule represents the expression which will be evaluated by CEL (ref: https://github.com/google/cel-spec). The Rule is scoped to the location of the validations in the schema. The self variable in the CEL expression is bound to the scoped value. To enable more advanced validation rules, approver-policy provides the cr (map) variable to the CEL expression, containing the namespace and name of the CertificateRequest resource.

    Example (rule for namespaced DNSNames):

        rule: self.endsWith(cr.namespace + '.svc.cluster.local')

message (string, optional): Message is the message to display when validation fails. Message is required if the Rule contains line breaks. Note that Message must not contain line breaks. If unset, a fallback message is used: "failed rule: <rule>". Example: "must be a URL with the host matching spec.host".

CertificateRequestPolicy.spec.allowed.subject.streetAddresses

StreetAddresses defines the X.509 Subject Street Addresses that may be requested.

required (boolean, optional): Required controls whether the related field must have at least one value. Defaults to false.

validations ([]object, optional): Validations applies rules written in Common Expression Language (CEL) to validate the attribute values present on a request beyond what can be expressed using values/required. ALL attribute values on the related CertificateRequest field must pass ALL validations for the request to be granted by this policy.

values ([]string, optional): Values defines the allowed attribute values on the related CertificateRequest field. Accepts wildcards "*". If set, the related field can only include items contained in the allowed values.

    NOTE: values: [] paired with required: true establishes a policy that will never grant a CertificateRequest, but other policies may. TODO: add x-kubernetes-list-type: set in v1alpha2

CertificateRequestPolicy.spec.allowed.subject.streetAddresses.validations[index]

ValidationRule describes a validation rule expressed in CEL.

rule (string, required): Rule represents the expression which will be evaluated by CEL (ref: https://github.com/google/cel-spec). The Rule is scoped to the location of the validations in the schema. The self variable in the CEL expression is bound to the scoped value. To enable more advanced validation rules, approver-policy provides the cr (map) variable to the CEL expression, containing the namespace and name of the CertificateRequest resource.

    Example (rule for namespaced DNSNames):

        rule: self.endsWith(cr.namespace + '.svc.cluster.local')

message (string, optional): Message is the message to display when validation fails. Message is required if the Rule contains line breaks. Note that Message must not contain line breaks. If unset, a fallback message is used: "failed rule: <rule>". Example: "must be a URL with the host matching spec.host".

CertificateRequestPolicy.spec.allowed.uris

URIs defines the X.509 URI SANs that may be requested.

required (boolean, optional): Required controls whether the related field must have at least one value. Defaults to false.

validations ([]object, optional): Validations applies rules written in Common Expression Language (CEL) to validate the attribute values present on a request beyond what can be expressed using values/required. ALL attribute values on the related CertificateRequest field must pass ALL validations for the request to be granted by this policy.

values ([]string, optional): Values defines the allowed attribute values on the related CertificateRequest field. Accepts wildcards "*". If set, the related field can only include items contained in the allowed values.

    NOTE: values: [] paired with required: true establishes a policy that will never grant a CertificateRequest, but other policies may. TODO: add x-kubernetes-list-type: set in v1alpha2

CertificateRequestPolicy.spec.allowed.uris.validations[index]

ValidationRule describes a validation rule expressed in CEL.

rule (string, required)

Rule represents the expression which will be evaluated by CEL (ref: https://github.com/google/cel-spec). The Rule is scoped to the location of the validations in the schema. The self variable in the CEL expression is bound to the scoped value. To enable more advanced validation rules, approver-policy provides the cr (map) variable to the CEL expression, containing the namespace and name of the CertificateRequest resource.

Example (rule for namespaced DNSNames):

rule: self.endsWith(cr.namespace + '.svc.cluster.local')

message (string, optional)

Message is the message to display when validation fails. Message is required if the Rule contains line breaks. Note that Message must not contain line breaks. If unset, a fallback message is used: "failed rule: <rule>". e.g. "must be a URL with the host matching spec.host"

CertificateRequestPolicy.spec.constraints

Constraints define fields that must be satisfied by a CertificateRequest for the request to be allowed by this policy. Omitted fields place no restrictions on the corresponding attribute in a request.

maxDuration (string, optional)

MaxDuration defines the maximum duration for a certificate request. Values are inclusive (i.e. a value of 1h will accept a duration of 1h). MinDuration and MaxDuration may be the same value. If set, a duration must be requested in the CertificateRequest. An omitted field applies no maximum constraint for duration.

minDuration (string, optional)

MinDuration defines the minimum duration for a certificate request. Values are inclusive (i.e. a value of 1h will accept a duration of 1h). MinDuration and MaxDuration may be the same value. If set, a duration must be requested in the CertificateRequest. An omitted field applies no minimum constraint for duration.

privateKey (object, optional)

PrivateKey defines constraints on the shape of private key allowed for a CertificateRequest. An omitted field applies no private key shape constraints.

CertificateRequestPolicy.spec.constraints.privateKey

PrivateKey defines constraints on the shape of private key allowed for a CertificateRequest. An omitted field applies no private key shape constraints.

algorithm (enum, optional)

Algorithm defines the allowed crypto algorithm for the private key in a request. An omitted field permits any algorithm.

Enum: RSA, ECDSA, Ed25519

maxSize (integer, optional)

MaxSize defines the maximum key size for a private key. Values are inclusive (i.e. a max value of 2048 will accept a size of 2048). MaxSize and MinSize may be the same value. An omitted field applies no maximum constraint on size.

minSize (integer, optional)

MinSize defines the minimum key size for a private key. Values are inclusive (i.e. a min value of 2048 will accept a size of 2048). MinSize and MaxSize may be the same value. An omitted field applies no minimum constraint on size.
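A complete policy that exercises the CEL validation rules described above (the self and cr variables, scoped to each URI SAN) together with the constraints fields of this section, as an added example that is not part of the reference itself. The selector sub-field issuerRef is documented in the selector section of this reference rather than here; the policy name, SPIFFE trust domain, duration bounds and key sizes are constructed values.

```yaml
apiVersion: policy.cert-manager.io/v1alpha1
kind: CertificateRequestPolicy
metadata:
  name: namespaced-spiffe-uris   # constructed name
spec:
  # selector is required (see the selector section); issuerRef is assumed
  # here with an empty body, which is the "match any issuer" form.
  selector:
    issuerRef: {}
  allowed:
    uris:
      # at least one URI SAN must be present in the request
      required: true
      # every requested URI must match one of the allowed values ("*" wildcard)
      values:
        - "spiffe://cluster.local/ns/*/sa/*"
      # ...and every requested URI must also pass every validation rule.
      # self is bound to one URI SAN; cr.namespace is the namespace of the
      # CertificateRequest, so a workload can only request IDs in its own namespace.
      validations:
        - rule: "self.startsWith('spiffe://cluster.local/ns/' + cr.namespace + '/sa/')"
          message: "URI SAN must be a SPIFFE ID in the requesting namespace"
  constraints:
    # bounds are inclusive: exactly 1h and exactly 24h are both accepted.
    # Because either bound is set, a request that omits duration is denied.
    minDuration: 1h
    maxDuration: 24h
    privateKey:
      # only ECDSA keys of 256..384 bits (inclusive) satisfy this policy
      algorithm: ECDSA
      minSize: 256
      maxSize: 384
```

Swapping values for an empty list while keeping required: true would, as the NOTE in the uris section states, turn this into a policy that can never grant a request on its own.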

CertificateRequestPolicy.spec.plugins[key]

CertificateRequestPolicyPluginData is configuration needed by the plugin approver to evaluate a CertificateRequest on this policy.

values (map[string]string, optional)

Values define a set of key-value pairs, well-known to the plugin, that are required for the plugin to successfully evaluate a request based on this policy.

CertificateRequestPolicy.status

CertificateRequestPolicyStatus defines the observed state of the CertificateRequestPolicy.

conditions ([]object, optional)

List of status conditions to indicate the status of the CertificateRequestPolicy. Known condition types are Ready.

CertificateRequestPolicy.status.conditions[index]

CertificateRequestPolicyCondition contains condition information for a CertificateRequestPolicyStatus.

status (string, required)

Status of the condition, one of ('True', 'False', 'Unknown').

type (string, required)

Type of the condition, known values are (Ready).

lastTransitionTime (string, optional)

LastTransitionTime is the timestamp corresponding to the last status change of this condition.

Format: date-time

message (string, optional)

Message is a human readable description of the details of the last transition, complementing reason.

observedGeneration (integer, optional)

If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the CertificateRequestPolicy.

Format: int64

reason (string, optional)

Reason is a brief machine readable explanation for the condition's last transition.