cert-manager / approver-policy

approver-policy is a cert-manager approver that allows users to define policies that restrict what certificates can be requested.
https://cert-manager.io/docs/policy/approval/approver-policy/
Apache License 2.0

Document How to Configure Common Scenarios #466

Open asaikali opened 3 months ago

asaikali commented 3 months ago

I have been studying the docs for the project and I am experimenting to learn how it works. I started out with what I thought was a simple requirement: I would like to configure cert-manager to deny all by default, then allow by explicit policy only. I am not sure exactly what the right way to do this is.

It would be very helpful to document common scenarios and how to configure them. Here is my take on common scenarios.

  1. Deny all requests for certs on the cluster by default, unless explicitly allowed by specific policy.

  2. Force the SAN of a certificate request to follow a pattern based on the pod / deployment / namespace. How do I enforce that there is 1 SAN and that the SAN includes the namespace and the deployment? I don't want to use SPIFFE, but I want to know that only the pod could have requested a cert with a specific name.

I noticed https://github.com/cert-manager/approver-policy/blob/main/docs/examples/default-deny-all.yaml, but it does not include any RBAC rules, and the docs claim that needs to be configured to get the policy to be evaluated.
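The following is an added example, not from the issue or the project, of the deny-by-default pattern asked about above together with the RBAC binding the referenced `default-deny-all.yaml` omits, plus one allow policy that pins DNS names to the requesting namespace. The issuer name, policy names and the availability of the CEL `validations` field in the installed version are assumptions.

```yaml
# Added example (not from the issue or the project). approver-policy approves a
# CertificateRequest only when at least one policy bound to the requester (RBAC
# verb "use") allows it, so a bound deny-all policy plus narrow allow policies
# gives deny-by-default. Issuer/policy names are placeholders; CEL is assumed.
apiVersion: policy.cert-manager.io/v1alpha1
kind: CertificateRequestPolicy
metadata:
  name: default-deny-all
spec:
  selector:
    issuerRef: {}   # matches every issuer; no "allowed" block, so nothing passes
---
apiVersion: policy.cert-manager.io/v1alpha1
kind: CertificateRequestPolicy
metadata:
  name: allow-namespaced-svc-names
spec:
  allowed:
    dnsNames:
      values: ["*"]
      validations:
        # cr.namespace is the namespace of the CertificateRequest under evaluation
        - rule: self.endsWith('.' + cr.namespace + '.svc.cluster.local')
          message: "DNS name must end with <namespace>.svc.cluster.local"
  selector:
    issuerRef:
      name: internal-ca        # placeholder issuer
      kind: ClusterIssuer
      group: cert-manager.io
---
# RBAC that default-deny-all.yaml omits. Certificate resources are turned into
# CertificateRequests by cert-manager itself, so its service account is the requester.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: use-approver-policies
rules:
  - apiGroups: ["policy.cert-manager.io"]
    resources: ["certificaterequestpolicies"]
    verbs: ["use"]
    resourceNames: ["default-deny-all", "allow-namespaced-svc-names"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-use-approver-policies
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: ClusterRole, name: use-approver-policies}
subjects:
  - {kind: ServiceAccount, name: cert-manager, namespace: cert-manager}
```

The CEL rule is evaluated per DNS name, so it constrains each SAN's value but does not by itself enforce that exactly one SAN is present. Requests whose requester is not bound to any policy, or that match only `default-deny-all`, are not approved.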