Back to Policies

Certificate max duration 100 days

Kubernetes managed non-letsencrypt certificates have to be renewed in every 100 days.

View on GitHub

Policy Definition 

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: cert-manager-limit-duration
  annotations:
    policies.kyverno.io/title: Certificate max duration 100 days
    policies.kyverno.io/category: Cert-Manager
    policies.kyverno.io/severity: medium
    policies.kyverno.io/minversion: 1.6.0
    policies.kyverno.io/subject: Certificate
    policies.kyverno.io/description: Kubernetes managed non-letsencrypt certificates have to be renewed in every 100 days.
spec:
  validationFailureAction: Audit
  background: false
  rules:
    - name: certificate-duration-max-100days
      match:
        any:
          - resources:
              kinds:
                - Certificate
      preconditions:
        all:
          - key: "{{ contains(request.object.spec.issuerRef.name, 'letsencrypt') }}"
            operator: Equals
            value: false
          - key: "{{ request.object.spec.duration }}"
            operator: NotEquals
            value: ""
      validate:
        message: certificate duration must be < than 2400h (100 days)
        deny:
          conditions:
            all:
              - key: "{{ max( [ to_number(regex_replace_all('h.*',request.object.spec.duration,'')), to_number('2400') ] ) }}"
                operator: NotEquals
                value: 2400

Related Policies

ValidateMedium

Prevent Use of Default Project in CEL expressions

This policy prevents the use of the default project in an Application.

Application
ValidateMedium

Prevent Updates to Project in CEL expressions

This policy prevents updates to the project field after an Application is created.

Application
ValidateMedium

Ensure ApplicationSet Name Matches Project in CEL expressions

This policy ensures that the name of the ApplicationSet is the same value provided in the project.

ApplicationSet