Restrict issuer
Certificates for trusted domains should always be steered to a controlled issuer to ensure the chain of trust is appropriate for that application. Users may otherwise be able to create their own issuers and sign certificates for other domains. This policy ensures that a certificate request for a specific domain uses a designated ClusterIssuer.
Policy Definition
/cert-manager/restrict-issuer/restrict-issuer.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: cert-manager-restrict-issuer
  annotations:
    policies.kyverno.io/title: Restrict issuer
    policies.kyverno.io/category: Cert-Manager
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Certificate
    policies.kyverno.io/description: >-
      Certificates for trusted domains should always be steered to a controlled issuer to
      ensure the chain of trust is appropriate for that application. Users may otherwise be
      able to create their own issuers and sign certificates for other domains. This policy
      ensures that a certificate request for a specific domain uses a designated ClusterIssuer.
spec:
  validationFailureAction: Audit
  background: true
  rules:
  - name: restrict-corp-cert-issuer
    match:
      any:
      - resources:
          kinds:
          - Certificate
    validate:
      message: When requesting a cert for this domain, you must use our corporate issuer.
      pattern:
        spec:
          (dnsNames): ["*.corp.com"]
          issuerRef:
            name: our-corp-issuer
            kind: ClusterIssuer
            group: cert-manager.io
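To see what the pattern above actually admits and rejects, here is an added example (not part of the policy page or the Kyverno project) that re-implements the rule's logic in Python and runs it over a few constructed Certificate manifests. The `(dnsNames)` conditional anchor is treated as triggered when any entry in `spec.dnsNames` matches the `*.corp.com` wildcard; that is an assumption made for this checker, chosen because a certificate carrying even one corporate SAN is the case the policy is meant to catch. The sample Certificates, their names and their issuer values are all constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# The pattern block of the policy, transcribed as Python data.
DOMAIN_PATTERN = "*.corp.com"          # value of the (dnsNames) conditional anchor
REQUIRED_ISSUER_REF = {                # every matching Certificate must carry exactly these fields
    "name": "our-corp-issuer",
    "kind": "ClusterIssuer",
    "group": "cert-manager.io",
}
MESSAGE = "When requesting a cert for this domain, you must use our corporate issuer."


def wildcard_match(pattern: str, value: str) -> bool:
    """Kyverno-style wildcard: '*' matches any run of characters, '?' exactly one."""
    regex = "^" + "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    ) + "$"
    return re.match(regex, value) is not None


def anchor_applies(cert: Dict) -> bool:
    """Assumption for this checker: the rule applies if any dnsNames entry matches the wildcard."""
    dns_names = cert.get("spec", {}).get("dnsNames") or []
    return any(wildcard_match(DOMAIN_PATTERN, name) for name in dns_names)


def validate(cert: Dict) -> Tuple[bool, str]:
    """Return (passed, reason) for one Certificate, mirroring the validate.pattern block."""
    if not anchor_applies(cert):
        return True, "skipped: no dnsNames entry matches %s" % DOMAIN_PATTERN
    issuer_ref = cert.get("spec", {}).get("issuerRef") or {}
    # A pattern field that is absent from the resource counts as a mismatch, not a pass.
    differing = [k for k, v in REQUIRED_ISSUER_REF.items() if issuer_ref.get(k) != v]
    if differing:
        return False, "%s (issuerRef fields differing: %s)" % (MESSAGE, ", ".join(differing))
    return True, "pass"


def audit(certs: List[Dict]) -> List[str]:
    """Names of non-compliant Certificates, the way an Audit-mode policy report would list them."""
    return [c["metadata"]["name"] for c in certs if not validate(c)[0]]


# Constructed sample Certificates (not real cluster objects).
GOOD_CERT = {
    "metadata": {"name": "api-gateway"},
    "spec": {"dnsNames": ["api.corp.com"],
             "issuerRef": {"name": "our-corp-issuer", "kind": "ClusterIssuer",
                           "group": "cert-manager.io"}},
}
BAD_ISSUER_CERT = {
    "metadata": {"name": "web-frontend"},
    "spec": {"dnsNames": ["www.example.com", "www.corp.com"],   # one corporate SAN is enough
             "issuerRef": {"name": "self-signed", "kind": "Issuer",
                           "group": "cert-manager.io"}},
}
MISSING_GROUP_CERT = {
    "metadata": {"name": "missing-group"},
    "spec": {"dnsNames": ["intranet.corp.com"],
             "issuerRef": {"name": "our-corp-issuer", "kind": "ClusterIssuer"}},
}
UNRELATED_CERT = {
    "metadata": {"name": "blog"},
    "spec": {"dnsNames": ["blog.example.org"],
             "issuerRef": {"name": "letsencrypt", "kind": "ClusterIssuer",
                           "group": "cert-manager.io"}},
}
SAMPLE_CERTS = [GOOD_CERT, BAD_ISSUER_CERT, MISSING_GROUP_CERT, UNRELATED_CERT]

if __name__ == "__main__":
    for cert in SAMPLE_CERTS:
        print(cert["metadata"]["name"], validate(cert))
    print("violations:", audit(SAMPLE_CERTS))
```

Two details worth noting: the wildcard `*.corp.com` does not match the bare apex `corp.com`, so a certificate for the apex alone is not covered by this rule as written, and because every field under `issuerRef` in the pattern must be present in the resource, a Certificate that omits `group` is reported even when name and kind are correct. With `validationFailureAction: Audit` the real policy only records these results in a policy report; switching to `Enforce` is what makes the admission request fail. Against a live policy file the equivalent check is `kyverno apply restrict-issuer.yaml --resource cert.yaml`.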