Inspect CertificateSigningRequest
The Kubernetes API includes a CertificateSigningRequest resource which can be used to generate a certificate for an entity. Because this API can be abused to create a long-lived credential, it is important to audit it to understand who or what is creating these CSRs and for which actors the certificates are being requested. This policy, intended to always run in Audit mode and produce failure results in a Policy Report, inspects every incoming CertificateSigningRequest and writes into the Policy Report who or what requested it, along with the Subject information parsed from the CSR itself.
Policy Definition
/other/inspect-csr/inspect-csr.yaml
```yaml
apiVersion: kyverno.io/v2beta1
kind: ClusterPolicy
metadata:
  name: inspect-csr
  annotations:
    policies.kyverno.io/title: Inspect CertificateSigningRequest
    policies.kyverno.io/category: Other
    policies.kyverno.io/subject: CertificateSigningRequest
    policies.kyverno.io/minversion: 1.10.0
    kyverno.io/kubernetes-version: "1.26"
    policies.kyverno.io/description: >-
      The Kubernetes API includes a CertificateSigningRequest resource which can be used to
      generate a certificate for an entity. Because this API can be abused to create a long-lived
      credential, it is important to be able to audit this API to understand who/what is creating
      these CSRs and for what actors they are being created. This policy, intended to always be run
      in Audit mode and produce failure results in a Policy Report, inspects all incoming CertificateSigningRequests
      and writes out into the Policy Report information on who/what requested it and parsing the CSR
      to show the Subject information of that CSR resource.
spec:
  background: false
  validationFailureAction: Audit
  rules:
  - name: csr
    match:
      any:
      - resources:
          kinds:
          - CertificateSigningRequest
    validate:
      message: >-
        A CSR was created by {{ request.userInfo | to_string(@) }}
        holding ClusterRoles {{ request.clusterRoles | to_string(@) }}
        and Roles {{ request.roles | to_string(@) }}.
        The subjects and groups requested in the CSR were "{{ x509_decode(base64_decode('{{ request.object.spec.request }}')).Subject | to_string(@) }}"
      deny: {}
```