
Limit number of SANs by policy #394

Open
paddy667 opened this issue Mar 4, 2024 · 3 comments

Comments

@paddy667

paddy667 commented Mar 4, 2024

Hi all,

I've seen some discussion on the subject here. I'm wondering if this is possible yet? I want to limit the number of SANs in a certificate to ~10, but I'm not sure how to access the DNSNames list.

Thanks in advance!

@erikgb
Contributor

erikgb commented Mar 4, 2024

This is a good use case for CEL, but the current CEL support in approver-policy is per value in request attributes. So I don't think this is possible to enforce with approver-policy at present.

@paddy667
Author

paddy667 commented Mar 5, 2024

For now I have a workaround using Gatekeeper. I've included the manifests below. What was interesting is that Gatekeeper uses rego for generating violations and I see in the documentation that the approver-policy can also use rego as a plugin. I assume I would have to rebuild approver-policy with rego though, but it would be nice if I could include my violation code in the CertificateRequestPolicy.

```yaml
# ConstraintTemplate: defines the LimitDNSNames kind and the Rego that produces violations
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: limitdnsnames
spec:
  crd:
    spec:
      names:
        kind: LimitDNSNames
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package limitdnsnames

        # Deny any cert-manager Certificate whose dnsNames list holds more than 10 entries
        violation[{"msg": msg}] {
          input.review.object.kind == "Certificate"
          dnsNames := input.review.object.spec.dnsNames
          SANcount := count(dnsNames)
          SANcount > 10
          msg := sprintf("certificate has %v dnsNames, which is more than 10", [SANcount])
        }
---
# Constraint: applies the template to cert-manager Certificate objects
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: LimitDNSNames
metadata:
  name: limit-dns-names
spec:
  match:
    kinds:
      - apiGroups: ["cert-manager.io"]
        kinds: ["Certificate"]
```

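Added example (not part of the original issue or the approver-policy project): an OPA unit-test file for the `limitdnsnames` package above, covering the boundary at 10 names, the denial at 11, a non-Certificate kind, and a Certificate with no `dnsNames` at all. It is written in the same v0 Rego syntax as the template, assumes the template's `rego` body has been saved as `limitdnsnames.rego` beside it, and the `cert_input`/`hosts` helpers and the `example.com` hostnames are constructed here for the test.

```rego
package limitdnsnames

# Constructed AdmissionReview-shaped input; a real review carries more fields,
# but the policy only reads review.object.kind and review.object.spec.dnsNames.
cert_input(kind, names) = {"review": {"object": {"kind": kind, "spec": {"dnsNames": names}}}}

# Constructed hostnames host1.example.com ... hostN.example.com
hosts(n) = [sprintf("host%d.example.com", [i]) | i := numbers.range(1, n)[_]]

# Exactly 10 SANs is the ceiling the message documents and must be admitted.
test_ten_names_allowed {
  count(violation) == 0 with input as cert_input("Certificate", hosts(10))
}

# 11 SANs breaches the limit: exactly one violation, with the count in the message.
test_eleven_names_denied {
  v := violation with input as cert_input("Certificate", hosts(11))
  count(v) == 1
  v[_].msg == "certificate has 11 dnsNames, which is more than 10"
}

# Objects of another kind are ignored regardless of their SAN count.
test_other_kind_ignored {
  count(violation) == 0 with input as cert_input("Issuer", hosts(50))
}

# A Certificate without dnsNames (for example IP or URI SANs only) must neither
# error nor be denied: the rule body is simply undefined for that input.
test_missing_dnsnames_allowed {
  count(violation) == 0 with input as {"review": {"object": {"kind": "Certificate", "spec": {}}}}
}
```

Run with `opa test limitdnsnames.rego limitdnsnames_test.rego` (on OPA 1.x add `--v0-compatible` for the v0 syntax). Note that the constraint only matches `Certificate` objects, so a `CertificateRequest` created directly, which is what approver-policy evaluates, is not covered by this check.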
@erikgb
Contributor

erikgb commented Mar 5, 2024

Using Gatekeeper (or Kyverno) policies to do this is a good workaround. I don't think I personally would support adding Rego-support to the core of approver-policy. I consider Rego inferior to CEL, and we already added CEL to the core. A plugin is always an alternative, but a bit awkward to use IMO. Mainly because the approver-policy image must be rebuilt.
