Enforce the tenant ClusterIssuer boundary with an admission policy #2470

Description

@devantler

🤖 Generated by the Daily AI Assistant

Problem. cert-manager-tenant-edit (PR #2453) scopes tenants to namespaced Issuers, but RBAC cannot stop a tenant Certificate from referencing a cluster-scoped ClusterIssuer via spec.issuerRef.kind: ClusterIssuer — the reference is resolved by cert-manager's controller, not the tenant's identity. The stated boundary ("ClusterIssuer remains platform territory") is currently convention, not enforcement. Raised by review on #2453.

Proposed direction. Runtime-enforce per the fix-vs-except ladder: a Kyverno validating ClusterPolicy on Certificate (and CertificateRequest) objects in tenant namespaces rejecting spec.issuerRef.kind != Issuer — Kyverno is already the platform's admission layer, so prefer it over adding cert-manager approver-policy as a new controller. Start in Audit, graduate to Enforce.

Rough size. Small-medium: one ClusterPolicy + tenant-namespace selector convention + validation.
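The policy sketched above, written out as an added example (not code from this issue or the repository); the tenant-namespace label `tenancy.example.com/tenant: "true"` and the policy name are assumptions standing in for whatever selector convention the platform settles on.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: tenant-issuerref-namespaced-only   # assumed name
spec:
  # Start in Audit (violations land in PolicyReports only); switch to
  # Enforce once existing tenant Certificates are clean.
  validationFailureAction: Audit
  rules:
    - name: deny-clusterissuer-ref
      match:
        any:
          - resources:
              # Cover both objects that carry spec.issuerRef.
              kinds:
                - cert-manager.io/v1/Certificate
                - cert-manager.io/v1/CertificateRequest
              # Assumed tenant-namespace convention: only namespaces
              # carrying this label are subject to the rule, so platform
              # namespaces keep using ClusterIssuers untouched.
              namespaceSelector:
                matchLabels:
                  tenancy.example.com/tenant: "true"
      validate:
        message: >-
          Tenant workloads may only reference namespaced Issuers:
          spec.issuerRef.kind must be Issuer (ClusterIssuer is platform territory).
        deny:
          conditions:
            any:
              # cert-manager treats an absent or empty issuerRef.kind as
              # Issuer, so default it the same way before comparing;
              # otherwise a valid Certificate without an explicit kind
              # would be reported as a violation.
              - key: "{{ request.object.spec.issuerRef.kind || 'Issuer' }}"
                operator: NotEquals
                value: Issuer
```

Apply it, create a Certificate with `spec.issuerRef.kind: ClusterIssuer` in a labelled namespace, and confirm a PolicyReport entry appears before flipping `validationFailureAction` to `Enforce`.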
