🤖 Generated by the Daily AI Assistant
Problem. `cert-manager-tenant-edit` (PR #2453) scopes tenants to namespaced Issuers, but RBAC cannot stop a tenant Certificate from referencing a cluster-scoped ClusterIssuer via `spec.issuerRef.kind: ClusterIssuer` — the reference is resolved by cert-manager's controller, not the tenant's identity. The stated boundary ("ClusterIssuer remains platform territory") is currently convention, not enforcement. Raised by review on #2453.
Proposed direction. Runtime-enforce per the fix-vs-except ladder: a Kyverno validating ClusterPolicy on Certificate (and CertificateRequest) objects in tenant namespaces rejecting `spec.issuerRef.kind != Issuer` — Kyverno is already the platform's admission layer, so prefer it over adding cert-manager approver-policy as a new controller. Start in Audit, graduate to Enforce.
Rough size. Small-medium: one ClusterPolicy + tenant-namespace selector convention + validation.
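One concrete shape for that ClusterPolicy, added here as an illustration and not code from PR #2453 or the platform repo. It assumes the tenant-namespace selector convention is a namespace label (the label key `platform/tenant` and the policy name are placeholders chosen for this example). It starts in `Audit` with `background: true` so existing Certificates and CertificateRequests in tenant namespaces show up in policy reports before the switch to `Enforce`, and it uses a `deny` condition with a JMESPath default rather than a `pattern` because `spec.issuerRef.kind` is optional in cert-manager and an absent kind means `Issuer`, which must not be flagged.

```yaml
# Added example: Kyverno ClusterPolicy that keeps tenant Certificate and
# CertificateRequest objects on namespaced Issuers. Not from the project.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: tenant-issuerref-namespaced-only   # placeholder name
spec:
  # Phase 1: Audit (violations recorded in PolicyReports, nothing rejected).
  # Phase 2: change to Enforce once the Audit reports are clean.
  validationFailureAction: Audit
  # Evaluate existing objects too, so the Audit phase surfaces current drift.
  background: true
  rules:
    - name: issuerref-kind-must-be-issuer
      match:
        any:
          - resources:
              kinds:
                - cert-manager.io/v1/Certificate
                - cert-manager.io/v1/CertificateRequest
              # Assumed tenant-namespace convention: a namespace label.
              namespaceSelector:
                matchLabels:
                  platform/tenant: "true"
      validate:
        message: >-
          Tenant namespaces may only reference namespaced Issuers:
          spec.issuerRef.kind must be 'Issuer' (ClusterIssuer is platform
          territory), got '{{ request.object.spec.issuerRef.kind || 'Issuer' }}'.
        deny:
          conditions:
            any:
              # Absent kind defaults to Issuer in cert-manager, so treat
              # "" / missing as Issuer and only deny an explicit other kind.
              - key: "{{ request.object.spec.issuerRef.kind || 'Issuer' }}"
                operator: NotEquals
                value: Issuer
```

Two checks worth doing during the Audit phase: confirm that the CertificateRequests cert-manager itself creates from tenant Certificates are matched as expected (they land in the tenant namespace and carry the same `issuerRef`), and confirm that no legitimate tenant object uses an external issuer kind, since this rule rejects every kind other than `Issuer`, not only `ClusterIssuer`.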