Common scenarios

Common scenarios for approver-policy



This page describes common use cases and integrations for approver-policy that can help you strengthen your certificate security.

Deny all by Default

Like firewall rules, it is often the case that you want to block/deny all requests unless they appear on the allow list. In approver-policy, we can achieve this by creating a policy that is impossible to satisfy and binding that policy to all identities in the cluster.

Remember that a request is only denied if it satisfies none of the policies it is bound to, so if any other bound policy allows the request, it will be approved. Creating a deny-all policy ensures that no request is left in a state where it has neither an approved nor a denied condition.

cat <<EOF | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-policy:deny-all
rules:
  - apiGroups: ["policy.cert-manager.io"]
    resources: ["certificaterequestpolicies"]
    verbs: ["use"]
    resourceNames: ["deny-all"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-policy:deny-all
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-policy:deny-all
subjects:
  - kind: Group
    name: system:authenticated
    apiGroup: rbac.authorization.k8s.io
---
apiVersion: policy.cert-manager.io/v1alpha1
kind: CertificateRequestPolicy
metadata:
  name: deny-all
spec:
  constraints:
    privateKey:
      # This is an impossible constraint!
      algorithm: RSA
      maxSize: 0
  selector:
    # Select on all issuers.
    issuerRef: {}
EOF

Combining Policy with the CSI Driver and Token Request

The cert-manager csi-driver is a CSI driver that allows Pods to mount cert-manager certificate key pairs as volumes. By default, the CSI driver will create CertificateRequests so the driver behaves as the requester.

We can use the --use-token-request flag, which lets the driver impersonate the mounting Pod's ServiceAccount so that the Pod becomes the requester. This lets us write fine-grained policy rules based on the identity of the workloads that consume these key pairs.
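As an added example (not from the page or the approver-policy project), the following allow-list policy complements the deny-all policy above: it is bound only to the ServiceAccount `web` in the namespace `apps`, so a CertificateRequest created by the CSI driver on that Pod's behalf (with --use-token-request) can only obtain a short-lived ECDSA serving certificate for two fixed names from an assumed `internal-ca` ClusterIssuer, while requests from any other identity match only deny-all and are denied. The namespace, ServiceAccount, DNS names and issuer name are assumptions.

```yaml
apiVersion: policy.cert-manager.io/v1alpha1
kind: CertificateRequestPolicy
metadata:
  name: web-serving-only
spec:
  allowed:
    # Exact names the workload may request (assumed values); a request
    # without any dnsNames is rejected because required is set.
    dnsNames:
      values: ["web.apps.svc", "web.apps.svc.cluster.local"]
      required: true
    usages:
      - server auth
  constraints:
    privateKey:
      algorithm: ECDSA
      minSize: 256
      maxSize: 384
    # Cap the lifetime so a leaked key pair is short-lived.
    maxDuration: 24h
  selector:
    issuerRef:
      name: internal-ca        # assumed ClusterIssuer name
      kind: ClusterIssuer
      group: cert-manager.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-policy:web-serving-only
rules:
  - apiGroups: ["policy.cert-manager.io"]
    resources: ["certificaterequestpolicies"]
    verbs: ["use"]
    resourceNames: ["web-serving-only"]
---
# A namespaced RoleBinding (not a ClusterRoleBinding) limits the policy to
# requests made in the "apps" namespace by the "web" ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cert-manager-policy:web-serving-only
  namespace: apps
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-policy:web-serving-only
subjects:
  - kind: ServiceAccount
    name: web
    namespace: apps
```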

To get started, first install the CSI driver.
