Skip to content

Approver Policy Enterprise common configuration scenarios

This page describes common use cases and integrations that might help to bolster your certificate security.

Deny all by Default

Usually you want your firewall rules to block/deny all requests unless they appear on the allow list. In Approver Policy Enterprise, you can achieve this by creating a policy that is impossible to satisfy and binding that policy to all identities in the cluster.

A request is only denied if it meets none of the policy profile requirements it is bound to. In other words, if another policy allows the request then it will be approved. By creating a deny all policy, no request is kept in a state where it has neither an approved or denied condition.

cat <<EOF | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-policy:deny-all
rules:
  - apiGroups: ["policy.cert-manager.io"]
    resources: ["certificaterequestpolicies"]
    verbs: ["use"]
    resourceNames: ["deny-all"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-policy:deny-all
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-policy:deny-all
subjects:
- kind: Group
  name: system:authenticated
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: policy.cert-manager.io/v1alpha1
kind: CertificateRequestPolicy
metadata:
  name: deny-all
spec:
  constraints:
    privateKey:
      # This is an impossible constraint!
      algorithm: RSA
      maxSize: 0
  selector:
    # Select on all issuers.
    issuerRef: {}
EOF

Combining Policy with the CSI Driver and Token Request

The cert-manager CSI Driver allows Pods to mount cert-manager certificate key pairs as volumes. By default, the CSI driver creates certificate requests so the driver behaves as the requester.

You can use the --use-token-request flag which allows the driver to impersonate the mounting Pod's Service Account. This allows the Pod to become the requester. You can then write complex policy rules based on the identity of the deployments that ingest the key pairs.

To get started, first install the CSI Driver.

Related links