Limit dnsNames
Some applications will not accept certificates containing more than a single name. This policy ensures that each certificate request contains only one DNS name entry.
Policy Definition
/cert-manager/limit-dnsnames.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: cert-manager-limit-dnsnames
  annotations:
    policies.kyverno.io/title: Limit dnsNames
    policies.kyverno.io/category: Cert-Manager
    policies.kyverno.io/severity: medium
    policies.kyverno.io/minversion: 1.3.6
    policies.kyverno.io/subject: Certificate
    policies.kyverno.io/description: >-
      Some applications will not accept certificates containing more than a single name.
      This policy ensures that each certificate request contains
      only one DNS name entry.
spec:
  # audit: violations are reported, but the request is still admitted
  validationFailureAction: audit
  background: false
  rules:
  - name: limit-dnsnames
    match:
      resources:
        kinds:
        - Certificate
    # The rule only fires when spec.dnsNames holds more than one entry
    preconditions:
      any:
      - key: "{{request.object.spec.dnsNames | length(@)}}"
        operator: GreaterThan
        value: "1"
    validate:
      message: Only one dnsNames entry allowed per certificate request.
      # Unconditional deny for every request that met the precondition
      deny: {}
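Two cert-manager Certificate manifests showing what the rule matches, as an added example that is not part of the policy page itself. All names, namespaces and the issuer reference are constructed for illustration.

```yaml
# Not matched by the precondition: dnsNames has exactly one entry,
# so length(@) is 1 and "GreaterThan 1" is false.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: single-name-cert          # constructed name
  namespace: demo                 # constructed namespace
spec:
  secretName: single-name-tls
  dnsNames:
  - app.example.com
  issuerRef:
    name: example-issuer          # constructed issuer
    kind: ClusterIssuer
---
# Matched by the precondition: dnsNames has two entries, so length(@) is 2
# and the deny block applies. With validationFailureAction: audit the
# Certificate is still admitted and the violation is only reported;
# the request is rejected only if the action is changed to enforce.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: multi-name-cert           # constructed name
  namespace: demo
spec:
  secretName: multi-name-tls
  dnsNames:
  - app.example.com
  - www.app.example.com
  issuerRef:
    name: example-issuer
    kind: ClusterIssuer
```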