Using custom certificate authorities
Custom Certificate Authorities for Policy registries
It is possible to specify and configure the Certificate Authorities that a PolicyServer uses when pulling the ClusterAdmissionPolicy artifacts from the policy registry. The following spec fields configure the deployed policy-server executable to that effect.
Insecure sources
The default behavior of kwctl and policy-server is to enforce HTTPS with trusted certificates matching the system CA store. You can interact with registries using untrusted certificates, or even without TLS, by using the insecure_sources setting. This approach is highly discouraged for environments closer to production.
To configure the PolicyServer to accept insecure connections to specific registries, use the spec.insecureSources field of PolicyServer. This field accepts a list of URIs to be regarded as insecure. Example:
spec:
  insecureSources:
    - localhost:5000
    - host.k3d.internal:5000
See here for more information on how the policy-server executable treats them.
Custom Certificate Authorities
To configure the PolicyServer with a custom certificate chain of 1 or more certificates for a specific URI, use the field spec.sourceAuthorities. This field is a map of URIs, each with its own list of strings that contain PEM encoded certificates. Example:
spec:
  sourceAuthorities:
    "registry-pre.example.com":
      - |
        -----BEGIN CERTIFICATE-----
        ca-pre1-1 PEM cert
        -----END CERTIFICATE-----
      - |
        -----BEGIN CERTIFICATE-----
        ca-pre1-2 PEM cert
        -----END CERTIFICATE-----
    "registry-pre2.example.com:5500":
      - |
        -----BEGIN CERTIFICATE-----
        ca-pre2 PEM cert
        -----END CERTIFICATE-----
See here for more information on how the policy-server executable treats them.