feat: add SubjectExpression CEL field to Identity for dynamic keyless signing#64
Open
jzeng4 wants to merge 1 commit intokyverno:mainfrom
Open
feat: add SubjectExpression CEL field to Identity for dynamic keyless signing#64jzeng4 wants to merge 1 commit intokyverno:mainfrom
jzeng4 wants to merge 1 commit intokyverno:mainfrom
Conversation
jzeng4
force-pushed
the
juzeng/cel
branch
2 times, most recently
from
3faccc1 to
37ae598
Compare
… signing Add a new optional SubjectExpression field to the Identity struct, which accepts a CEL expression evaluated at admission time. The result is used as a regexp match against the certificate SAN URI, enabling dynamic subject matching (e.g. based on namespace or image name) without changing existing Subject/SubjectRegExp fields. Signed-off-by: Junyuan Zeng <jzeng04@gmail.com>
9 tasks
fjogeleit
approved these changes
Mar 19, 2026
Author
|
@eddycharly Could you take a look and merge when you get a chance? This has been approved by @fjogeleit. Thanks! |
NETIZEN-11
added a commit
to NETIZEN-11/kyverno
that referenced
this pull request
Mar 29, 2026
…ession Update the Identity struct in the kyverno/api local fork so that Subject and SubjectRegExp accept either a static string value or a CEL expression, matching the pattern already used by cert/certChain. - Subject string -> Subject *StringOrExpression - SubjectRegExp string -> SubjectRegExp *StringOrExpression - Update DeepCopyInto to handle the new pointer fields - Add go.mod replace directive pointing to local fork Implements: kyverno/api#64 Related: kyverno#15398 Signed-off-by: NETIZEN_11 <niteshkumar121411@gmail.com>
NETIZEN-11
added a commit
to NETIZEN-11/kyverno
that referenced
this pull request
Mar 30, 2026
- Remove local ../kyverno-api replace directive; use jzeng4/api VCS pseudo-version (kyverno/api#64) so CI can resolve the dependency - Adapt code to jzeng4/api API design: SubjectExpression string field instead of Subject/SubjectRegExp as *StringOrExpression - Fix CompileAttestors: remove identity compilation using wrong env; identity expressions are compiled via CompileAttestorIdentities with the dedicated NewIdentityExprEnv() only - Fix identPath in CompileAttestorIdentities: add missing 'cosign' segment so field errors point to correct path - Remove stale 'no-op' NOTE comment from CompileAttestorIdentities - Fix ImageKey constant: alias ImageDataKey instead of duplicating the string literal to avoid ambiguity - Update all tests to use plain string fields and SubjectExpression
NETIZEN-11
added a commit
to NETIZEN-11/kyverno
that referenced
this pull request
Mar 30, 2026
…ession Update the Identity struct in the kyverno/api local fork so that Subject and SubjectRegExp accept either a static string value or a CEL expression, matching the pattern already used by cert/certChain. - Subject string -> Subject *StringOrExpression - SubjectRegExp string -> SubjectRegExp *StringOrExpression - Update DeepCopyInto to handle the new pointer fields - Add go.mod replace directive pointing to local fork Implements: kyverno/api#64 Related: kyverno#15398 Signed-off-by: NETIZEN_11 <niteshkumar121411@gmail.com>
NETIZEN-11
added a commit
to NETIZEN-11/kyverno
that referenced
this pull request
Mar 30, 2026
- Remove local ../kyverno-api replace directive; use jzeng4/api VCS pseudo-version (kyverno/api#64) so CI can resolve the dependency - Adapt code to jzeng4/api API design: SubjectExpression string field instead of Subject/SubjectRegExp as *StringOrExpression - Fix CompileAttestors: remove identity compilation using wrong env; identity expressions are compiled via CompileAttestorIdentities with the dedicated NewIdentityExprEnv() only - Fix identPath in CompileAttestorIdentities: add missing 'cosign' segment so field errors point to correct path - Remove stale 'no-op' NOTE comment from CompileAttestorIdentities - Fix ImageKey constant: alias ImageDataKey instead of duplicating the string literal to avoid ambiguity - Update all tests to use plain string fields and SubjectExpression Signed-off-by: NETIZEN_11 <niteshkumar121411@gmail.com>
NETIZEN-11
added a commit
to NETIZEN-11/kyverno
that referenced
this pull request
Mar 30, 2026
…ession Update the Identity struct in the kyverno/api local fork so that Subject and SubjectRegExp accept either a static string value or a CEL expression, matching the pattern already used by cert/certChain. - Subject string -> Subject *StringOrExpression - SubjectRegExp string -> SubjectRegExp *StringOrExpression - Update DeepCopyInto to handle the new pointer fields - Add go.mod replace directive pointing to local fork Implements: kyverno/api#64 Related: kyverno#15398 Signed-off-by: NETIZEN_11 <niteshkumar121411@gmail.com>
NETIZEN-11
added a commit
to NETIZEN-11/kyverno
that referenced
this pull request
Mar 30, 2026
- Remove local ../kyverno-api replace directive; use jzeng4/api VCS pseudo-version (kyverno/api#64) so CI can resolve the dependency - Adapt code to jzeng4/api API design: SubjectExpression string field instead of Subject/SubjectRegExp as *StringOrExpression - Fix CompileAttestors: remove identity compilation using wrong env; identity expressions are compiled via CompileAttestorIdentities with the dedicated NewIdentityExprEnv() only - Fix identPath in CompileAttestorIdentities: add missing 'cosign' segment so field errors point to correct path - Remove stale 'no-op' NOTE comment from CompileAttestorIdentities - Fix ImageKey constant: alias ImageDataKey instead of duplicating the string literal to avoid ambiguity - Update all tests to use plain string fields and SubjectExpression Signed-off-by: NETIZEN_11 <niteshkumar121411@gmail.com>
Author
|
@fjogeleit — could you please share the plan or timeline for merging and releasing this version with the PR included? Thank you! |
lucchmielowski
approved these changes
Apr 13, 2026
aerosouund
approved these changes
Apr 13, 2026
JimBugwadia
approved these changes
Apr 13, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
subjectExpressionfield to theIdentitystruct inImageValidatingPolicysubject,subjectRegExp,issuer, andissuerRegExpfields are unchangedmessage/messageExpressionconvention used elsewhere in KyvernoMotivation
When verifying keyless (Fulcio/Sigstore) image signatures in multi-tenant clusters, the expected certificate SAN URI often needs to be derived from runtime context — for example, the namespace of the requesting object or the image reference itself. The static
subjectRegExpfield cannot express this.Related issue
Fixes kyverno/kyverno#15398
Next PR: kyverno/kyverno#15479
Example
Test plan
pkg/imageverification/variables/attestors_test.gocover static values, subject-from-namespace, subject-from-image, and error cases