Skip to content

feat: add SubjectExpression CEL field to Identity for dynamic keyless signing#64

Open
jzeng4 wants to merge 3 commits intokyverno:mainfrom
jzeng4:juzeng/cel
Open

feat: add SubjectExpression CEL field to Identity for dynamic keyless signing#64
jzeng4 wants to merge 3 commits intokyverno:mainfrom
jzeng4:juzeng/cel

Conversation

@jzeng4
Copy link
Copy Markdown

@jzeng4 jzeng4 commented Mar 13, 2026
edited
Loading

Summary

  • Add a new optional subjectExpression field to the Identity struct in ImageValidatingPolicy
  • The field accepts a CEL expression evaluated at admission time; the result is used as a regexp match against the certificate SAN URI
  • This is a backward-compatible addition: existing subject, subjectRegExp, issuer, and issuerRegExp fields are unchanged
  • Follows the message/messageExpression convention used elsewhere in Kyverno

Motivation

When verifying keyless (Fulcio/Sigstore) image signatures in multi-tenant clusters, the expected certificate SAN URI often needs to be derived from runtime context — for example, the namespace of the requesting object or the image reference itself. The static subjectRegExp field cannot express this.

Related issue

Fixes kyverno/kyverno#15398

Next PR: kyverno/kyverno#15479

Example

identities:
  - issuer: https://token.actions.githubusercontent.com
    # derive the subject regexp from the namespace at admission time
    subjectExpression: '"^https://github\\.com/my-org/" + object.metadata.namespace + "/.*"'

Test plan

  • Unit tests in pkg/imageverification/variables/attestors_test.go cover static values, subject-from-namespace, subject-from-image, and error cases
  • No changes to existing field types — API compatibility preserved

@jzeng4 jzeng4 force-pushed the juzeng/cel branch 2 times, most recently from 3faccc1 to 37ae598 Compare March 13, 2026 23:57
@jzeng4
feat: add SubjectExpression CEL field to Identity for dynamic keyless…
8129dcf 
… signing

Add a new optional SubjectExpression field to the Identity struct, which accepts a CEL expression evaluated at admission time. The result is used as a regexp match against the certificate SAN URI, enabling dynamic subject matching (e.g. based on namespace or image name) without changing existing Subject/SubjectRegExp fields.

Signed-off-by: Junyuan Zeng <jzeng04@gmail.com>
@jzeng4 jzeng4 mentioned this pull request Mar 14, 2026
Open
9 tasks
@jzeng4
Copy link
Copy Markdown
Author

jzeng4 commented Mar 21, 2026

@eddycharly Could you take a look and merge when you get a chance? This has been approved by @fjogeleit. Thanks!

NETIZEN-11 added a commit to NETIZEN-11/kyverno that referenced this pull request Mar 29, 2026
@NETIZEN-11
feat(api): change Identity.Subject and SubjectRegExp to *StringOrExpr…
19dfbd1 
…ession

Update the Identity struct in the kyverno/api local fork so that
Subject and SubjectRegExp accept either a static string value or a
CEL expression, matching the pattern already used by cert/certChain.

- Subject string  -> Subject *StringOrExpression
- SubjectRegExp string -> SubjectRegExp *StringOrExpression
- Update DeepCopyInto to handle the new pointer fields
- Add go.mod replace directive pointing to local fork

Implements: kyverno/api#64
Related: kyverno#15398
Signed-off-by: NETIZEN_11 <niteshkumar121411@gmail.com>
NETIZEN-11 added a commit to NETIZEN-11/kyverno that referenced this pull request Mar 30, 2026
@NETIZEN-11
fix: address Copilot review comments on CEL identity expressions PR
dce7f81 
- Remove local ../kyverno-api replace directive; use jzeng4/api VCS
  pseudo-version (kyverno/api#64) so CI can resolve the dependency
- Adapt code to jzeng4/api API design: SubjectExpression string field
  instead of Subject/SubjectRegExp as *StringOrExpression
- Fix CompileAttestors: remove identity compilation using wrong env;
  identity expressions are compiled via CompileAttestorIdentities with
  the dedicated NewIdentityExprEnv() only
- Fix identPath in CompileAttestorIdentities: add missing 'cosign'
  segment so field errors point to correct path
- Remove stale 'no-op' NOTE comment from CompileAttestorIdentities
- Fix ImageKey constant: alias ImageDataKey instead of duplicating
  the string literal to avoid ambiguity
- Update all tests to use plain string fields and SubjectExpression
NETIZEN-11 added a commit to NETIZEN-11/kyverno that referenced this pull request Mar 30, 2026
@NETIZEN-11
feat(api): change Identity.Subject and SubjectRegExp to *StringOrExpr…
d697529 
…ession

Update the Identity struct in the kyverno/api local fork so that
Subject and SubjectRegExp accept either a static string value or a
CEL expression, matching the pattern already used by cert/certChain.

- Subject string  -> Subject *StringOrExpression
- SubjectRegExp string -> SubjectRegExp *StringOrExpression
- Update DeepCopyInto to handle the new pointer fields
- Add go.mod replace directive pointing to local fork

Implements: kyverno/api#64
Related: kyverno#15398
Signed-off-by: NETIZEN_11 <niteshkumar121411@gmail.com>
NETIZEN-11 added a commit to NETIZEN-11/kyverno that referenced this pull request Mar 30, 2026
@NETIZEN-11
fix: address Copilot review comments on CEL identity expressions PR
d88f88d 
- Remove local ../kyverno-api replace directive; use jzeng4/api VCS
  pseudo-version (kyverno/api#64) so CI can resolve the dependency
- Adapt code to jzeng4/api API design: SubjectExpression string field
  instead of Subject/SubjectRegExp as *StringOrExpression
- Fix CompileAttestors: remove identity compilation using wrong env;
  identity expressions are compiled via CompileAttestorIdentities with
  the dedicated NewIdentityExprEnv() only
- Fix identPath in CompileAttestorIdentities: add missing 'cosign'
  segment so field errors point to correct path
- Remove stale 'no-op' NOTE comment from CompileAttestorIdentities
- Fix ImageKey constant: alias ImageDataKey instead of duplicating
  the string literal to avoid ambiguity
- Update all tests to use plain string fields and SubjectExpression

Signed-off-by: NETIZEN_11 <niteshkumar121411@gmail.com>
NETIZEN-11 added a commit to NETIZEN-11/kyverno that referenced this pull request Mar 30, 2026
@NETIZEN-11
feat(api): change Identity.Subject and SubjectRegExp to *StringOrExpr…
f270937 
…ession

Update the Identity struct in the kyverno/api local fork so that
Subject and SubjectRegExp accept either a static string value or a
CEL expression, matching the pattern already used by cert/certChain.

- Subject string  -> Subject *StringOrExpression
- SubjectRegExp string -> SubjectRegExp *StringOrExpression
- Update DeepCopyInto to handle the new pointer fields
- Add go.mod replace directive pointing to local fork

Implements: kyverno/api#64
Related: kyverno#15398
Signed-off-by: NETIZEN_11 <niteshkumar121411@gmail.com>
NETIZEN-11 added a commit to NETIZEN-11/kyverno that referenced this pull request Mar 30, 2026
@NETIZEN-11
fix: address Copilot review comments on CEL identity expressions PR
87f5f55 
- Remove local ../kyverno-api replace directive; use jzeng4/api VCS
  pseudo-version (kyverno/api#64) so CI can resolve the dependency
- Adapt code to jzeng4/api API design: SubjectExpression string field
  instead of Subject/SubjectRegExp as *StringOrExpression
- Fix CompileAttestors: remove identity compilation using wrong env;
  identity expressions are compiled via CompileAttestorIdentities with
  the dedicated NewIdentityExprEnv() only
- Fix identPath in CompileAttestorIdentities: add missing 'cosign'
  segment so field errors point to correct path
- Remove stale 'no-op' NOTE comment from CompileAttestorIdentities
- Fix ImageKey constant: alias ImageDataKey instead of duplicating
  the string literal to avoid ambiguity
- Update all tests to use plain string fields and SubjectExpression

Signed-off-by: NETIZEN_11 <niteshkumar121411@gmail.com>
@jzeng4
Copy link
Copy Markdown
Author

jzeng4 commented Apr 11, 2026

@fjogeleit — could you please share the plan or timeline for merging and releasing this version with the PR included?

Thank you!

@realshuting realshuting enabled auto-merge (squash) April 14, 2026 03:07
auto-merge was automatically disabled April 20, 2026 17:50

Head branch was pushed to by a user without write access

@jzeng4
chore: regenerate CRDs, helm charts, and docs for SubjectExpression f…
eb63c3d 
…ield

Signed-off-by: Junyuan Zeng <jzeng04@gmail.com>
@jzeng4
Copy link
Copy Markdown
Author

jzeng4 commented Apr 20, 2026

@aerosouund @JimBugwadia @lucchmielowski @fjogeleit

Hi team, could one of you approve the pending workflow runs? I force-pushed to add the missing make codegen output (regenerated CRDs, helm charts, and API docs) that was causing the verify-codegen check to fail. The only new commit is the codegen output — no logic changes. Thanks!

@jzeng4
Copy link
Copy Markdown
Author

jzeng4 commented Apr 21, 2026

@aerosouund @JimBugwadia @lucchmielowski @fjogeleit

All checks are passing now. Could you help merge this when you get a chance? Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@JimBugwadia JimBugwadia JimBugwadia approved these changes

@lucchmielowski lucchmielowski lucchmielowski approved these changes

@fjogeleit fjogeleit fjogeleit approved these changes

@aerosouund aerosouund aerosouund approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Feature Request: CEL Expression Support for Identity Fields in ImageValidatingPolicy

5 participants

@jzeng4 @JimBugwadia @lucchmielowski @fjogeleit @aerosouund