7 changes: 7 additions & 0 deletions api/policies.kyverno.io/v1alpha1/imagevalidating_policy.go
Original file line number Diff line number Diff line change
Expand Up @@ -473,6 +473,9 @@ type Certificate struct {
// log.
// Issuer/Subject uses a strict match, while IssuerRegExp and SubjectRegExp
// apply a regexp for matching.
// For a dynamic subject, use SubjectExpression which accepts a CEL expression
// evaluated at admission time. The result is used as a regexp match against the
// certificate SAN URI, so it can be either a literal string or a regexp pattern.
type Identity struct {
// Issuer defines the issuer for this identity.
// +optional
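Review bot: The added sentence "so it can be either a literal string or a regexp pattern" on the Identity comment understates the difference from Subject, which the lines just above describe as a strict match. A literal subject used as a regexp is not strict: characters such as `.` in a URI match any character, and the comment does not say whether the match is anchored to the whole SAN URI. Since the expression is evaluated at admission time and may build the pattern from request data, please document that literal parts must be regexp-escaped and the pattern anchored with `^` and `$`, or say that the implementation does this itself.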
Expand All @@ -486,6 +489,10 @@ type Identity struct {
// SubjectRegExp specifies a regular expression to match the subject for this identity.
// +optional
SubjectRegExp string `json:"subjectRegExp,omitempty"`
// SubjectExpression defines a CEL expression that evaluates to the subject string,
// matched as a regexp against the certificate SAN URI. Mutually exclusive with SubjectRegExp.
// +optional
SubjectExpression string `json:"subjectExpression,omitempty"`
}

// Attestation defines the identification details of the metadata that has to be verified
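Review bot: The SubjectExpression comment does not say what happens when the CEL expression evaluates to an empty string or to a non-string value. Because the result is "matched as a regexp", an empty result is an empty pattern, which matches any input, so the field should be documented (and implemented) to fail closed in that case. The comment also names only SubjectRegExp as mutually exclusive; please state how SubjectExpression interacts with the strict-match Subject field when both are set.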
Original file line number Diff line number Diff line change
Expand Up @@ -219,6 +219,9 @@ spec:
log.
Issuer/Subject uses a strict match, while IssuerRegExp and SubjectRegExp
apply a regexp for matching.
For a dynamic subject, use SubjectExpression which accepts a CEL expression
evaluated at admission time. The result is used as a regexp match against the
certificate SAN URI, so it can be either a literal string or a regexp pattern.
properties:
issuer:
description: Issuer defines the issuer for this
Expand All @@ -232,6 +235,11 @@ spec:
description: Subject defines the subject for this
identity.
type: string
subjectExpression:
description: |-
SubjectExpression defines a CEL expression that evaluates to the subject string,
matched as a regexp against the certificate SAN URI. Mutually exclusive with SubjectRegExp.
type: string
subjectRegExp:
description: SubjectRegExp specifies a regular
expression to match the subject for this identity.
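Review bot: The generated `subjectExpression` property carries only a description and `type: string`, so "Mutually exclusive with SubjectRegExp" is documentation only and the API server will accept an identity that sets both. Consider a `+kubebuilder:validation:XValidation` marker on the Go Identity type so the regenerated schema gets an `x-kubernetes-validations` rule rejecting that combination; the same applies to every copy of this schema in the remaining hunks, so the fix belongs in the Go source rather than in the YAML.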
Expand Down Expand Up @@ -1293,6 +1301,9 @@ spec:
log.
Issuer/Subject uses a strict match, while IssuerRegExp and SubjectRegExp
apply a regexp for matching.
For a dynamic subject, use SubjectExpression which accepts a CEL expression
evaluated at admission time. The result is used as a regexp match against the
certificate SAN URI, so it can be either a literal string or a regexp pattern.
properties:
issuer:
description: Issuer defines the
Expand All @@ -1307,6 +1318,11 @@ spec:
description: Subject defines the
subject for this identity.
type: string
subjectExpression:
description: |-
SubjectExpression defines a CEL expression that evaluates to the subject string,
matched as a regexp against the certificate SAN URI. Mutually exclusive with SubjectRegExp.
type: string
subjectRegExp:
description: SubjectRegExp specifies
a regular expression to match
Expand Down Expand Up @@ -2514,6 +2530,9 @@ spec:
log.
Issuer/Subject uses a strict match, while IssuerRegExp and SubjectRegExp
apply a regexp for matching.
For a dynamic subject, use SubjectExpression which accepts a CEL expression
evaluated at admission time. The result is used as a regexp match against the
certificate SAN URI, so it can be either a literal string or a regexp pattern.
properties:
issuer:
description: Issuer defines the issuer for this
Expand All @@ -2527,6 +2546,11 @@ spec:
description: Subject defines the subject for this
identity.
type: string
subjectExpression:
description: |-
SubjectExpression defines a CEL expression that evaluates to the subject string,
matched as a regexp against the certificate SAN URI. Mutually exclusive with SubjectRegExp.
type: string
subjectRegExp:
description: SubjectRegExp specifies a regular
expression to match the subject for this identity.
Expand Down Expand Up @@ -3588,6 +3612,9 @@ spec:
log.
Issuer/Subject uses a strict match, while IssuerRegExp and SubjectRegExp
apply a regexp for matching.
For a dynamic subject, use SubjectExpression which accepts a CEL expression
evaluated at admission time. The result is used as a regexp match against the
certificate SAN URI, so it can be either a literal string or a regexp pattern.
properties:
issuer:
description: Issuer defines the
Expand All @@ -3602,6 +3629,11 @@ spec:
description: Subject defines the
subject for this identity.
type: string
subjectExpression:
description: |-
SubjectExpression defines a CEL expression that evaluates to the subject string,
matched as a regexp against the certificate SAN URI. Mutually exclusive with SubjectRegExp.
type: string
subjectRegExp:
description: SubjectRegExp specifies
a regular expression to match
Expand Down Expand Up @@ -4808,6 +4840,9 @@ spec:
log.
Issuer/Subject uses a strict match, while IssuerRegExp and SubjectRegExp
apply a regexp for matching.
For a dynamic subject, use SubjectExpression which accepts a CEL expression
evaluated at admission time. The result is used as a regexp match against the
certificate SAN URI, so it can be either a literal string or a regexp pattern.
properties:
issuer:
description: Issuer defines the issuer for this
Expand All @@ -4821,6 +4856,11 @@ spec:
description: Subject defines the subject for this
identity.
type: string
subjectExpression:
description: |-
SubjectExpression defines a CEL expression that evaluates to the subject string,
matched as a regexp against the certificate SAN URI. Mutually exclusive with SubjectRegExp.
type: string
subjectRegExp:
description: SubjectRegExp specifies a regular
expression to match the subject for this identity.
Expand Down Expand Up @@ -5882,6 +5922,9 @@ spec:
log.
Issuer/Subject uses a strict match, while IssuerRegExp and SubjectRegExp
apply a regexp for matching.
For a dynamic subject, use SubjectExpression which accepts a CEL expression
evaluated at admission time. The result is used as a regexp match against the
certificate SAN URI, so it can be either a literal string or a regexp pattern.
properties:
issuer:
description: Issuer defines the
Expand All @@ -5896,6 +5939,11 @@ spec:
description: Subject defines the
subject for this identity.
type: string
subjectExpression:
description: |-
SubjectExpression defines a CEL expression that evaluates to the subject string,
matched as a regexp against the certificate SAN URI. Mutually exclusive with SubjectRegExp.
type: string
subjectRegExp:
description: SubjectRegExp specifies
a regular expression to match
Original file line number Diff line number Diff line change
Expand Up @@ -219,6 +219,9 @@ spec:
log.
Issuer/Subject uses a strict match, while IssuerRegExp and SubjectRegExp
apply a regexp for matching.
For a dynamic subject, use SubjectExpression which accepts a CEL expression
evaluated at admission time. The result is used as a regexp match against the
certificate SAN URI, so it can be either a literal string or a regexp pattern.
properties:
issuer:
description: Issuer defines the issuer for this
Expand All @@ -232,6 +235,11 @@ spec:
description: Subject defines the subject for this
identity.
type: string
subjectExpression:
description: |-
SubjectExpression defines a CEL expression that evaluates to the subject string,
matched as a regexp against the certificate SAN URI. Mutually exclusive with SubjectRegExp.
type: string
subjectRegExp:
description: SubjectRegExp specifies a regular
expression to match the subject for this identity.
Expand Down Expand Up @@ -1293,6 +1301,9 @@ spec:
log.
Issuer/Subject uses a strict match, while IssuerRegExp and SubjectRegExp
apply a regexp for matching.
For a dynamic subject, use SubjectExpression which accepts a CEL expression
evaluated at admission time. The result is used as a regexp match against the
certificate SAN URI, so it can be either a literal string or a regexp pattern.
properties:
issuer:
description: Issuer defines the
Expand All @@ -1307,6 +1318,11 @@ spec:
description: Subject defines the
subject for this identity.
type: string
subjectExpression:
description: |-
SubjectExpression defines a CEL expression that evaluates to the subject string,
matched as a regexp against the certificate SAN URI. Mutually exclusive with SubjectRegExp.
type: string
subjectRegExp:
description: SubjectRegExp specifies
a regular expression to match
Expand Down Expand Up @@ -2513,6 +2529,9 @@ spec:
log.
Issuer/Subject uses a strict match, while IssuerRegExp and SubjectRegExp
apply a regexp for matching.
For a dynamic subject, use SubjectExpression which accepts a CEL expression
evaluated at admission time. The result is used as a regexp match against the
certificate SAN URI, so it can be either a literal string or a regexp pattern.
properties:
issuer:
description: Issuer defines the issuer for this
Expand All @@ -2526,6 +2545,11 @@ spec:
description: Subject defines the subject for this
identity.
type: string
subjectExpression:
description: |-
SubjectExpression defines a CEL expression that evaluates to the subject string,
matched as a regexp against the certificate SAN URI. Mutually exclusive with SubjectRegExp.
type: string
subjectRegExp:
description: SubjectRegExp specifies a regular
expression to match the subject for this identity.
Expand Down Expand Up @@ -3587,6 +3611,9 @@ spec:
log.
Issuer/Subject uses a strict match, while IssuerRegExp and SubjectRegExp
apply a regexp for matching.
For a dynamic subject, use SubjectExpression which accepts a CEL expression
evaluated at admission time. The result is used as a regexp match against the
certificate SAN URI, so it can be either a literal string or a regexp pattern.
properties:
issuer:
description: Issuer defines the
Expand All @@ -3601,6 +3628,11 @@ spec:
description: Subject defines the
subject for this identity.
type: string
subjectExpression:
description: |-
SubjectExpression defines a CEL expression that evaluates to the subject string,
matched as a regexp against the certificate SAN URI. Mutually exclusive with SubjectRegExp.
type: string
subjectRegExp:
description: SubjectRegExp specifies
a regular expression to match