loosen rbac for get cert - avoid checking every DNS in SAN #444
+12 −30
Previous RBAC for get certificate:
Problem: this limits a lot of the freedom in how the DNS names in the SAN can be defined, especially when 'service_name' does not need to be present in the SAN DNS entries; the check fails even if it is missing from just one of the entries.
Change: loosen the RBAC of get cert to match against the CN only. For the DNS list in the SAN, we will skip checking against the KMS auth identity.