Approver cannot find applicable policy

[tjungbauer]

Hello,

I am somehow stuck in the configuration of Cert-Manager and the Approver.
We would like to use the OpenShift Cert-Manager Operator to work with certificates.
The approver shall approve requests accordingly. For testing I have created a policy that should allow everything:

apiVersion: policy.cert-manager.io/v1alpha1
kind: CertificateRequestPolicy
metadata:
  name: test
spec:
  allowed:
    commonName:
      value: '*'
    dnsNames:
      values:
        - '*'
    emailAddresses:
      values:
        - '*'
    ipAddresses:
      values:
        - '*'
    subject:
      countries:
        values:
          - '*'
      localities:
        values:
          - '*'
      organizationalUnits:
        values:
          - '*'
      organizations:
        values:
          - '*'
      postalCodes:
        values:
          - '*'
      provinces:
        values:
          - '*'
      serialNumber:
        value: '*'
      streetAddresses:
        values:
          - '*'
    uris:
      values:
        - '*'
    usages:
      - signing
      - digital signature
      - content commitment
      - key encipherment
      - key agreement
      - data encipherment
      - cert sign
      - crl sign
      - encipher only
      - decipher only
      - any
      - server auth
      - client auth
      - code signing
      - email protection
      - s/mime
      - ipsec end system
      - ipsec tunnel
      - ipsec user
      - timestamping
      - ocsp signing
      - microsoft sgc
      - netscape sgc
  selector:
    issuerRef: {}
status:
  conditions:
    - lastTransitionTime: '2025-04-29T09:11:49Z'
      message: CertificateRequestPolicy is ready for approval evaluation
      observedGeneration: 3
      reason: Ready
      status: 'True'
      type: Ready

When I try to create a Certificate such as:

... 
spec:
  commonName: cert30.apps.dev.my-cluster.com
  dnsNames:
    - cert30.apps.dev.my-cluster.com
  issuerRef:
    group: ejbca-issuer.keyfactor.com
    kind: ClusterIssuer
    name: clusterissuer-ejbca
  privateKey:
    algorithm: RSA
    size: 4096
  secretName: test-cert-30
  subject:
    countries:
      - AT
    organizations:
      - ORG
  usages:
    - server auth

I would assume that the approver should approve the request, but it does not.
The approver pod sees the request but complains that the request is not applicable for any policy:

time=2025-05-22T08:24:05.069Z level=DEBUG+3 msg="Request is not applicable for any policy so ignoring" logger=controller-manager/events type=Normal object="{Kind:CertificateRequest Namespace:openshift-gitops Name:test-cert-30-1 UID:ab934861-efe0-4831-9aa8-9bf5fb7d0929 APIVersion:cert-manager.io/v1 ResourceVersion:427974104 FieldPath:}" reason=Unprocessed

Roles should be fine, if I change something there, the Pod immediately complains that permissions are missing.

Do I miss anything in the configuration? Is there a way to debug the policy evaluation?

many thanks in advance for your help!

[opentokix]

I am seeing the exact same behavior.
version: 0.21.0

[opentokix]

@tjungbauer Have you also created the rbac with the "use" verb for the policy in question?

The thing is the system requesting the cert, will also need the permission to USE that policy.

Here is the full docs and example.
https://cert-manager.io/docs/policy/approval/approver-policy/

If you look at these ClusteRole and the rolebinding. The Role is "use" on the NAMED policy (can not use '*') and then that role is bound to system:authenticated.

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-policy:hello-world
rules:
  - apiGroups: ["policy.cert-manager.io"]
    resources: ["certificaterequestpolicies"]
    verbs: ["use"]
    # Name of the CertificateRequestPolicies to be used.
    resourceNames: ["test-policy"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-policy:hello-world
roleRef:
# ClusterRole or Role _must_ be bound to a user for the policy to be considered.
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-policy:hello-world
subjects:
# The users who should be bound to the policies defined.
# Note that in the case of users creating Certificate resources, cert-manager
# is the entity that is creating the actual CertificateRequests, and so the
# cert-manager controller's
# Service Account should be bound instead.
- kind: Group
  name: system:authenticated
  apiGroup: rbac.authorization.k8s.io

[tjungbauer]

Hi,

yes and that was exactly my problem back then.
I also wrote a little guide for OpenShift deployments maybe thats helpful too: https://blog.stderr.at/openshift/2025/06/cert-manager-policy-approver-in-openshift/#_rendered_certificaterequestpolicy_and_rolebinding