Support LocalSubjectAccessReview if namespace option is non-empty

[jkroepke]

Is your feature request related to a problem? Please describe.
I'm looking into the cert-manager permissions requirements at cluster-scope and would like to reduce them to a namespace, if possible.

Currently, the cert-manager controller depends on a cluster-scope SubjectAccessReview which also requires cluster-wide permissions. The need of the is described here: https://github.com/cert-manager/cert-manager/blob/c376bc495c8bb7f710155634ca919e65e134b33e/design/20190708.certificate-request-crd.md#rbac

Access to LocalSubjectAccessReviews can be granted by an Role and does not need a ClusterRole

cert-manager/pkg/controller/certificatesigningrequests/sync.go

Lines 181 to 204 in c376bc4

	resp, err := c.sarClient.Create(ctx, &authzv1.SubjectAccessReview{
	Spec: authzv1.SubjectAccessReviewSpec{
	User: csr.Spec.Username,
	Groups: csr.Spec.Groups,
	Extra: extra,
	UID: csr.Spec.UID,
	ResourceAttributes: &authzv1.ResourceAttributes{
	Group: certmanager.GroupName,
	Resource: "signers",
	Verb: "reference",
	Namespace: issuerNamespace,
	Name: name,
	Version: "*",
	},
	},
	}, metav1.CreateOptions{})
	if err != nil {
	return false, err
	}
	if resp.Status.Allowed {
	return true, nil
	}

Describe the solution you'd like
If cert-manager runs in namespace only mode, LocalSubjectAccessReview could be used instead SubjectAccessReview. Since request permissions for the local namespace is sufficent.

Describe alternatives you've considered
N/A

Additional context

Environment details (remove if not applicable):

• Kubernetes version: 1.28
• Cloud-provider/provisioner: AKS
• cert-manager version: 1.14
• Install method: e.g. helm

/kind feature

[cert-manager-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
/lifecycle stale

[jkroepke]

yippe, still relevant

[cert-manager-bot]

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
/lifecycle rotten
/remove-lifecycle stale

[jkroepke]

yippe, still relevant

[cert-manager-bot]

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
/close

[cert-manager-prow]

@cert-manager-bot: Closing this issue.

Details

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[jkroepke]

crap bot

[wallrj]

/reopen