podsecurity: add an annotation informing about which policy was enforced

This commit is contained in:
Stanislav Laznicka 2021-10-26 13:52:22 +02:00
parent 65f88c675c
commit 037daeb4fd
No known key found for this signature in database
GPG Key ID: C98C414936B1A7F3
2 changed files with 4 additions and 1 deletions


@ -432,6 +432,8 @@ func (a *Admission) EvaluatePod(ctx context.Context, nsPolicy api.Policy, nsPoli
response := allowedResponse()
if enforce {
auditAnnotations[api.EnforcedPolicyAnnotationKey] = nsPolicy.Enforce.String()
if result := policy.AggregateCheckResults(a.Evaluator.EvaluatePod(nsPolicy.Enforce, podMetadata, podSpec)); !result.Allowed {
response = forbiddenResponse(fmt.Sprintf(
"pod violates PodSecurity %q: %s",
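Review bot: The write to `auditAnnotations` on the new line happens unconditionally inside the enforce branch, so if that map is declared as a nil map earlier in EvaluatePod (its declaration is outside this hunk) the assignment panics on the first enforced pod; confirm it is initialized with `make`/a literal before this point. It is also worth a short comment above the new line stating intent, since the annotation is recorded before the result is known: `// Record the policy (level and version) that was enforced, whether or not the pod is admitted.` EvaluatePod starts and continues outside this hunk.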


@ -45,5 +45,6 @@ const (
WarnVersionLabel = labelPrefix + "warn-version"
ExemptionReasonAnnotationKey = "exempt"
AuditViolationsAnnotationKey = "audit-violations"
AuditViolationsAnnotationKey = "audit-violations"
EnforcedPolicyAnnotationKey = "enforce-policy"
)
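Review bot: The new exported constant `EnforcedPolicyAnnotationKey` has no doc comment, and an audit annotation key is exactly the kind of name a detection engineer will search for when building alerts on admission audit events. Add `// EnforcedPolicyAnnotationKey is the audit annotation key under which the enforced policy (level and version) is recorded.` above it. The sibling keys in this block are also undocumented, but this change is the natural place to start.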