github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-23 19:56:01 +00:00
Code Issues Projects Releases Wiki Activity

podsecurity: add an annotation informing about which policy was enforced

Browse Source
This commit is contained in:
Stanislav Laznicka 2021-10-26 13:52:22 +02:00
parent 65f88c675c
commit 037daeb4fd
No known key found for this signature in database
GPG Key ID: C98C414936B1A7F3
2 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
staging/src/k8s.io/pod-security-admission/admission/admission.go
View File

@ -432,6 +432,8 @@ func (a *Admission) EvaluatePod(ctx context.Context, nsPolicy api.Policy, nsPoli
response := allowedResponse()
if enforce {
auditAnnotations[api.EnforcedPolicyAnnotationKey] = nsPolicy.Enforce.String()
if result := policy.AggregateCheckResults(a.Evaluator.EvaluatePod(nsPolicy.Enforce, podMetadata, podSpec)); !result.Allowed {
response = forbiddenResponse(fmt.Sprintf(
"pod violates PodSecurity %q: %s",

3
staging/src/k8s.io/pod-security-admission/api/constants.go
View File

@ -45,5 +45,6 @@ const (
WarnVersionLabel = labelPrefix + "warn-version"
ExemptionReasonAnnotationKey = "exempt"
AuditViolationsAnnotationKey = "audit-violations"
AuditViolationsAnnotationKey = "audit-violations"
EnforcedPolicyAnnotationKey = "enforce-policy"
)