From 037daeb4fdb9daf74dc18705af32673a100b8a8f Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka
Date: Tue, 26 Oct 2021 13:52:22 +0200
Subject: [PATCH] podsecurity: add an annotation informing about which policy was enforced
---
 .../src/k8s.io/pod-security-admission/admission/admission.go | 2 ++
 staging/src/k8s.io/pod-security-admission/api/constants.go | 3 ++-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/staging/src/k8s.io/pod-security-admission/admission/admission.go b/staging/src/k8s.io/pod-security-admission/admission/admission.go
index 00f3b9beacb..722aee1955d 100644
--- a/staging/src/k8s.io/pod-security-admission/admission/admission.go
+++ b/staging/src/k8s.io/pod-security-admission/admission/admission.go
@@ -432,6 +432,8 @@ func (a *Admission) EvaluatePod(ctx context.Context, nsPolicy api.Policy, nsPoli
 response := allowedResponse()
 if enforce {
+ auditAnnotations[api.EnforcedPolicyAnnotationKey] = nsPolicy.Enforce.String()
+
 if result := policy.AggregateCheckResults(a.Evaluator.EvaluatePod(nsPolicy.Enforce, podMetadata, podSpec)); !result.Allowed {
 response = forbiddenResponse(fmt.Sprintf(
 "pod violates PodSecurity %q: %s",
diff --git a/staging/src/k8s.io/pod-security-admission/api/constants.go b/staging/src/k8s.io/pod-security-admission/api/constants.go
index efabfb7535b..9d87ad59b17 100644
--- a/staging/src/k8s.io/pod-security-admission/api/constants.go
+++ b/staging/src/k8s.io/pod-security-admission/api/constants.go
@@ -45,5 +45,6 @@ const (
 WarnVersionLabel = labelPrefix + "warn-version"
 ExemptionReasonAnnotationKey = "exempt"
- AuditViolationsAnnotationKey = "audit-violations"
+ AuditViolationsAnnotationKey = "audit-violations"
+ EnforcedPolicyAnnotationKey = "enforce-policy"
 )
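Review bot: The new assignment writes into `auditAnnotations` before anything in the hunk shows that map being allocated; if it is declared with `var auditAnnotations map[string]string` earlier in EvaluatePod rather than with `make` or a literal, this write panics on every enforced pod, so confirm the map is initialized above the enforce branch. The recorded value is `nsPolicy.Enforce.String()` taken before the evaluation result is known, so the annotation is present on both allowed and forbidden responses; a one-line comment such as `// Record which enforce policy was applied, regardless of outcome, so audit-log consumers can attribute the decision.` would make that intent explicit to the next reader. EvaluatePod starts and ends outside the hunk.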
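Review bot: `EnforcedPolicyAnnotationKey` is exported but carries no doc comment, so tooling and readers of the api package get no statement of what value is stored under it; add `// EnforcedPolicyAnnotationKey is the audit annotation key whose value is the string form of the enforce policy applied to the pod.` above the new line. The re-indentation of `AuditViolationsAnnotationKey` is gofmt alignment only and needs no review. The enclosing const block starts outside the hunk.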