podsecurity: add an annotation informing about which policy was enforced
This commit is contained in:
parent
65f88c675c
commit
037daeb4fd
@ -432,6 +432,8 @@ func (a *Admission) EvaluatePod(ctx context.Context, nsPolicy api.Policy, nsPoli
|
|||||||
|
|
||||||
response := allowedResponse()
|
response := allowedResponse()
|
||||||
if enforce {
|
if enforce {
|
||||||
|
auditAnnotations[api.EnforcedPolicyAnnotationKey] = nsPolicy.Enforce.String()
|
||||||
|
|
||||||
if result := policy.AggregateCheckResults(a.Evaluator.EvaluatePod(nsPolicy.Enforce, podMetadata, podSpec)); !result.Allowed {
|
if result := policy.AggregateCheckResults(a.Evaluator.EvaluatePod(nsPolicy.Enforce, podMetadata, podSpec)); !result.Allowed {
|
||||||
response = forbiddenResponse(fmt.Sprintf(
|
response = forbiddenResponse(fmt.Sprintf(
|
||||||
"pod violates PodSecurity %q: %s",
|
"pod violates PodSecurity %q: %s",
|
||||||
|
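Review bot: The assignment `auditAnnotations[api.EnforcedPolicyAnnotationKey] = nsPolicy.Enforce.String()` runs before the allow/forbid decision, so the annotation lands on every enforced request whether the pod is admitted or rejected; that is the useful outcome for audit, but nothing in the hunk says it is deliberate, and a later reader could reasonably move it under the `!result.Allowed` branch. A one-line comment above the assignment would pin the intent: `// Record the enforce policy that was evaluated, regardless of outcome, so audit logs show which policy applied to this pod.` This also relies on auditAnnotations having been initialized earlier in EvaluatePod, whose body begins and ends outside this hunk. No test exercising the new annotation is visible on this page.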
@ -45,5 +45,6 @@ const (
|
|||||||
WarnVersionLabel = labelPrefix + "warn-version"
|
WarnVersionLabel = labelPrefix + "warn-version"
|
||||||
|
|
||||||
ExemptionReasonAnnotationKey = "exempt"
|
ExemptionReasonAnnotationKey = "exempt"
|
||||||
AuditViolationsAnnotationKey = "audit-violations"
|
AuditViolationsAnnotationKey = "audit-violations"
|
||||||
|
EnforcedPolicyAnnotationKey = "enforce-policy"
|
||||||
)
|
)
|
||||||
|
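Review bot: `EnforcedPolicyAnnotationKey = "enforce-policy"` is an exported constant with no doc comment, so the meaning and format of its value are only discoverable from the caller that stores `nsPolicy.Enforce.String()` under it. Add a comment starting with the name, for example `// EnforcedPolicyAnnotationKey is the audit annotation key recording the enforce policy that was evaluated for the pod, in the String() form of the namespace's enforce policy.` The neighbouring `ExemptionReasonAnnotationKey` and `AuditViolationsAnnotationKey` lines carry no comment either in this hunk, so the same treatment would make the block consistent.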