Merge pull request #58807 from CaoShuFeng/audit_annotation_rbac

Automatic merge from submit-queue (batch tested with PRs 61183, 58807). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Add RBAC information to audit logs Depends on: https://github.com/kubernetes/kubernetes/pull/58806 **Release note**: ```release-note RBAC information is included in audit logs via audit.Event annotations: authorization.k8s.io/decision = {allow, forbid} authorization.k8s.io/reason = human-readable reason for the decision ```
2025-09-24 19:38:02 +00:00 · 2018-04-06 19:31:04 -07:00
parent 1d030799e3 440aab5b86
commit 58c0748b4d
6 changed files with 223 additions and 51 deletions
--- a/plugin/pkg/auth/authorizer/rbac/rbac.go
+++ b/plugin/pkg/auth/authorizer/rbac/rbac.go
@@ -62,7 +62,7 @@ type authorizingVisitor struct {
 func (v *authorizingVisitor) visit(source fmt.Stringer, rule *rbac.PolicyRule, err error) bool {
 	if rule != nil && RuleAllows(v.requestAttributes, rule) {
 		v.allowed = true
-		v.reason = fmt.Sprintf("allowed by %s", source.String())
+		v.reason = fmt.Sprintf("RBAC: allowed by %s", source.String())
 		return false
 	}
 	if err != nil {
@@ -120,7 +120,7 @@ func (r *RBACAuthorizer) Authorize(requestAttributes authorizer.Attributes) (aut

 	reason := ""
 	if len(ruleCheckingVisitor.errors) > 0 {
-		reason = fmt.Sprintf("%v", utilerrors.NewAggregate(ruleCheckingVisitor.errors))
+		reason = fmt.Sprintf("RBAC: %v", utilerrors.NewAggregate(ruleCheckingVisitor.errors))
 	}
 	return authorizer.DecisionNoOpinion, reason, nil
 }