github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-22 03:11:40 +00:00
Code Issues Projects Releases Wiki Activity

limit warnings to requests that would otherwise succeed, reformat warning message

Browse Source
This commit is contained in:
Jordan Liggitt 2021-07-08 02:18:13 -04:00
parent 36907db929
commit 7f9d2eda82
1 changed files with 12 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
staging/src/k8s.io/pod-security-admission/admission/admission.go
View File

@ -392,10 +392,18 @@ func (a *Admission) EvaluatePod(ctx context.Context, namespaceName string, podMe
auditAnnotations["audit"] = result.ForbiddenDetail()
}
// TODO: reuse previous evaluation if warn level+version is the same as audit or enforce level+version
if result := policy.AggregateCheckResults(a.Evaluator.EvaluatePod(nsPolicy.Warn, podMetadata, podSpec)); !result.Allowed {
// TODO: Craft a better user-facing warning message
response.Warnings = append(response.Warnings, fmt.Sprintf("Pod violates PodSecurity profile %s: %s", nsPolicy.Warn.String(), result.ForbiddenDetail()))
// avoid adding warnings to a request we're already going to reject with an error
if response.Allowed {
// TODO: reuse previous evaluation if warn level+version is the same as audit or enforce level+version
if result := policy.AggregateCheckResults(a.Evaluator.EvaluatePod(nsPolicy.Warn, podMetadata, podSpec)); !result.Allowed {
// TODO: Craft a better user-facing warning message
response.Warnings = append(response.Warnings, fmt.Sprintf(
"would violate %q version of %q PodSecurity profile: %s",
nsPolicy.Warn.Version.String(),
nsPolicy.Warn.Level,
result.ForbiddenDetail(),
))
}
}
response.AuditAnnotations = auditAnnotations