From 7f9d2eda8282b6d60496cbbf05fcf13ff0ccb276 Mon Sep 17 00:00:00 2001
From: Jordan Liggitt
Date: Thu, 8 Jul 2021 02:18:13 -0400
Subject: [PATCH] limit warnings to requests that would otherwise succeed, reformat warning message
---
 .../admission/admission.go | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/staging/src/k8s.io/pod-security-admission/admission/admission.go b/staging/src/k8s.io/pod-security-admission/admission/admission.go
index d71d9ba9463..6fbf2c492ae 100644
--- a/staging/src/k8s.io/pod-security-admission/admission/admission.go
+++ b/staging/src/k8s.io/pod-security-admission/admission/admission.go
@@ -392,10 +392,18 @@ func (a *Admission) EvaluatePod(ctx context.Context, namespaceName string, podMe
 auditAnnotations["audit"] = result.ForbiddenDetail()
 }
- // TODO: reuse previous evaluation if warn level+version is the same as audit or enforce level+version
- if result := policy.AggregateCheckResults(a.Evaluator.EvaluatePod(nsPolicy.Warn, podMetadata, podSpec)); !result.Allowed {
- // TODO: Craft a better user-facing warning message
- response.Warnings = append(response.Warnings, fmt.Sprintf("Pod violates PodSecurity profile %s: %s", nsPolicy.Warn.String(), result.ForbiddenDetail()))
+ // avoid adding warnings to a request we're already going to reject with an error
+ if response.Allowed {
+ // TODO: reuse previous evaluation if warn level+version is the same as audit or enforce level+version
+ if result := policy.AggregateCheckResults(a.Evaluator.EvaluatePod(nsPolicy.Warn, podMetadata, podSpec)); !result.Allowed {
+ // TODO: Craft a better user-facing warning message
+ response.Warnings = append(response.Warnings, fmt.Sprintf(
+ "would violate %q version of %q PodSecurity profile: %s",
+ nsPolicy.Warn.Version.String(),
+ nsPolicy.Warn.Level,
+ result.ForbiddenDetail(),
+ ))
+ }
 }
 response.AuditAnnotations = auditAnnotations
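Review bot: The new `if response.Allowed` guard reads a field that is presumably set by the enforce evaluation earlier in EvaluatePod (outside this hunk), so whether warnings are emitted at all now depends on a statement-order dependency that nothing in the hunk documents; I'd extend the comment to `// avoid adding warnings to a request we're already going to reject with an error (response.Allowed is set by the enforce evaluation above; keep this block after it)`. The `TODO: Craft a better user-facing warning message` line survives even though the commit reformats the message, so either drop it or say what is still missing. `result.ForbiddenDetail()` is interpolated verbatim into a value that ends up in a Warning header; if a detail string could ever contain a newline or other control character it would not be a valid header value, so it is worth confirming the detail strings are single-line. EvaluatePod starts and ends outside the hunk.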