limit warnings to requests that would otherwise succeed, reformat warning message
parent
36907db929
commit
7f9d2eda82
@ -392,10 +392,18 @@ func (a *Admission) EvaluatePod(ctx context.Context, namespaceName string, podMe
|
|||||||
auditAnnotations["audit"] = result.ForbiddenDetail()
|
auditAnnotations["audit"] = result.ForbiddenDetail()
|
||||||
}
|
}
|
||||||
|
|
||||||
// TODO: reuse previous evaluation if warn level+version is the same as audit or enforce level+version
|
// avoid adding warnings to a request we're already going to reject with an error
|
||||||
if result := policy.AggregateCheckResults(a.Evaluator.EvaluatePod(nsPolicy.Warn, podMetadata, podSpec)); !result.Allowed {
|
if response.Allowed {
|
||||||
// TODO: Craft a better user-facing warning message
|
// TODO: reuse previous evaluation if warn level+version is the same as audit or enforce level+version
|
||||||
response.Warnings = append(response.Warnings, fmt.Sprintf("Pod violates PodSecurity profile %s: %s", nsPolicy.Warn.String(), result.ForbiddenDetail()))
|
if result := policy.AggregateCheckResults(a.Evaluator.EvaluatePod(nsPolicy.Warn, podMetadata, podSpec)); !result.Allowed {
|
||||||
|
// TODO: Craft a better user-facing warning message
|
||||||
|
response.Warnings = append(response.Warnings, fmt.Sprintf(
|
||||||
|
"would violate %q version of %q PodSecurity profile: %s",
|
||||||
|
nsPolicy.Warn.Version.String(),
|
||||||
|
nsPolicy.Warn.Level,
|
||||||
|
result.ForbiddenDetail(),
|
||||||
|
))
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
response.AuditAnnotations = auditAnnotations
|
response.AuditAnnotations = auditAnnotations
|
||||||
|
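Review bot: The new `if response.Allowed` guard means a pod rejected at the enforce level never has its warn-level violations reported, so where the warn policy is stricter than enforce the user only learns of those after fixing the enforce failures and resubmitting; the one-line comment above the guard does not state that consequence. I would extend it to something like `// skip the warn evaluation for requests enforce already rejected; audit annotations are still set below regardless`, which also records that `response.AuditAnnotations = auditAnnotations` stays outside the guard, so audit coverage of denied pods does not appear to change. The `// TODO: Craft a better user-facing warning message` kept inside the block looks stale now that this commit reformats the message, and could be dropped or made specific. EvaluatePod begins and ends outside this hunk, so how `response.Allowed` is set is not visible here.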