github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-24 12:15:52 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #103552 from liggitt/podsecurity-code

Browse Source 
PodSecurity: use code/reason/details from admission library
This commit is contained in:
Kubernetes Prow Robot 2021-07-07 17:05:56 -07:00 committed by GitHub
commit 818ed1afff
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 18 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
plugin/pkg/admission/security/podsecurity/admission.go
View File

@ -32,6 +32,7 @@ import (
appsv1 "k8s.io/api/apps/v1"
batchv1 "k8s.io/api/batch/v1"
corev1 "k8s.io/api/core/v1"
apierrors "k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apiserver/pkg/admission"
@ -177,11 +178,24 @@ func (p *Plugin) Validate(ctx context.Context, a admission.Attributes, o admissi
audit.AddAuditAnnotation(ctx, podsecurityadmissionapi.AuditAnnotationPrefix+k, v)
}
if !result.Allowed {
if result.Result != nil && len(result.Result.Message) > 0 {
// TODO: use code/reason/etc from status
return admission.NewForbidden(a, errors.New(result.Result.Message))
// start with a generic forbidden error
retval := admission.NewForbidden(a, errors.New("Not allowed by PodSecurity")).(*apierrors.StatusError)
// use message/reason/details/code from admission library if populated
if result.Result != nil {
if len(result.Result.Message) > 0 {
retval.ErrStatus.Message = result.Result.Message
}
if len(result.Result.Reason) > 0 {
retval.ErrStatus.Reason = result.Result.Reason
}
if result.Result.Details != nil {
retval.ErrStatus.Details = result.Result.Details
}
if result.Result.Code != 0 {
retval.ErrStatus.Code = result.Result.Code
}
}
return admission.NewForbidden(a, errors.New("Not allowed by PodSecurity"))
return retval
}
return nil
}