SSA: improve create authz error message

Signed-off-by: Monis Khan <mok@microsoft.com>

staging/src/k8s.io/apiserver/pkg/endpoints/handlers/responsewriters/errors.go

@@ -34,8 +34,13 @@ var sanitizer = strings.NewReplacer(`&`, "&amp;", `<`, "&lt;", `>`, "&gt;")
 
 // Forbidden renders a simple forbidden error
 func Forbidden(ctx context.Context, attributes authorizer.Attributes, w http.ResponseWriter, req *http.Request, reason string, s runtime.NegotiatedSerializer) {
-	msg := sanitizer.Replace(forbiddenMessage(attributes))
 	w.Header().Set("X-Content-Type-Options", "nosniff")
+	gv := schema.GroupVersion{Group: attributes.GetAPIGroup(), Version: attributes.GetAPIVersion()}
+	ErrorNegotiated(ForbiddenStatusError(attributes, reason), s, gv, w, req)
+}
+
+func ForbiddenStatusError(attributes authorizer.Attributes, reason string) *apierrors.StatusError {
+	msg := sanitizer.Replace(forbiddenMessage(attributes))
 
 	var errMsg string
 	if len(reason) == 0 {
@@ -43,9 +48,10 @@ func Forbidden(ctx context.Context, attributes authorizer.Attributes, w http.Res
 	} else {
 		errMsg = fmt.Sprintf("%s: %s", msg, reason)
 	}
-	gv := schema.GroupVersion{Group: attributes.GetAPIGroup(), Version: attributes.GetAPIVersion()}
+
 	gr := schema.GroupResource{Group: attributes.GetAPIGroup(), Resource: attributes.GetResource()}
-	ErrorNegotiated(apierrors.NewForbidden(gr, attributes.GetName(), fmt.Errorf(errMsg)), s, gv, w, req)
+
+	return apierrors.NewForbidden(gr, attributes.GetName(), fmt.Errorf(errMsg))
 }
 
 func forbiddenMessage(attributes authorizer.Attributes) string {

staging/src/k8s.io/apiserver/pkg/endpoints/handlers/update.go

@@ -39,6 +39,7 @@ import (
 	"k8s.io/apiserver/pkg/endpoints/handlers/finisher"
 	requestmetrics "k8s.io/apiserver/pkg/endpoints/handlers/metrics"
 	"k8s.io/apiserver/pkg/endpoints/handlers/negotiation"
+	"k8s.io/apiserver/pkg/endpoints/handlers/responsewriters"
 	"k8s.io/apiserver/pkg/endpoints/request"
 	"k8s.io/apiserver/pkg/registry/rest"
 	"k8s.io/apiserver/pkg/util/dryrun"
@@ -275,13 +276,7 @@ func withAuthorization(validate rest.ValidateObjectFunc, a authorizer.Authorizer
 		}
 
 		// The user is not authorized to perform this action, so we need to build the error response
-		gr := schema.GroupResource{
+		return responsewriters.ForbiddenStatusError(attributes, authorizerReason)
-			Group:    attributes.GetAPIGroup(),
-			Resource: attributes.GetResource(),
-		}
-		name := attributes.GetName()
-		err := fmt.Errorf("%v", authorizerReason)
-		return errors.NewForbidden(gr, name, err)
 	}
 }
 

test/integration/apiserver/apply/apply_test.go

@@ -4805,7 +4805,7 @@ func TestCreateOnApplyFailsWithForbidden(t *testing.T) {
 
 	errCreate := ssaPod(pandaClient)
 
-	requireForbiddenPodErr(t, errCreate, `pods "test-pod" is forbidden: `) // TODO make this error better
+	requireForbiddenPodErr(t, errCreate, `pods "test-pod" is forbidden: User "panda" cannot create resource "pods" in API group "" in the namespace "default"`)
 
 	createPodRBACAndWait(t, adminClient, "create")