return reason for allowed rbac authorizations

includes the binding, role, and subject that allowed a request so audit can make use of it

plugin/pkg/auth/authorizer/rbac/rbac.go

@@ -43,7 +43,7 @@ type RequestToRuleMapper interface {
 	// VisitRulesFor invokes visitor() with each rule that applies to a given user in a given namespace,
 	// and each error encountered resolving those rules. Rule may be nil if err is non-nil.
 	// If visitor() returns false, visiting is short-circuited.
-	VisitRulesFor(user user.Info, namespace string, visitor func(rule *rbac.PolicyRule, err error) bool)
+	VisitRulesFor(user user.Info, namespace string, visitor func(source fmt.Stringer, rule *rbac.PolicyRule, err error) bool)
 }
 
 type RBACAuthorizer struct {
@@ -55,12 +55,14 @@ type authorizingVisitor struct {
 	requestAttributes authorizer.Attributes
 
 	allowed bool
+	reason  string
 	errors  []error
 }
 
-func (v *authorizingVisitor) visit(rule *rbac.PolicyRule, err error) bool {
+func (v *authorizingVisitor) visit(source fmt.Stringer, rule *rbac.PolicyRule, err error) bool {
 	if rule != nil && RuleAllows(v.requestAttributes, rule) {
 		v.allowed = true
+		v.reason = fmt.Sprintf("allowed by %s", source.String())
 		return false
 	}
 	if err != nil {
@@ -74,7 +76,7 @@ func (r *RBACAuthorizer) Authorize(requestAttributes authorizer.Attributes) (aut
 
 	r.authorizationRuleResolver.VisitRulesFor(requestAttributes.GetUser(), requestAttributes.GetNamespace(), ruleCheckingVisitor.visit)
 	if ruleCheckingVisitor.allowed {
-		return authorizer.DecisionAllow, "", nil
+		return authorizer.DecisionAllow, ruleCheckingVisitor.reason, nil
 	}
 
 	// Build a detailed log of the denial.