diff --git a/pkg/genericapiserver/api/handlers/responsewriters/errors.go b/pkg/genericapiserver/api/handlers/responsewriters/errors.go
index 2e12b9e8904..f794124893f 100644
--- a/pkg/genericapiserver/api/handlers/responsewriters/errors.go
+++ b/pkg/genericapiserver/api/handlers/responsewriters/errors.go
@@ -38,7 +38,12 @@ func Forbidden(attributes authorizer.Attributes, w http.ResponseWriter, req *htt
 w.Header().Set("Content-Type", "text/plain")
 w.Header().Set("X-Content-Type-Options", "nosniff")
 w.WriteHeader(http.StatusForbidden)
- fmt.Fprintf(w, "%s: %q", msg, reason)
+
+ if len(reason) == 0 {
+ fmt.Fprintf(w, "%s", msg)
+ } else {
+ fmt.Fprintf(w, "%s: %q", msg, reason)
+ }
 }
 
 func forbiddenMessage(attributes authorizer.Attributes) string {
diff --git a/plugin/pkg/auth/authorizer/rbac/rbac.go b/plugin/pkg/auth/authorizer/rbac/rbac.go
index 2241a00c246..858b65ca91d 100644
--- a/plugin/pkg/auth/authorizer/rbac/rbac.go
+++ b/plugin/pkg/auth/authorizer/rbac/rbac.go
@@ -48,7 +48,11 @@ func (r *RBACAuthorizer) Authorize(requestAttributes authorizer.Attributes) (boo
 glog.V(2).Infof("RBAC DENY: user %q groups %v cannot %q on \"%v.%v/%v\"", requestAttributes.GetUser().GetName(), requestAttributes.GetUser().GetGroups(), requestAttributes.GetVerb(), requestAttributes.GetResource(), requestAttributes.GetAPIGroup(), requestAttributes.GetSubresource())
- return false, fmt.Sprintf("%v", ruleResolutionError), nil
+ reason := ""
+ if ruleResolutionError != nil {
+ reason = fmt.Sprintf("%v", ruleResolutionError)
+ }
+ return false, reason, nil
 }
 
 func New(roles validation.RoleGetter, roleBindings validation.RoleBindingLister, clusterRoles validation.ClusterRoleGetter, clusterRoleBindings validation.ClusterRoleBindingLister) *RBACAuthorizer {
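Review bot: `reason` is still written to the 403 body verbatim in the `else` branch, and nothing in the hunk documents that contract. With the RBAC change in this same commit the value is the text of a rule-resolution error, so whatever that error contains is shown to the denied caller. The `%q` quoting together with `text/plain` and `nosniff` keeps it from being interpreted as markup, but not from disclosing internal detail. I would add a comment on Forbidden such as `// reason is returned to the client as-is; authorizers must not put sensitive detail in it`, and the empty case reads more simply as `fmt.Fprint(w, msg)`. Forbidden's full signature and the origin of `msg` and `reason` are outside the hunk, so this assumes `reason` comes from the authorizer.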
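Review bot: The rule-resolution error now leaves Authorize only as the `reason` string. The `RBAC DENY` log line just above does not include it and the third return value stays `nil`, so an operator reading the logs cannot tell a plain deny from one caused by a failed rule lookup. Inside the new `if ruleResolutionError != nil` block I would also log it, e.g. `glog.V(2).Infof("RBAC DENY: rule resolution error: %v", ruleResolutionError)`, and `reason = ruleResolutionError.Error()` says the same thing as the `Sprintf` more directly. The start of Authorize is outside the hunk, so whether the error is already logged earlier is not visible here.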