Created
August 16, 2022 16:32
diff --git a/pkg/authorization/workspace_content_authorizer.go b/pkg/authorization/workspace_content_authorizer.go | |
index 762a39a3d..cd3519b84 100644 | |
--- a/pkg/authorization/workspace_content_authorizer.go | |
+++ b/pkg/authorization/workspace_content_authorizer.go | |
@@ -18,6 +18,7 @@ package authorization | |
import ( | |
"context" | |
+ "fmt" | |
"strings" | |
"github.com/kcp-dev/logicalcluster/v2" | |
@@ -25,6 +26,7 @@ import ( | |
"k8s.io/apimachinery/pkg/api/errors" | |
utilerrors "k8s.io/apimachinery/pkg/util/errors" | |
"k8s.io/apimachinery/pkg/util/sets" | |
+ "k8s.io/apiserver/pkg/audit" | |
authserviceaccount "k8s.io/apiserver/pkg/authentication/serviceaccount" | |
"k8s.io/apiserver/pkg/authentication/user" | |
"k8s.io/apiserver/pkg/authorization/authorizer" | |
@@ -75,6 +77,7 @@ type workspaceContentAuthorizer struct { | |
func (a *workspaceContentAuthorizer) Authorize(ctx context.Context, attr authorizer.Attributes) (authorizer.Decision, string, error) { | |
cluster, err := genericapirequest.ValidClusterFrom(ctx) | |
if err != nil { | |
+ audit.AddAuditAnnotation(ctx, "workspace-content.authorization.kcp.dev/reason", fmt.Sprintf("failed to get cluster from context: %v", err)) | |
return authorizer.DecisionNoOpinion, WorkspaceAcccessNotPermittedReason, err | |
} | |
// empty or non-root based workspaces have no meaning in the context of authorizing workspace content. |
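Review bot: The annotation key on the added `audit.AddAuditAnnotation` line is an inline string literal, and within this hunk only the `ValidClusterFrom` error path records a reason. Authorize's body continues outside the hunk, so it is not visible whether the other return paths are annotated. If they are meant to be, a package-level constant such as `const auditReasonKey = "workspace-content.authorization.kcp.dev/reason"` keeps the key identical everywhere, which matters because audit queries match on the exact key. It would also help incident review to record the decision next to the reason, since the annotation alone does not say that this path returned `DecisionNoOpinion`.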