@sttts
Created August 16, 2022 16:32
diff --git a/pkg/authorization/workspace_content_authorizer.go b/pkg/authorization/workspace_content_authorizer.go
index 762a39a3d..cd3519b84 100644
--- a/pkg/authorization/workspace_content_authorizer.go
+++ b/pkg/authorization/workspace_content_authorizer.go
@@ -18,6 +18,7 @@ package authorization
import (
"context"
+ "fmt"
"strings"
"github.com/kcp-dev/logicalcluster/v2"
@@ -25,6 +26,7 @@ import (
"k8s.io/apimachinery/pkg/api/errors"
utilerrors "k8s.io/apimachinery/pkg/util/errors"
"k8s.io/apimachinery/pkg/util/sets"
+ "k8s.io/apiserver/pkg/audit"
authserviceaccount "k8s.io/apiserver/pkg/authentication/serviceaccount"
"k8s.io/apiserver/pkg/authentication/user"
"k8s.io/apiserver/pkg/authorization/authorizer"
@@ -75,6 +77,7 @@ type workspaceContentAuthorizer struct {
func (a *workspaceContentAuthorizer) Authorize(ctx context.Context, attr authorizer.Attributes) (authorizer.Decision, string, error) {
cluster, err := genericapirequest.ValidClusterFrom(ctx)
if err != nil {
+ audit.AddAuditAnnotation(ctx, "workspace-content.authorization.kcp.dev/reason", fmt.Sprintf("failed to get cluster from context: %v", err))
return authorizer.DecisionNoOpinion, WorkspaceAcccessNotPermittedReason, err
}
// empty or non-root based workspaces have no meaning in the context of authorizing workspace content.
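Review bot: The audit annotation key `workspace-content.authorization.kcp.dev/reason` on the added line is an inline string literal; if the other return paths of Authorize are meant to carry the same annotation, hoisting it to a package-level constant, e.g. `const workspaceContentAuditReasonKey = "workspace-content.authorization.kcp.dev/reason"`, keeps the key identical across call sites and easy for audit consumers to filter on. The value embeds the error with `%v`; if the error from ValidClusterFrom can include the requested cluster path, request-supplied text would reach the audit log unescaped, so `%q` (`fmt.Sprintf("failed to get cluster from context: %q", err)`) is the safer choice for downstream log parsers. Authorize's body continues past the hunk, so whether the remaining decision branches record a matching reason annotation cannot be seen here.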