Skip to content

Commit

Permalink
UPSTREAM: <carry>: pod-security: don't fail on SCC admission error
Browse files Browse the repository at this point in the history 
If we propagate SCC admission error during pod extraction to PodSecurity
admission, the latter will log the error instead of continuing with
unmutated pod spec, and so we will not get a validation error in
either the audit logs or as a warning.
  • Loading branch information
@stlaz
stlaz committed Jan 16, 2023
1 parent 099791b commit b4e019f
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion plugin/pkg/admission/security/podsecurity/patch_podspecextractor.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -96,7 +96,7 @@ func (s *SCCMutatingPodSpecExtractor) ExtractPodSpec(obj runtime.Object) (*metav
klog.ErrorS(err, "failed to mutate object for PSA using SCC")
utilruntime.HandleError(fmt.Errorf("failed to mutate object for PSA using SCC: %w", err))
// TODO remove this failure we're causing when SCC fails, but for now we actually need to see our test fail because that was almost really bad.
return podTemplateMeta, originalPodSpec, err
return podTemplateMeta, originalPodSpec, nil
}

if err := v1.Convert_core_Pod_To_v1_Pod(internalPod, pod, nil); err != nil {
Expand Down

0 comments on commit b4e019f

Please sign in to comment.