return reason for allowed rbac authorizations

[liggitt]

includes the binding, role, and subject that allowed a request so audit can make use of it

xref #56209 #58083

example reasons

allowed by ClusterRoleBinding "system:controller:cronjob-controller" of ClusterRole "system:controller:cronjob-controller" to ServiceAccount "cronjob-controller/kube-system"

allowed by RoleBinding "bob-viewer/default" of ClusterRole "view" to User "bob"

perf impact

go test ./plugin/pkg/auth/authorizer/rbac/ -run foo -bench . -benchmem

on master:

BenchmarkAuthorize/allow_list_pods-8         	  500000	      2674 ns/op	    1632 B/op	      27 allocs/op
BenchmarkAuthorize/allow_update_pods/status-8         	  500000	      2858 ns/op	    1632 B/op	      27 allocs/op
BenchmarkAuthorize/forbid_educate_dolphins-8          	  500000	      2654 ns/op	    1632 B/op	      27 allocs/op

with this PR:

BenchmarkAuthorize/allow_list_pods-8         	  500000	      2697 ns/op	    1664 B/op	      28 allocs/op
BenchmarkAuthorize/allow_update_pods/status-8         	  500000	      2873 ns/op	    1680 B/op	      29 allocs/op
BenchmarkAuthorize/forbid_educate_dolphins-8          	  500000	      2687 ns/op	    1664 B/op	      28 allocs/op

NONE

[deads2k]

/lgtm

[liggitt]

/hold

cleaning up the subject printing a little

[liggitt]

/hold cancel

[enj]

Check the idx in tests?

[enj]

@liggitt why not use more structured output instead of a giant string?

[liggitt]

@liggitt why not use more structured output instead of a giant string?

• we already have plumbing for a string reason
• putting structure inside a string is fragile and makes the interface misleading
• the same interface needs to be remoteable (via subject access review)
• the intended consumer of this (audit) is unlikely to nest structured data from arbitrary authorizers. see #58143 for discussion of a way for authorizers/admission plugins to contribute unstructured attributes to an audit event

[enj]

@liggitt 👍

/lgtm

[liggitt]

/retest

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deads2k, enj, liggitt

Associated issue: #56209

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

• pkg/registry/OWNERS [deads2k,liggitt]
• plugin/pkg/auth/OWNERS [deads2k,liggitt]

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

[k8s-merge-robot]

Automatic merge from submit-queue (batch tested with PRs 53895, 58013, 58466, 58531, 58535). If you want to cherry-pick this change to another branch, please follow the instructions here.