From f1d519b193b75ee32fe72a8d917bc9d0fbfd49b2 Mon Sep 17 00:00:00 2001
From: Chad Roberts
Date: Tue, 17 Dec 2024 12:07:55 -0500
Subject: [PATCH 1/2] Make admission rejection message more useful for namespace creation
---
 pkg/resources/core/v1/namespace/projectannotations.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/pkg/resources/core/v1/namespace/projectannotations.go b/pkg/resources/core/v1/namespace/projectannotations.go
index 1d9672acf..a4a85eb58 100644
--- a/pkg/resources/core/v1/namespace/projectannotations.go
+++ b/pkg/resources/core/v1/namespace/projectannotations.go
@@ -87,10 +87,13 @@ func (p *projectNamespaceAdmitter) Admit(request *admission.Request) (*admission
  return response, nil
  }
 
+ constructedReason := fmt.Sprintf("User %q does not have permission %q on project %q",
+ request.UserInfo.Username, manageNSVerb, projectName)
+
  response.Allowed = false
  response.Result = &metav1.Status{
  Status: "Failure",
- Message: sarResponse.Status.Reason,
+ Message: constructedReason,
  Reason: metav1.StatusReasonUnauthorized,
  Code: http.StatusForbidden,
  }
From 64747ea19bcb9467eb3a404aa13c4faf110fc13a Mon Sep 17 00:00:00 2001
From: Chad Roberts
Date: Mon, 3 Feb 2025 10:34:10 -0500
Subject: [PATCH 2/2] Updating test to check for updated admission rejection message
---
 pkg/resources/core/v1/namespace/projectannotations_test.go | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/pkg/resources/core/v1/namespace/projectannotations_test.go b/pkg/resources/core/v1/namespace/projectannotations_test.go
index ab5e59644..e0f5ca30e 100644
--- a/pkg/resources/core/v1/namespace/projectannotations_test.go
+++ b/pkg/resources/core/v1/namespace/projectannotations_test.go
@@ -27,6 +27,7 @@ func TestValidateProjectNamespaceAnnotations(t *testing.T) {
  includeProjectAnnotation bool
  targetProject string
  userCanAccessProject bool
+ rejectMessage string
  sarError bool
  wantError bool
  wantAllowed bool
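Review bot: In the projectannotations.go hunk (`@@ -87,10 +87,13`), the rejection still pairs `Reason: metav1.StatusReasonUnauthorized` with `Code: http.StatusForbidden`, while the new message states outright that this is a missing-permission (authorization) denial; `Reason: metav1.StatusReasonForbidden` would agree with both the code and the text, and clients that branch on the status reason would otherwise treat it as an authentication failure. The authorizer's own `sarResponse.Status.Reason` is no longer surfaced anywhere visible in the hunk; keeping it out of the user-facing text is reasonable, but recording it server-side alongside the username and project would keep denials traceable. The `%q` verbs are the right choice, since `projectName` presumably comes from the namespace's annotation and quoting keeps control characters out of the returned message. Admit's body starts and ends outside the hunk.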
@@ -72,6 +73,7 @@ func TestValidateProjectNamespaceAnnotations(t *testing.T) {
  includeProjectAnnotation: true,
  targetProject: "p-123xyz",
  userCanAccessProject: false,
+ rejectMessage: "User \"test-user\" does not have permission \"manage-namespaces\" on project \"p-123xyz\"",
  sarError: false,
  wantError: false,
  wantAllowed: false,
@@ -220,6 +222,9 @@ func TestValidateProjectNamespaceAnnotations(t *testing.T) {
  } else {
  assert.NoError(t, err)
  assert.Equal(t, test.wantAllowed, response.Allowed)
+ if test.rejectMessage != "" {
+ assert.Equal(t, test.rejectMessage, response.Result.Message)
+ }
  }
  })
  }
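Review bot: In the last hunk of projectannotations_test.go (`@@ -220,6 +222,9`), the new check reads `response.Result.Message` without first asserting that `response.Result` is non-nil, so a case that sets `rejectMessage` but receives a response without a Result would panic rather than fail; `if assert.NotNil(t, response.Result) { assert.Equal(t, test.rejectMessage, response.Result.Message) }` keeps that a normal test failure. Only the one denied case in the `@@ -72,6 +73,7` hunk sets `rejectMessage`, and its inputs contain nothing that `%q` would escape. Because the message now embeds the requester's username and a project name that presumably comes from the namespace annotation, a case with a quote or newline in one of them would pin the escaping the message relies on. The test function's body extends beyond both hunks.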