Merge pull request #126523 from enj/enj/i/ssa_authz_create_err

SSA: improve create authz error message

Kubernetes-commit: 114900ab1f678a03e5c1bc63fe92b0892d2a9238

go.mod

@@ -45,7 +45,7 @@ require (
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1
 	gopkg.in/square/go-jose.v2 v2.6.0
 	k8s.io/api v0.0.0-20240814140756-5b597d2ac308
-	k8s.io/apimachinery v0.0.0-20240720202316-95b78024e3fe
+	k8s.io/apimachinery v0.0.0-20240816010351-a8a2284d318b
 	k8s.io/client-go v0.0.0-20240814061205-690fd5274dfc
 	k8s.io/component-base v0.0.0-20240728011147-17b34105999b
 	k8s.io/klog/v2 v2.130.1

go.sum

@@ -372,8 +372,8 @@ honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 k8s.io/api v0.0.0-20240814140756-5b597d2ac308 h1:WNYh3lnGkkKKlE7TeskBL29ncORtzO/TqZIX4JuTHTo=
 k8s.io/api v0.0.0-20240814140756-5b597d2ac308/go.mod h1:ytlEzqC2wOTwYET71W7+J+k7O2V7vrDuzmNLBSpgT+k=
-k8s.io/apimachinery v0.0.0-20240720202316-95b78024e3fe h1:V9MwpYUwbKlfLKVrhpVuKWiat/LBIhm1pGB9/xdHm5Q=
+k8s.io/apimachinery v0.0.0-20240816010351-a8a2284d318b h1:dyJ8CcpWQebled2TcQWRumVyI+CBO0H0F5czijmaYTQ=
-k8s.io/apimachinery v0.0.0-20240720202316-95b78024e3fe/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo=
+k8s.io/apimachinery v0.0.0-20240816010351-a8a2284d318b/go.mod h1:rsPdaZJfTfLsNJSQzNHQvYoTmxhoOEofxtOsF3rtsMo=
 k8s.io/client-go v0.0.0-20240814061205-690fd5274dfc h1:ZuM9tPpDGZHOb7dNzUNFOADRJK3+REmRsLQ/L3hVHRQ=
 k8s.io/client-go v0.0.0-20240814061205-690fd5274dfc/go.mod h1:cE151YT6VfSgZltk7hYbMYFQoMrTpIZQn935vDqadm4=
 k8s.io/component-base v0.0.0-20240728011147-17b34105999b h1:oOYTUnYRb8KrJ+OD2Y+819wrKs4A3iie+yQ558P55F0=

pkg/endpoints/handlers/responsewriters/errors.go

@@ -34,18 +34,24 @@ var sanitizer = strings.NewReplacer(`&`, "&amp;", `<`, "&lt;", `>`, "&gt;")
 
 // Forbidden renders a simple forbidden error
 func Forbidden(ctx context.Context, attributes authorizer.Attributes, w http.ResponseWriter, req *http.Request, reason string, s runtime.NegotiatedSerializer) {
-	msg := sanitizer.Replace(forbiddenMessage(attributes))
 	w.Header().Set("X-Content-Type-Options", "nosniff")
-
-	var errMsg string
-	if len(reason) == 0 {
-		errMsg = fmt.Sprintf("%s", msg)
-	} else {
-		errMsg = fmt.Sprintf("%s: %s", msg, reason)
-	}
 	gv := schema.GroupVersion{Group: attributes.GetAPIGroup(), Version: attributes.GetAPIVersion()}
+	ErrorNegotiated(ForbiddenStatusError(attributes, reason), s, gv, w, req)
+}
+
+func ForbiddenStatusError(attributes authorizer.Attributes, reason string) *apierrors.StatusError {
+	msg := sanitizer.Replace(forbiddenMessage(attributes))
+
+	var errMsg error
+	if len(reason) == 0 {
+		errMsg = fmt.Errorf("%s", msg)
+	} else {
+		errMsg = fmt.Errorf("%s: %s", msg, reason)
+	}
+
 	gr := schema.GroupResource{Group: attributes.GetAPIGroup(), Resource: attributes.GetResource()}
-	ErrorNegotiated(apierrors.NewForbidden(gr, attributes.GetName(), fmt.Errorf(errMsg)), s, gv, w, req)
+
+	return apierrors.NewForbidden(gr, attributes.GetName(), errMsg)
 }
 
 func forbiddenMessage(attributes authorizer.Attributes) string {

pkg/endpoints/handlers/update.go

@@ -39,6 +39,7 @@ import (
 	"k8s.io/apiserver/pkg/endpoints/handlers/finisher"
 	requestmetrics "k8s.io/apiserver/pkg/endpoints/handlers/metrics"
 	"k8s.io/apiserver/pkg/endpoints/handlers/negotiation"
+	"k8s.io/apiserver/pkg/endpoints/handlers/responsewriters"
 	"k8s.io/apiserver/pkg/endpoints/request"
 	"k8s.io/apiserver/pkg/registry/rest"
 	"k8s.io/apiserver/pkg/util/dryrun"
@@ -275,13 +276,7 @@ func withAuthorization(validate rest.ValidateObjectFunc, a authorizer.Authorizer
 		}
 
 		// The user is not authorized to perform this action, so we need to build the error response
-		gr := schema.GroupResource{
+		return responsewriters.ForbiddenStatusError(attributes, authorizerReason)
-			Group:    attributes.GetAPIGroup(),
-			Resource: attributes.GetResource(),
-		}
-		name := attributes.GetName()
-		err := fmt.Errorf("%v", authorizerReason)
-		return errors.NewForbidden(gr, name, err)
 	}
 }