UPSTREAM: <carry>: pod-security: don't fail on SCC admission error

stlaz · stlaz · commit b4e019f9bb91 · 2023-01-16T11:43:15.000+01:00
If we propagate SCC admission error during pod extraction to PodSecurity
admission, the latter will log the error instead of continuing with
unmutated pod spec, and so we will not get a validation error in
either the audit logs or as a warning.
diff --git a/plugin/pkg/admission/security/podsecurity/patch_podspecextractor.go b/plugin/pkg/admission/security/podsecurity/patch_podspecextractor.go
@@ -96,7 +96,7 @@ func (s *SCCMutatingPodSpecExtractor) ExtractPodSpec(obj runtime.Object) (*metav
 		klog.ErrorS(err, "failed to mutate object for PSA using SCC")
 		utilruntime.HandleError(fmt.Errorf("failed to mutate object for PSA using SCC: %w", err))
 		// TODO remove this failure we're causing when SCC fails, but for now we actually need to see our test fail because that was almost really bad.
-		return podTemplateMeta, originalPodSpec, err
+		return podTemplateMeta, originalPodSpec, nil
 	}
 
 	if err := v1.Convert_core_Pod_To_v1_Pod(internalPod, pod, nil); err != nil {

Original file line number	Diff line number	Diff line change
`@@ -96,7 +96,7 @@ func (s SCCMutatingPodSpecExtractor) ExtractPodSpec(obj runtime.Object) (metav`
`96`	`96`	`klog.ErrorS(err, "failed to mutate object for PSA using SCC")`
`97`	`97`	`utilruntime.HandleError(fmt.Errorf("failed to mutate object for PSA using SCC: %w", err))`
`98`	`98`	`// TODO remove this failure we're causing when SCC fails, but for now we actually need to see our test fail because that was almost really bad.`
`99`		`- return podTemplateMeta, originalPodSpec, err`
	`99`	`+ return podTemplateMeta, originalPodSpec, nil`
`100`	`100`	`}`
`101`	`101`
`102`	`102`	`if err := v1.Convert_core_Pod_To_v1_Pod(internalPod, pod, nil); err != nil {`