diff --git a/internal/report/report.go b/internal/report/report.go
index dff09f9b..a7ca3467 100644
--- a/internal/report/report.go
+++ b/internal/report/report.go
@@ -132,7 +132,11 @@ func newPolicyReportResult(policy policiesv1.Policy, admissionReview *admissionv
 }
 var message string
- if !errored {
+ // We need to check if Result is not nil because this field is
+ // optional. If the policy returns "allowed" to the admissionReview,
+ // the Result field is not checked by Kubernetes.
+ // https://pkg.go.dev/k8s.io/api@v0.29.2/admission/v1#AdmissionResponse
+ if !errored && admissionReview.Response.Result != nil {
 message = admissionReview.Response.Result.Message
 }
diff --git a/internal/report/report_test.go b/internal/report/report_test.go
index 6f2f01d1..f9edf6e6 100644
--- a/internal/report/report_test.go
+++ b/internal/report/report_test.go
@@ -137,7 +137,7 @@ func TestNewPolicyReportResult(t *testing.T) {
 amissionReview: &admissionv1.AdmissionReview{
 Response: &admissionv1.AdmissionResponse{
 Allowed: true,
- Result: &metav1.Status{Message: "The request was allowed"},
+ Result: nil,
 },
 },
 errored: false,
@@ -149,7 +149,7 @@ func TestNewPolicyReportResult(t *testing.T) {
 Timestamp: now,
 Scored: true,
 SubjectSelector: &metav1.LabelSelector{},
- Description: "The request was allowed",
+ Description: "",
 Properties: map[string]string{
 PropertyPolicyUID: "policy-uid",
 propertyPolicyResourceVersion: "1",
diff --git a/internal/scanner/scanner_test.go b/internal/scanner/scanner_test.go
index 66df1c53..e5bded12 100644
--- a/internal/scanner/scanner_test.go
+++ b/internal/scanner/scanner_test.go
@@ -33,9 +33,7 @@ func newMockPolicyServer() *httptest.Server {
 admissionReview := admissionv1.AdmissionReview{
 Response: &admissionv1.AdmissionResponse{
 Allowed: true,
- Result: &metav1.Status{
- Message: "The request was allowed",
- },
+ Result: nil,
 },
 }
 response, err := json.Marshal(admissionReview)
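Review bot: The new condition on the `if` still dereferences `admissionReview.Response` before it tests `Result`, and `Response` is itself a pointer (the tests in this commit build it with `&admissionv1.AdmissionResponse{...}`), so a review that carries no response while `errored` is false would panic at this line. Whether callers rule that case out is not visible in this hunk; if they do not, a malformed or truncated reply from a policy server could abort report generation instead of being recorded. Consider `if !errored && admissionReview.Response != nil && admissionReview.Response.Result != nil {`. newPolicyReportResult starts and ends outside the hunk, so any earlier use of `Response` in the function may need the same guard.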
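Review bot: Swapping `Result: &metav1.Status{Message: "The request was allowed"}` for `Result: nil` in this table entry removes the only assertion visible here that a non-nil `Result.Message` is copied into `Description`; unless another entry outside the hunk covers that path, keep the original case and add the nil one alongside it. The second hunk of this file (`Description: ""`) and the mock in internal/scanner/scanner_test.go make the same substitution, so after this commit the visible tests exercise only the nil branch. A further entry with `Allowed: false` and `Result: nil` would pin the empty description for rejected requests, which is the case a report reader is most likely to miss.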