From 339c81f9a86b4a62fbff4d38651cf1cfc47302a4 Mon Sep 17 00:00:00 2001
From: jyz0309 <45495947@qq.com>
Date: Sun, 15 Aug 2021 00:05:41 +0800
Subject: [PATCH 1/4] add log
Signed-off-by: jyz0309 <45495947@qq.com>
---
 .../k8s.io/pod-security-admission/admission/admission.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/staging/src/k8s.io/pod-security-admission/admission/admission.go b/staging/src/k8s.io/pod-security-admission/admission/admission.go
index 2a23323024f..b12e274b6c4 100644
--- a/staging/src/k8s.io/pod-security-admission/admission/admission.go
+++ b/staging/src/k8s.io/pod-security-admission/admission/admission.go
@@ -350,7 +350,7 @@ func (a *Admission) ValidatePod(ctx context.Context, attrs Attributes) *admissio
 return sharedAllowedResponse()
 }
 }
- return a.EvaluatePod(ctx, nsPolicy, nsPolicyErr, &pod.ObjectMeta, &pod.Spec, true)
+ return a.EvaluatePod(ctx, nsPolicy, nsPolicyErr, &pod.ObjectMeta, &pod.Spec, attrs, true)
 }
 
 // ValidatePodController evaluates a pod controller create or update request against the effective policy for the namespace.
@@ -390,13 +390,13 @@ func (a *Admission) ValidatePodController(ctx context.Context, attrs Attributes)
 // if a controller with an optional pod spec does not contain a pod spec, skip validation
 return sharedAllowedResponse()
 }
- return a.EvaluatePod(ctx, nsPolicy, nsPolicyErr, podMetadata, podSpec, false)
+ return a.EvaluatePod(ctx, nsPolicy, nsPolicyErr, podMetadata, podSpec, attrs, false)
 }
 
 // EvaluatePod evaluates the given policy against the given pod(-like) object.
 // The enforce policy is only checked if enforce=true.
 // The returned response may be shared between evaluations and must not be mutated.
-func (a *Admission) EvaluatePod(ctx context.Context, nsPolicy api.Policy, nsPolicyErr error, podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec, enforce bool) *admissionv1.AdmissionResponse {
+func (a *Admission) EvaluatePod(ctx context.Context, nsPolicy api.Policy, nsPolicyErr error, podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec, attrs Attributes, enforce bool) *admissionv1.AdmissionResponse {
 // short-circuit on exempt runtimeclass
 if a.exemptRuntimeClass(podSpec.RuntimeClassName) {
 return sharedAllowedResponse()
@@ -407,8 +407,8 @@ func (a *Admission) EvaluatePod(ctx context.Context, nsPolicy api.Policy, nsPoli
 klog.V(2).InfoS("failed to parse PodSecurity namespace labels", "err", nsPolicyErr)
 auditAnnotations["error"] = fmt.Sprintf("Failed to parse policy: %v", nsPolicyErr)
 }
 
- // TODO: log nsPolicy evaluation with context (op, resource, namespace, name) for the request.
+ klog.V(2).InfoS("nsPolicy evaluation", "op", attrs.GetOperation(), "resource", attrs.GetResource(), "namespace", attrs.GetNamespace(), "name", attrs.GetName())
 response := allowedResponse()
 if enforce {
 if result := policy.AggregateCheckResults(a.Evaluator.EvaluatePod(nsPolicy.Enforce, podMetadata, podSpec)); !result.Allowed {
From e93e29a6bc3c74efd4db4819d06bfa341232f9fd Mon Sep 17 00:00:00 2001
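Review bot: The doc comment above the new EvaluatePod signature does not say what attrs is for, and within this series it is read only by the log line added in the @@ -407 hunk, so a reader of the signature may assume it feeds the evaluation itself. Suggest adding `// attrs supplies request context (operation, resource, namespace, name) for logging and does not influence the evaluation.` under the existing three comment lines. EvaluatePod is an exported method of a staging package, so inserting a parameter before enforce also breaks any external caller, which the commit message should state. EvaluatePod's body continues past the end of the hunk.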
From: jyz0309 <45495947@qq.com>
Date: Sat, 25 Sep 2021 09:31:55 +0800
Subject: [PATCH 2/4] address comment
Signed-off-by: jyz0309 <45495947@qq.com>
---
 .../src/k8s.io/pod-security-admission/admission/admission.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/staging/src/k8s.io/pod-security-admission/admission/admission.go b/staging/src/k8s.io/pod-security-admission/admission/admission.go
index b12e274b6c4..9d3965e715c 100644
--- a/staging/src/k8s.io/pod-security-admission/admission/admission.go
+++ b/staging/src/k8s.io/pod-security-admission/admission/admission.go
@@ -408,7 +408,10 @@ func (a *Admission) EvaluatePod(ctx context.Context, nsPolicy api.Policy, nsPoli
 auditAnnotations["error"] = fmt.Sprintf("Failed to parse policy: %v", nsPolicyErr)
 }
 
- klog.V(2).InfoS("nsPolicy evaluation", "op", attrs.GetOperation(), "resource", attrs.GetResource(), "namespace", attrs.GetNamespace(), "name", attrs.GetName())
+ if klog.V(4).Enabled() {
+ klog.InfoS("Pod Security evaluation", "policy", nsPolicy, "op", attrs.GetOperation(), "resource", attrs.GetResource(), "namespace", attrs.GetNamespace(), "name", attrs.GetName())
+ }
+
 response := allowedResponse()
 if enforce {
 if result := policy.AggregateCheckResults(a.Evaluator.EvaluatePod(nsPolicy.Enforce, podMetadata, podSpec)); !result.Allowed {
From 88e35021e69f0981694c500e09dbfb4e89976719 Mon Sep 17 00:00:00 2001
From: jyz0309 <45495947@qq.com>
Date: Tue, 28 Sep 2021 17:15:44 +0800
Subject: [PATCH 3/4] address comment
Signed-off-by: jyz0309 <45495947@qq.com>
---
 .../src/k8s.io/pod-security-admission/admission/admission.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/staging/src/k8s.io/pod-security-admission/admission/admission.go b/staging/src/k8s.io/pod-security-admission/admission/admission.go
index 9d3965e715c..d1c2049b82b 100644
--- a/staging/src/k8s.io/pod-security-admission/admission/admission.go
+++ b/staging/src/k8s.io/pod-security-admission/admission/admission.go
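Review bot: Inside the new `if klog.V(4).Enabled()` guard the call is the unlevelled `klog.InfoS`, so the verbosity is attached to the guard rather than to the log call and is silently lost if someone later removes the guard. Writing the call as `klog.V(4).InfoS("Pod Security evaluation", ...)` keeps the level with the line; the explicit Enabled() check is then only worth keeping where the key/value arguments are costly to build, which the plain attrs getters here are not. The later @@ -409 and @@ -408 hunks of this series keep the same shape. The added lone `+` line after the closing brace introduces a blank line that was not there before; it looks unintentional. EvaluatePod starts and ends outside the hunk.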
@@ -409,7 +409,7 @@ func (a *Admission) EvaluatePod(ctx context.Context, nsPolicy api.Policy, nsPoli
 }
 
 if klog.V(4).Enabled() {
- klog.InfoS("Pod Security evaluation", "policy", nsPolicy, "op", attrs.GetOperation(), "resource", attrs.GetResource(), "namespace", attrs.GetNamespace(), "name", attrs.GetName())
+ klog.InfoS("Pod Security evaluation", "policy", fmt.Sprintf("%v", nsPolicy), "op", attrs.GetOperation(), "resource", attrs.GetResource(), "namespace", attrs.GetNamespace(), "name", attrs.GetName())
 }
 
 response := allowedResponse()
From f157aa17f2aa19f38c1432397ffe76cf726f3df0 Mon Sep 17 00:00:00 2001
From: jyz0309 <45495947@qq.com>
Date: Wed, 29 Sep 2021 09:30:16 +0800
Subject: [PATCH 4/4] bump version to 5
Signed-off-by: jyz0309 <45495947@qq.com>
---
 .../src/k8s.io/pod-security-admission/admission/admission.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/staging/src/k8s.io/pod-security-admission/admission/admission.go b/staging/src/k8s.io/pod-security-admission/admission/admission.go
index d1c2049b82b..74924a89987 100644
--- a/staging/src/k8s.io/pod-security-admission/admission/admission.go
+++ b/staging/src/k8s.io/pod-security-admission/admission/admission.go
@@ -408,7 +408,7 @@ func (a *Admission) EvaluatePod(ctx context.Context, nsPolicy api.Policy, nsPoli
 auditAnnotations["error"] = fmt.Sprintf("Failed to parse policy: %v", nsPolicyErr)
 }
 
- if klog.V(4).Enabled() {
+ if klog.V(5).Enabled() {
 klog.InfoS("Pod Security evaluation", "policy", fmt.Sprintf("%v", nsPolicy), "op", attrs.GetOperation(), "resource", attrs.GetResource(), "namespace", attrs.GetNamespace(), "name", attrs.GetName())
 }
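Review bot: `fmt.Sprintf("%v", nsPolicy)` renders the policy struct positionally, so the log line shows the level/version pairs without saying which of them is Enforce (the field the enforce branch reads just below the hunk); `fmt.Sprintf("%+v", nsPolicy)` keeps the field names at no extra cost and is the more useful form for someone reconstructing why a request was admitted or rejected. The Sprintf is correctly placed under the Enabled() guard, so it is not evaluated at lower verbosity. Note also that the line is emitted before `response` is computed, so it records the inputs but not the outcome; if the intent is to trace evaluations end to end, the result would need to be logged further down as well. EvaluatePod starts and ends outside the hunk; the patch 4 hunk changes only the guard's verbosity and keeps this line unchanged.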