From 5407376768473b96a0bf8a5d1ed720e23d1b1866 Mon Sep 17 00:00:00 2001
From: James Munnelly
Date: Thu, 16 Dec 2021 16:08:54 +0000
Subject: [PATCH] Add comment clarifying why we absorb authorizer errors

Signed-off-by: James Munnelly
---
 .../certificaterequest/approval/certificaterequest_approval.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/internal/plugin/admission/certificaterequest/approval/certificaterequest_approval.go b/internal/plugin/admission/certificaterequest/approval/certificaterequest_approval.go
index 2e3e5600e..a85c6bdb3 100644
--- a/internal/plugin/admission/certificaterequest/approval/certificaterequest_approval.go
+++ b/internal/plugin/admission/certificaterequest/approval/certificaterequest_approval.go
@@ -218,6 +218,9 @@ func userInfoForRequest(req admissionv1.AdmissionRequest) user.Info {
 
 // isAuthorizedForSignerName checks whether an entity is authorized to 'approve' certificaterequests
 // for a given signerName.
+// We absorb errors from the authorizer because they are already retried by the underlying authorization
+// client, so we shouldn't ever see them unless the context webhook doesn't have the ability to submit
+// SARs or the context is cancelled (in which case, the AdmissionResponse won't ever be returned to the apiserver).
 func isAuthorizedForSignerName(ctx context.Context, authz authorizer.Authorizer, info user.Info, signerName string) bool {
 verb := "approve"
 // First check if the user has explicit permission to 'approve' for the given signerName.
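Review bot: The new doc comment on isAuthorizedForSignerName never says which result an absorbed authorizer error produces, and for an approval check that is what a reader most needs to know. The function body lies outside the hunk, so the result cannot be confirmed here; if an error does end in `return false`, state it with a line such as `// An authorizer error is treated as "not authorized"; this function never fails open.` The phrase `unless the context webhook doesn't have the ability to submit SARs` looks like a slip; `unless the webhook lacks permission to create SubjectAccessReviews` reads more clearly. If errors are dropped without a log line, a webhook missing that RBAC permission would presumably reject every approval with no visible cause, so consider logging the absorbed error before returning.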