Admission controller doesn't send message to api-server? #494

Closed
SachinMaharana opened this issue Apr 16, 2021 · 1 comment · Fixed by #498
Labels
api Api abstraction related bug Something isn't working

SachinMaharana commented Apr 16, 2021

Hi. I am using kube-rs to write a mutating admission controller. I am seeing a certain issue which I intend to highlight here.
Here's a snippet I am working with.

fn admission_error(req: AdmissionRequest<DynamicObject>, err: anyhow::Error, code: i32) -> HttpResponse {

    error!("error in admission: {}", err.to_string());
    let mut resp = AdmissionResponse::from(&req);
    resp.result = Status {
        code: Some(code),
        message: Some("Can i see this message?".to_string()),
        reason: Some(err.to_string()),
        ..Default::default()
    };
    resp.allowed = false;
    HttpResponse::Ok().json(resp.into_review())
}

Here I see the controller is working as expected with the following log.
ERROR image_tag_constraint_controller: error in admission: error with request namespace. cannot inject pod into system ns kube-system.

But I don't see the message/reason for this in the describe output of the resource (ReplicaSet).

Warning  FailedCreate  2s (x12 over 12s)  replicaset-controller  Error creating: admission webhook "image-tag-constraint-controll er.default.svc.cluster.local" denied the request without explanation

Error From API Server:

W0419 07:02:30.018105       1 dispatcher.go:142] rejected by webhook "image-tag-constraint-controll er.default.svc.cluster.local": &errors.StatusError{ErrStatus:v1.Status{TypeMeta:v1.TypeMeta{Kind:"", APIVersion:""}, ListMeta:v1.ListMeta{SelfLink:"", ResourceVersion:"", Continue:"", RemainingItemCount:(*int64)(nil)}, Status:"Failure", Message:"admission webhook \"basic-validation-controller.default.svc.cluster.local\" denied the request without explanation", Reason:"", Details:(*v1.StatusDetails)(nil), Code:400}}

Here I expected to see the message why this was denied. I noticed I couldn't find the logs in the api-server as well.

Am I missing something here?

@SachinMaharana SachinMaharana changed the title Admission controller doesn't send message to client? Admission controller doesn't send message to api-server? Apr 17, 2021
@clux clux added api Api abstraction related bug Something isn't working labels Apr 19, 2021
clux commented Apr 19, 2021

Thanks for trying out admission controller stuff so early before we have released it properly!

This could be a bug. I was hoping that err/reason was going to be used here, but looks like it doesn't.
Although from the response documentation reference it looks like we are doing the right thing.

There is also a warnings field from Kubernetes 1.19, but that doesn't feel like it should be where you put a deny-reason. Does that end up there?

Was hoping to do a cleanup and fully documented setup of this myself before making a minor version for admission + ResourceExt anyway, so this is another thing to look at. Hopefully will have time later. Thanks for the report.

SachinMaharana added a commit to SachinMaharana/kube-rs that referenced this issue Apr 19, 2021
@clux clux closed this as completed in #498 Apr 19, 2021
clux added a commit that referenced this issue Apr 19, 2021
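
Added example, not part of the original thread and not kube-rs code: a check a webhook author can run on the JSON body their handler actually returns, since the `admission.k8s.io/v1` AdmissionReview API carries denial details in `response.status` (a Status object with `message`, `reason` and `code`). The function name `check_admission_review` and both sample payloads are constructed for illustration; they are not captured output from the reporter's controller.

```python
import json

# Fields defined for AdmissionResponse in admission.k8s.io/v1.
KNOWN_RESPONSE_FIELDS = {
    "uid", "allowed", "status", "patch", "patchType",
    "auditAnnotations", "warnings",
}

def check_admission_review(raw, request_uid):
    """Return a list of problems found in a webhook's AdmissionReview reply."""
    problems = []
    review = json.loads(raw)
    if review.get("kind") != "AdmissionReview":
        problems.append("kind must be AdmissionReview")
    resp = review.get("response")
    if not isinstance(resp, dict):
        return problems + ["missing response object"]
    if resp.get("uid") != request_uid:
        problems.append("response.uid does not echo request.uid")
    if not isinstance(resp.get("allowed"), bool):
        problems.append("response.allowed must be a boolean")
    if resp.get("allowed") is False:
        # A denial needs a Status object with text for the client to show.
        status = resp.get("status")
        if not isinstance(status, dict):
            problems.append("denial has no response.status object")
        elif not status.get("message") and not status.get("reason"):
            problems.append("response.status has neither message nor reason")
    # Anything outside the schema never reaches the client as a deny reason.
    for key in sorted(set(resp) - KNOWN_RESPONSE_FIELDS):
        problems.append(f"unknown response field {key!r}")
    return problems

# Constructed sample: denial with details under "status".
GOOD = json.dumps({
    "apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
    "response": {"uid": "abc-123", "allowed": False,
                 "status": {"code": 400, "message": "cannot inject pod into system ns"}},
})

# Constructed sample: same details under a key that is not in the schema.
BAD = json.dumps({
    "apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
    "response": {"uid": "abc-123", "allowed": False,
                 "result": {"code": 400, "message": "cannot inject pod into system ns"}},
})

if __name__ == "__main__":
    for name, body in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_admission_review(body, "abc-123"))
```

Feeding it the body logged by the webhook's HTTP layer for a denied request shows whether the deny text is present on the wire or is lost before it leaves the controller.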