// FillPodSecurityPolicySubjectReviewStatus fills PodSecurityPolicySubjectReviewStatus assigning SecurityContectConstraint to the PodSpec
func FillPodSecurityPolicySubjectReviewStatus(s *securityapi.PodSecurityPolicySubjectReviewStatus, provider kscc.SecurityContextConstraintsProvider, spec kapi.PodSpec, constraint *kapi.SecurityContextConstraints) (bool, error) {
pod := &kapi.Pod{
Spec: spec,
}
if errs := oscc.AssignSecurityContext(provider, pod, field.NewPath(fmt.Sprintf("provider %s: ", provider.GetSCCName()))); len(errs) > 0 {
glog.Errorf("unable to assign SecurityContextConstraints provider: %v", errs)
s.Reason = "CantAssignSecurityContextConstraintProvider"
return false, fmt.Errorf("unable to assign SecurityContextConstraints provider: %v", errs.ToAggregate())
}
ref, err := kapi.GetReference(constraint)
if err != nil {
s.Reason = "CantObtainReference"
return false, fmt.Errorf("unable to get SecurityContextConstraints reference: %v", err)
}
s.AllowedBy = ref
if len(spec.ServiceAccountName) > 0 {
s.Template.Spec = pod.Spec
}
return true, nil
}
