Merge pull request #11549 from liggitt/rsh-error

Merged by openshift-bot

Author: OpenShift Bot

pkg/security/admission/scc_exec.go

@@ -1,6 +1,7 @@
 package admission
 
 import (
+	"fmt"
 	"io"
 
 	oadmission "github.com/openshift/origin/pkg/cmd/server/admission"
@@ -48,7 +49,7 @@ func (d *sccExecRestrictions) Admit(a kadmission.Attributes) (err error) {
 	// we're allowed to use the SA the pod is using.  Otherwise, user-A creates pod and user-B (who can't use the SA) can exec into it.
 	createAttributes := kadmission.NewAttributesRecord(pod, pod, kapi.Kind("Pod").WithVersion(""), a.GetNamespace(), a.GetName(), a.GetResource(), "", kadmission.Create, a.GetUserInfo())
 	if err := d.constraintAdmission.Admit(createAttributes); err != nil {
-		return kadmission.NewForbidden(a, err)
+		return kadmission.NewForbidden(a, fmt.Errorf("%s operation is not allowed because the pod's security context exceeds your permissions: %v", a.GetSubresource(), err))
 	}
 
 	return nil