
Feature Request: allow operators to provide custom rejection message

Open viccuad opened this issue 5 months ago • 0 comments

Cluster operators may want to provide a more specific rejection message than those provided by the policy author.

The rejection message from the cluster operator should have more priority than the ones from the policy author, as some policies may need recompilation for their messages to change.

Acceptance criteria

  • Add a new spec.message to (Cluster)AdmissionPolicies, optional, that expects a string. If provided, this new field will specify the message used when the policy performs a rejection. This substitutes the original rejection message provided by the policy (usually hardcoded). The original rejection message will be available as part of the Warnings inside of the AdmissionResponse object.

Considerations

Both Rego and CEL already support custom rejection messages via deny[msg] { msg } (example), and validations[{expression, messageExpression}] (example). Yet Rego policies need recompilation. Both of these messages will be part of the Warnings if the new spec.message is used.

PolicyGroups already have spec.message, and the per-member messages already are part of the Warnings.

For PolicyReports no changes are needed. The error message will end up in the PolicyReportResult spec.Description, as usual rejection messages do. We need to schedule work to include the messages in Warnings into PolicyReportResults nevertheless.

In the future, we could add a new spec.messageExpression, optional, that expects a CEL expression.

viccuad, Sep 11 '24 08:09
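The precedence rule proposed above (operator-supplied spec.message replaces the policy author's message, and the original is preserved as a warning), worked through as an added example. This is not kubewarden-controller code: the AdmissionResponse and PolicyVerdict structs are minimal stand-ins for the real Kubernetes and Kubewarden types, and BuildResponse is a hypothetical helper.

```go
package main

import "fmt"

// AdmissionResponse is a minimal stand-in (assumption) for the fields of the
// Kubernetes AdmissionResponse that matter here.
type AdmissionResponse struct {
	Allowed  bool
	Message  string   // returned in Result.Message when the request is rejected
	Warnings []string // surfaced to the API client as "Warning:" headers
}

// PolicyVerdict is a hypothetical shape for what a policy module returns.
type PolicyVerdict struct {
	Accepted bool
	Message  string // rejection message chosen by the policy author, often hardcoded
}

// BuildResponse applies the proposed precedence: when the operator set
// spec.message it wins, and the policy's own message moves into Warnings so
// it is not lost; when spec.message is empty the policy's message is used as-is.
func BuildResponse(v PolicyVerdict, operatorMessage string) AdmissionResponse {
	if v.Accepted {
		return AdmissionResponse{Allowed: true}
	}
	if operatorMessage == "" {
		return AdmissionResponse{Allowed: false, Message: v.Message}
	}
	resp := AdmissionResponse{Allowed: false, Message: operatorMessage}
	if v.Message != "" {
		resp.Warnings = append(resp.Warnings, "original rejection message: "+v.Message)
	}
	return resp
}

func main() {
	// Constructed sample: a policy rejects with its hardcoded message while the
	// operator configured a cluster-specific spec.message.
	verdict := PolicyVerdict{Accepted: false, Message: "image not from trusted registry"}
	resp := BuildResponse(verdict, "Contact the platform team to allowlist your registry")
	fmt.Printf("allowed=%v message=%q warnings=%q\n", resp.Allowed, resp.Message, resp.Warnings)
}
```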