From 892d38cf46bee1c0a9b3ebf7ef482fa3ade36f13 Mon Sep 17 00:00:00 2001
From: Jordan Liggitt <jliggitt@redhat.com>
Date: Tue, 25 Oct 2016 00:25:22 -0400
Subject: [PATCH] Improve exec/attach error message

---
 pkg/security/admission/scc_exec.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/pkg/security/admission/scc_exec.go b/pkg/security/admission/scc_exec.go
index 6a7095c3cca9..7cad324478bc 100644
--- a/pkg/security/admission/scc_exec.go
+++ b/pkg/security/admission/scc_exec.go
@@ -1,6 +1,7 @@
 package admission
 
 import (
+	"fmt"
 	"io"
 
 	oadmission "github.com/openshift/origin/pkg/cmd/server/admission"
@@ -48,7 +49,7 @@ func (d *sccExecRestrictions) Admit(a kadmission.Attributes) (err error) {
 	// we're allowed to use the SA the pod is using.  Otherwise, user-A creates pod and user-B (who can't use the SA) can exec into it.
 	createAttributes := kadmission.NewAttributesRecord(pod, pod, kapi.Kind("Pod").WithVersion(""), a.GetNamespace(), a.GetName(), a.GetResource(), "", kadmission.Create, a.GetUserInfo())
 	if err := d.constraintAdmission.Admit(createAttributes); err != nil {
-		return kadmission.NewForbidden(a, err)
+		return kadmission.NewForbidden(a, fmt.Errorf("%s operation is not allowed because the pod's security context exceeds your permissions: %v", a.GetSubresource(), err))
 	}
 
 	return nil