mondoohq / mondoo-operator

☸️ Mondoo Client Kubernetes Operator
https://mondoo.com

Return details why a payload was denied #416

Open czunker opened 2 years ago

czunker commented 2 years ago

Is your feature request related to a problem? Please describe.

Describe the solution you'd like

When we run the admission webhook in enforcing mode, it does not provide details on why an object was denied: https://github.com/mondoohq/mondoo-operator/blob/main/pkg/webhooks/handler/webhook.go#L135

With kubectl it looks like this:

Error from server (FAILED MONDOO SCAN): error when creating "ubuntu-privileged.yaml": admission webhook "policy.k8s.mondoo.com" denied the request: FAILED MONDOO SCAN

Describe alternatives you've considered

The current way is to look up the details in the Mondoo console.

Additional context

What do we do when multiple rules report problems? Do we only report the worst rule?

imilchev commented 2 years ago

I guess we should return the score from the scan. The Mondoo Client has a --score-threshold which determines when a scan will exit with 1. In the longer term we probably need to expose such a configuration for the admission controller as well, so that it would deny only resources with a score below a certain threshold. If we head in that direction, then showing the score should be sufficient I suppose.

To make it a bit nicer we could technically also return the link to view the asset in the Mondoo UI. Not sure if we have enough information to generate that link though.
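An added illustration of the mechanism discussed in this thread (example code, not the operator's own implementation): the apiserver relays the webhook's `response.status.message` back to the client, which is exactly the text kubectl prints after `denied the request:`. So the score and the failing checks can be surfaced by filling that field instead of the bare "FAILED MONDOO SCAN". The `ScanResult`/`CheckResult` types, the `Review` helper and the sample scan data below are assumptions for the example; only the `AdmissionReview` JSON field names come from the `admission.k8s.io/v1` wire format.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Minimal subset of the admission.k8s.io/v1 AdmissionReview response.
// The apiserver hands response.status.message to the client verbatim, so
// kubectl shows: admission webhook "<name>" denied the request: <message>
type AdmissionReview struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	Response   *AdmissionResponse `json:"response,omitempty"`
}

type AdmissionResponse struct {
	UID     string  `json:"uid"`
	Allowed bool    `json:"allowed"`
	Result  *Status `json:"status,omitempty"`
}

type Status struct {
	Message string `json:"message,omitempty"`
	Reason  string `json:"reason,omitempty"`
	Code    int32  `json:"code,omitempty"`
}

// CheckResult is a hypothetical per-check outcome (not the operator's type).
type CheckResult struct {
	Title  string
	Passed bool
}

// ScanResult is a hypothetical scan summary: an asset score from 0 to 100
// plus the individual checks that produced it.
type ScanResult struct {
	AssetScore int
	Checks     []CheckResult
}

// DenialMessage reports the asset score against the threshold and lists every
// failing check (capped at maxChecks), so the user sees all problems rather
// than only the worst rule.
func DenialMessage(res ScanResult, threshold, maxChecks int) string {
	var failing []string
	for _, c := range res.Checks {
		if !c.Passed {
			failing = append(failing, c.Title)
		}
	}
	var b strings.Builder
	fmt.Fprintf(&b, "FAILED MONDOO SCAN: asset score %d is below threshold %d", res.AssetScore, threshold)
	if len(failing) == 0 {
		return b.String()
	}
	if len(failing) > maxChecks {
		extra := len(failing) - maxChecks
		failing = append(failing[:maxChecks], fmt.Sprintf("(+%d more)", extra))
	}
	b.WriteString("; failing checks: ")
	b.WriteString(strings.Join(failing, ", "))
	return b.String()
}

// Review builds the AdmissionReview for request uid: allowed when the asset
// score meets the threshold, otherwise denied with the detailed message.
func Review(uid string, res ScanResult, threshold int) AdmissionReview {
	resp := &AdmissionResponse{UID: uid, Allowed: res.AssetScore >= threshold}
	if !resp.Allowed {
		resp.Result = &Status{
			Message: DenialMessage(res, threshold, 5),
			Reason:  "Forbidden",
			Code:    403,
		}
	}
	return AdmissionReview{APIVersion: "admission.k8s.io/v1", Kind: "AdmissionReview", Response: resp}
}

func main() {
	// Constructed sample scan result, not real Mondoo output.
	res := ScanResult{AssetScore: 40, Checks: []CheckResult{
		{Title: "Container should not run as privileged", Passed: false},
		{Title: "Container should drop all capabilities", Passed: false},
		{Title: "Image should use a pinned tag", Passed: true},
	}}
	out, _ := json.MarshalIndent(Review("uid-1", res, 80), "", "  ")
	fmt.Println(string(out))
}
```

The threshold mirrors the `--score-threshold` idea from the comment above: the same number decides both whether the request is denied and what the message says, so a user reading the kubectl error can tell how far the asset was from passing without opening the console.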