From e7fe237dcd5ba66b407a78976237c2ec3823ac55 Mon Sep 17 00:00:00 2001
From: Joe Betz <jpbetz@google.com>
Date: Thu, 9 Feb 2023 09:20:52 -0500
Subject: [PATCH] Clarify that audit annotations are independent of
 validationActions

---
 keps/sig-api-machinery/3488-cel-admission-control/README.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/keps/sig-api-machinery/3488-cel-admission-control/README.md b/keps/sig-api-machinery/3488-cel-admission-control/README.md
index 2ce75690433..58a36af6311 100644
--- a/keps/sig-api-machinery/3488-cel-admission-control/README.md
+++ b/keps/sig-api-machinery/3488-cel-admission-control/README.md
@@ -1115,6 +1115,9 @@ spec:
 `auditAnnotations` are independent of `validations`. A `ValidatingAdmissionPolicy`
 may contain only `validations`, only `auditAnnotations` or both.
 
+Auudit annotations are recorded regardless of whether a
+ValidatingAdmissionPolicyBinding's `validationActions` include `Audit`.
+
 The published annotation key will be of the form `<ValidatingPolicyDefinition
 name>/<auditAnnotation key>` and will be validated as a
 [QualifiedName](https://github.com/kubernetes/kubernetes/blob/dfa4143086bf504c6c72d5eee8a2210b8ed41b9a/staging/src/k8s.io/apimachinery/pkg/util/validation/validation.go#L43).