kubernetes
diff --git a/‎pkg/apis/imagepolicy/types.go
+6-1 b/‎pkg/apis/imagepolicy/types.go
+6-1
diff --git a/‎pkg/apis/imagepolicy/v1alpha1/zz_generated.conversion.go
+2 b/‎pkg/apis/imagepolicy/v1alpha1/zz_generated.conversion.go
+2
diff --git a/‎pkg/apis/imagepolicy/zz_generated.deepcopy.go
+8-1 b/‎pkg/apis/imagepolicy/zz_generated.deepcopy.go
+8-1
diff --git a/‎plugin/pkg/admission/imagepolicy/admission.go
+23-1 b/‎plugin/pkg/admission/imagepolicy/admission.go
+23-1
@@ -56,12 +56,17 @@ type ImageReviewContainerSpec struct {
 	// In future, we may add command line overrides, exec health check command lines, and so on.
 }
 
-// ImageReviewStatus is the result of the token authentication request.
+// ImageReviewStatus is the result of the review for the pod creation request.
 type ImageReviewStatus struct {
 	// Allowed indicates that all images were allowed to be run.
 	Allowed bool
 	// Reason should be empty unless Allowed is false in which case it
 	// may contain a short description of what is wrong.  Kubernetes
 	// may truncate excessively long errors when displaying to the user.
 	Reason string
+	// AuditAnnotations will be added to the attributes object of the
+	// admission controller request using 'AddAnnotation'.  The keys should
+	// be prefix-less (i.e., the admission controller will add an
+	// appropriate prefix).
+	AuditAnnotations map[string]string
 }
@@ -46,6 +46,21 @@ import (
 // PluginName indicates name of admission plugin.
 const PluginName = "ImagePolicyWebhook"
 
+// AuditKeyPrefix is used as the prefix for all audit keys handled by this
+// pluggin. Some well known suffixes are listed below.
+var AuditKeyPrefix = strings.ToLower(PluginName) + ".image-policy.k8s.io/"
+
+const (
+	// ImagePolicyFailedOpenKeySuffix in an annotation indicates the image
+	// review failed open when the image policy webhook backend connection
+	// failed.
+	ImagePolicyFailedOpenKeySuffix string = "failed-open"
+
+	// ImagePolicyAuditRequiredKeySuffix in an annotation indicates the pod
+	// should be audited.
+	ImagePolicyAuditRequiredKeySuffix string = "audit-required"
+)
+
 var (
 	groupVersions = []schema.GroupVersion{v1alpha1.SchemeGroupVersion}
 )
@@ -97,12 +112,15 @@ func (a *Plugin) webhookError(pod *api.Pod, attributes admission.Attributes, err
 	if err != nil {
 		glog.V(2).Infof("error contacting webhook backend: %s", err)
 		if a.defaultAllow {
+			attributes.AddAnnotation(AuditKeyPrefix+ImagePolicyFailedOpenKeySuffix, "true")
+			// TODO(wteiken): Remove the annotation code for the 1.13 release
 			annotations := pod.GetAnnotations()
 			if annotations == nil {
 				annotations = make(map[string]string)
 			}
 			annotations[api.ImagePolicyFailedOpenKey] = "true"
 			pod.ObjectMeta.SetAnnotations(annotations)
+
 			glog.V(2).Infof("resource allowed in spite of webhook backend failure")
 			return nil
 		}
@@ -174,13 +192,17 @@ func (a *Plugin) admitPod(pod *api.Pod, attributes admission.Attributes, review
 		a.responseCache.Add(string(cacheKey), review.Status, a.statusTTL(review.Status))
 	}
 
+	for k, v := range review.Status.AuditAnnotations {
+		if err := attributes.AddAnnotation(AuditKeyPrefix+k, v); err != nil {
+			glog.Warningf("failed to set admission audit annotation %s to %s: %v", AuditKeyPrefix+k, v, err)
+		}
+	}
 	if !review.Status.Allowed {
 		if len(review.Status.Reason) > 0 {
 			return fmt.Errorf("image policy webhook backend denied one or more images: %s", review.Status.Reason)
 		}
 		return errors.New("one or more images rejected by webhook backend")
 	}
-
 	return nil
 }