Check for length instead, add comments

lib/services/access_request.go

@@ -61,6 +61,9 @@ const (
 	// the access request can be reviewed. Defaults to 1 week.
 	requestTTL = 7 * day
 
+	// InvalidKubernetesKindAccessRequest is used in part of error messages related to
+	// `request.kubernetes_resources` config. It's also used to determine if a returned error
+	// contains this string (in tests and tsh) to customize error messages shown to user.
 	InvalidKubernetesKindAccessRequest = `your Teleport role's "request.kubernetes_resources" field`
 )
 
@@ -1685,13 +1688,13 @@ func (m *RequestValidator) pruneRequestedRolesNotMatchingKubernetesResourceKinds
 		allowedKinds, deniedKinds := getKubeResourceKinds(m.kubernetesResource.allow[requestedRoleName]), getKubeResourceKinds(m.kubernetesResource.deny)
 
 		// Any resource is allowed.
-		if allowedKinds == nil && deniedKinds == nil {
+		if len(allowedKinds) == 0 && len(deniedKinds) == 0 {
 			goodRoles[requestedRoleName] = struct{}{}
 			continue
 		}
 
 		// All supported kube kinds are allowed when there was nothing configured.
-		if allowedKinds == nil {
+		if len(allowedKinds) == 0 {
 			allowedKinds = types.KubernetesResourcesKinds
 			allowedKinds = append(allowedKinds, types.KindKubernetesCluster)
 		}
@@ -2040,8 +2043,12 @@ func getInvalidKubeKindAccessRequestsError(mappedRequestedRolesToAllowedKinds ma
 	if requestedRoles {
 		requestWord = "requested"
 	}
+
+	// This error must be in sync with web UI's RequestCheckout.tsx ("checkSupportForKubeResources").
+	// Web UI relies on the exact format of this error message to determine what kube kinds are
+	// supported since web UI does not support all kube resources at this time.
 	return trace.BadParameter(`%s did not allow requesting to some or all of the requested `+
-		`Kubernetes resources. allowed kinds for each %s roles - %v`,
+		`Kubernetes resources. allowed kinds for each %s roles: %v`,
 		InvalidKubernetesKindAccessRequest, requestWord, allowedStr)
 }