Commit
fix(internal/request): add missing impersonate groups for serviceaccounts (#350)

When clients request to impersonate a user, the group impersonation should be done only when clients also explicitly request to impersonate a group. Nevertheless, an exception should be considered for service accounts.

With the service account built-in authenticator, requests made with a service account token are authenticated as:
- user name: system:serviceaccount:<namespace>:<serviceaccount_name>
- groups:
  - system:serviceaccounts
  - system:serviceaccounts:<namespace>
  - system:authenticated (included for all authenticated users)

This patch considers the case of service accounts, adding the mentioned groups to the list of impersonate groups when requests try to impersonate a service account's user.

More details in the official documentation about service account authenticator [1] and user impersonation [2].

1. https://kubernetes.io/docs/reference/access-authn-authz/authentication/#service-account-tokens
2. https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation

Signed-off-by: Massimiliano Giovagnoli <[email protected]>
Co-authored-by: Dario Tranchitella <[email protected]>
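The rule the commit message describes, as an added Go sketch that is not the project's own code: the function names, the `team-a`/`builder` sample values and the strict two-segment username check are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

const saPrefix = "system:serviceaccount:"

// serviceAccountGroups (hypothetical helper) returns the groups listed in the
// commit message for a system:serviceaccount:<namespace>:<name> user, or
// false when the user name does not have exactly that shape.
func serviceAccountGroups(user string) ([]string, bool) {
	if !strings.HasPrefix(user, saPrefix) {
		return nil, false
	}
	parts := strings.Split(user[len(saPrefix):], ":")
	// Assumption: malformed names (missing or extra segments) get no implicit groups.
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return nil, false
	}
	return []string{"system:serviceaccounts", "system:serviceaccounts:" + parts[0], "system:authenticated"}, true
}

// impersonateGroups (hypothetical helper) keeps the explicitly requested
// groups and appends the service account groups only for service account users.
func impersonateGroups(user string, requested []string) []string {
	seen := map[string]bool{}
	var out []string
	sa, _ := serviceAccountGroups(user)
	for _, g := range append(append([]string{}, requested...), sa...) {
		if !seen[g] { // de-duplicate while preserving order
			seen[g] = true
			out = append(out, g)
		}
	}
	return out
}

func main() {
	// Constructed sample identities.
	fmt.Println(impersonateGroups("system:serviceaccount:team-a:builder", nil))
	fmt.Println(impersonateGroups("alice", []string{"dev"}))
	fmt.Println(impersonateGroups("system:serviceaccount:team-a", nil))
}
```

Regular users keep only the groups they asked for, so the exception does not widen group impersonation beyond service account identities.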