Fix console impersonation (#90)

The console started checking with the following `SelfSubjectAccessReview`: ``` { "kind": "SelfSubjectAccessReview", "apiVersion": "authorization.k8s.io/v1", "metadata": { "creationTimestamp": null, }, "spec": { "resourceAttributes": { "verb": "impersonate", "group": "authorization.k8s.io", "resource": "users", "name": "cluster-admin" } }, "status": { "allowed": false } } ``` Both users.authorization.k8s.io and `users` seem to be correct to receive impersonation rights in the API server.
appuio · Jan 22, 2024 · 803451e · 803451e
1 parent e67bf2f
commit 803451e
Show file tree

Hide file tree

Showing 3 changed files with 3 additions and 1 deletion.
diff --git a/component/rbac.libsonnet b/component/rbac.libsonnet
@@ -30,7 +30,7 @@ local sudoGroupSubjects = std.map(
 
 local sudoClusterRole = kube.ClusterRole('sudo-impersonator') {
   rules: [ {
-    apiGroups: [ '' ],
+    apiGroups: [ '', 'authorization.k8s.io' ],
     resources: [ 'users', 'serviceaccounts', 'groups' ],
     verbs: [ 'impersonate' ],
   }, {

diff --git a/tests/golden/defaults/openshift4-authentication/openshift4-authentication/30_rbac.yaml b/tests/golden/defaults/openshift4-authentication/openshift4-authentication/30_rbac.yaml
@@ -8,6 +8,7 @@ metadata:
 rules:
   - apiGroups:
       - ''
+      - authorization.k8s.io
     resources:
       - users
       - serviceaccounts

diff --git a/tests/golden/no-ldap/openshift4-authentication/openshift4-authentication/30_rbac.yaml b/tests/golden/no-ldap/openshift4-authentication/openshift4-authentication/30_rbac.yaml
@@ -8,6 +8,7 @@ metadata:
 rules:
   - apiGroups:
       - ''
+      - authorization.k8s.io
     resources:
       - users
       - serviceaccounts