From 803451eb392bf310aeafdbe84b9fb7376150da9d Mon Sep 17 00:00:00 2001
From: Sebastian Widmer
Date: Mon, 22 Jan 2024 10:51:39 +0100
Subject: [PATCH] Fix console impersonation (#90)

The console started checking with the following `SelfSubjectAccessReview`:

```
{
"kind": "SelfSubjectAccessReview",
"apiVersion": "authorization.k8s.io/v1",
"metadata": {
"creationTimestamp": null,
},
"spec": {
"resourceAttributes": {
"verb": "impersonate",
"group": "authorization.k8s.io",
"resource": "users",
"name": "cluster-admin"
}
},
"status": {
"allowed": false
}
}
```

Both users.authorization.k8s.io and `users` seem to be correct to receive impersonation rights in the API server.
---
 component/rbac.libsonnet | 2 +-
 .../openshift4-authentication/30_rbac.yaml | 1 +
 .../openshift4-authentication/30_rbac.yaml | 1 +
 3 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/component/rbac.libsonnet b/component/rbac.libsonnet
index 134b6a3..5c2a3bf 100644
--- a/component/rbac.libsonnet
+++ b/component/rbac.libsonnet
@@ -30,7 +30,7 @@ local sudoGroupSubjects = std.map(
 local sudoClusterRole = kube.ClusterRole('sudo-impersonator') {
 rules: [
 {
- apiGroups: [ '' ],
+ apiGroups: [ '', 'authorization.k8s.io' ],
 resources: [ 'users', 'serviceaccounts', 'groups' ],
 verbs: [ 'impersonate' ],
 }, {
diff --git a/tests/golden/defaults/openshift4-authentication/openshift4-authentication/30_rbac.yaml b/tests/golden/defaults/openshift4-authentication/openshift4-authentication/30_rbac.yaml
index c37b238..2c50a0a 100644
--- a/tests/golden/defaults/openshift4-authentication/openshift4-authentication/30_rbac.yaml
+++ b/tests/golden/defaults/openshift4-authentication/openshift4-authentication/30_rbac.yaml
@@ -8,6 +8,7 @@ metadata:
 rules:
 - apiGroups:
 - ''
+ - authorization.k8s.io
 resources:
 - users
 - serviceaccounts
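Review bot: The added `'authorization.k8s.io'` entry on the `apiGroups` line applies to every resource in that rule, so the `sudo-impersonator` role now also grants `impersonate` on `serviceaccounts` and `groups` in that API group, which is wider than the console's check described in the commit message (a SelfSubjectAccessReview on `users` in `authorization.k8s.io`) requires; a separate rule entry scoped to `users` keeps the grant at the minimum the console needs. Nothing in the hunk records why the second group is present, so a later least-privilege cleanup could drop it and silently reintroduce the console breakage — a comment such as `// The OpenShift console checks impersonation rights with a SelfSubjectAccessReview on users.authorization.k8s.io (#90).` next to the entry would prevent that. The `sudoClusterRole` definition continues past the hunk (`}, {` opens a further rule), and the golden files under tests/golden would need regenerating if the rule is split as suggested below.
```jsonnet
local sudoClusterRole = kube.ClusterRole('sudo-impersonator') {
  rules: [
    {
      apiGroups: [ '' ],
      resources: [ 'users', 'serviceaccounts', 'groups' ],
      verbs: [ 'impersonate' ],
    },
    {
      // The OpenShift console checks impersonation rights with a
      // SelfSubjectAccessReview on users.authorization.k8s.io (#90);
      // only `users` is needed in this group.
      apiGroups: [ 'authorization.k8s.io' ],
      resources: [ 'users' ],
      verbs: [ 'impersonate' ],
    },
    // … unchanged: remaining rules …
```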
diff --git a/tests/golden/no-ldap/openshift4-authentication/openshift4-authentication/30_rbac.yaml b/tests/golden/no-ldap/openshift4-authentication/openshift4-authentication/30_rbac.yaml
index 53e12df..a93db8f 100644
--- a/tests/golden/no-ldap/openshift4-authentication/openshift4-authentication/30_rbac.yaml
+++ b/tests/golden/no-ldap/openshift4-authentication/openshift4-authentication/30_rbac.yaml
@@ -8,6 +8,7 @@ metadata:
 rules:
 - apiGroups:
 - ''
+ - authorization.k8s.io
 resources:
 - users
 - serviceaccounts