Support nested impersonation
Release notes
Problem to solve
#327849 (closed), #327412 (closed), and #327410 use impersonation HTTP headers to impersonate an identity, as configured by an agent owner. An agent user may want to impersonate an identity on top of that, but Kubernetes does not support "nested" impersonation.
Proposal
We could work around this limitation:
- Reverse-proxy the request to the agent as-is (kas->agent).
- Agent detects the situation.
- Agent checks that it is allowed to impersonate the identity that it is configured to impersonate (identity `X`) via a `SelfSubjectAccessReview` API call.
- Agent checks that the identity `X` is allowed to impersonate the identity the user wants to use, which is specified via HTTP headers (identity `Y`). A `SubjectAccessReview` API call can be used for that.
- If the agent is allowed to impersonate `X` and `X` is allowed to impersonate `Y`, impersonate `Y` rather than `X`.
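The two-step check from the proposal, as an added Go example that is not the agent's own code. It assumes a `Reviewer` interface standing in for the client-go `SelfSubjectAccessReview`/`SubjectAccessReview` calls, a constructed `FakeReviewer` RBAC table with the agent's own identity under the constructed key `"agent"`, and covers only `Impersonate-User`; it decides whether to forward `Y` or fall back to `X`.

```go
package main

import (
	"fmt"
	"net/http"
)

// ResourceAttributes mirrors the authorization.k8s.io/v1 fields used here.
type ResourceAttributes struct{ Verb, Resource, Name string }

// Reviewer abstracts the two API calls; a real agent would back it with client-go.
type Reviewer interface {
	SelfSubjectAccessReview(attrs ResourceAttributes) (bool, error)
	SubjectAccessReview(user string, attrs ResourceAttributes) (bool, error)
}

func impersonateUser(name string) ResourceAttributes {
	return ResourceAttributes{Verb: "impersonate", Resource: "users", Name: name}
}

// ResolveImpersonation returns the identity the agent should impersonate: the
// configured X, or the requested Y only when agent->X and X->Y are both allowed.
func ResolveImpersonation(r Reviewer, configured string, req *http.Request) (string, error) {
	requested := req.Header.Get("Impersonate-User") // identity Y, if any
	if requested == "" {
		return configured, nil // no nested impersonation requested
	}
	if ok, err := r.SelfSubjectAccessReview(impersonateUser(configured)); err != nil || !ok {
		return "", fmt.Errorf("agent may not impersonate %q (allowed=%v, err=%v)", configured, ok, err)
	}
	if ok, err := r.SubjectAccessReview(configured, impersonateUser(requested)); err != nil || !ok {
		return "", fmt.Errorf("%q may not impersonate %q (allowed=%v, err=%v)", configured, requested, ok, err)
	}
	return requested, nil
}

// FakeReviewer is a constructed RBAC table: subject -> users it may impersonate.
type FakeReviewer map[string][]string

func (f FakeReviewer) SelfSubjectAccessReview(a ResourceAttributes) (bool, error) {
	return f.SubjectAccessReview("agent", a) // "agent" is the constructed self identity
}

func (f FakeReviewer) SubjectAccessReview(user string, a ResourceAttributes) (bool, error) {
	for _, n := range f[user] {
		if a.Verb == "impersonate" && a.Resource == "users" && n == a.Name {
			return true, nil
		}
	}
	return false, nil
}
```

`Impersonate-Group` and `Impersonate-Extra-*` headers need the same pair of checks with the `groups` and `userextras` resources before they are forwarded.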
Edited by Mikhail Mazurskiy