Strip reserved authentication.kubernetes.io extras before impersonation#434

Merged

ArnobKumarSaha merged 1 commit into master from arnob-imp-extra on Jun 30, 2026
Conversation

@ArnobKumarSaha

Member

Problem

EditorModel reads fail with:

userextras.authentication.k8s.io "X509SHA256=..." is forbidden: User "system:serviceaccount:kubeops:kube-ui-server" cannot impersonate resource "userextras/authentication.kubernetes.io/credential-id" in API group "authentication.k8s.io" at the cluster scope

callerClient copies user.GetExtra() verbatim into the impersonation config. On k8s >=1.30, the apiserver injects reserved extras (e.g. authentication.kubernetes.io/credential-id for X509 / SA-token auth). Impersonating those requires a dedicated userextras/... impersonate RBAC verb that kube-ui-server does not hold, so the request is rejected.

Fix

Drop authentication.kubernetes.io/-prefixed keys before building the impersonation config. These are server-injected and carry no authorization identity (RBAC binds on user/group), so stripping them does not change the impersonated client's effective permissions. ace.appscode.com/org-id and other extras are preserved.

Note

kmodules.xyz/client-go/client/delegated.go::Impersonate (used by pkg/graph) has the same pattern and will need the same fix upstream + re-vendor.

Copying user.GetExtra() verbatim into the impersonation config also copies
server-injected reserved extras (e.g. authentication.kubernetes.io/credential-id
added for X509/SA auth on k8s >=1.30). Impersonating those needs a dedicated
userextras RBAC verb that kube-ui-server does not hold, causing a forbidden
error on EditorModel reads. These extras carry no authorization identity, so
drop the authentication.kubernetes.io/ prefixed keys before impersonating.

Signed-off-by: Arnob Kumar Saha <arnob@appscode.com>
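The filtering the PR description and commit message propose, as an added example that is not code from this PR, from kube-ui-server or from kmodules. It is written stdlib-only: `impersonationConfig` is a local stand-in with the same fields as `rest.ImpersonationConfig` from client-go, and `buildImpersonationConfig`, `filterImpersonationExtras` and `requiredImpersonateResources` are hypothetical helper names. The last helper lists the `authentication.k8s.io` resources the calling identity must hold the `impersonate` verb on, so the effect of the strip on the required RBAC is visible next to the unchanged user/group requirement.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// reservedExtraPrefix covers the extras the kube-apiserver injects on k8s >=1.30
// (for example authentication.kubernetes.io/credential-id on X509 / SA-token auth).
// Impersonating an extra requires an RBAC rule on userextras/<key> in API group
// authentication.k8s.io, which a controller such as kube-ui-server usually lacks.
const reservedExtraPrefix = "authentication.kubernetes.io/"

// impersonationConfig is a local stand-in with the same fields as
// k8s.io/client-go/rest.ImpersonationConfig (assumption: kept here so the
// example builds without client-go; real code would use rest.ImpersonationConfig).
type impersonationConfig struct {
	UserName string
	Groups   []string
	Extra    map[string][]string
}

// filterImpersonationExtras deep-copies every extra except the reserved,
// server-injected ones. Dropping them does not change the impersonated
// client's permissions: RBAC binds on user and group, not on extras.
func filterImpersonationExtras(extra map[string][]string) map[string][]string {
	if extra == nil {
		return nil
	}
	out := make(map[string][]string, len(extra))
	for key, values := range extra {
		if strings.HasPrefix(key, reservedExtraPrefix) {
			continue
		}
		out[key] = append([]string(nil), values...)
	}
	return out
}

// buildImpersonationConfig (hypothetical) replaces the verbatim copy of
// user.GetExtra() described in the PR: identity is copied, extras are filtered.
func buildImpersonationConfig(userName string, groups []string, extra map[string][]string) impersonationConfig {
	return impersonationConfig{
		UserName: userName,
		Groups:   append([]string(nil), groups...),
		Extra:    filterImpersonationExtras(extra),
	}
}

// requiredImpersonateResources returns, sorted, the authentication.k8s.io
// resources the caller needs the "impersonate" verb on for this config:
// users, groups (if any), and userextras/<key> for every extra passed through.
func requiredImpersonateResources(cfg impersonationConfig) []string {
	res := []string{"users"}
	if len(cfg.Groups) > 0 {
		res = append(res, "groups")
	}
	for key := range cfg.Extra {
		res = append(res, "userextras/"+key)
	}
	sort.Strings(res)
	return res
}

func main() {
	// Constructed sample of user.GetExtra() for an SA-token caller on k8s >=1.30,
	// plus the ace.appscode.com/org-id extra the PR wants to keep.
	extra := map[string][]string{
		"authentication.kubernetes.io/credential-id": {"X509SHA256=0123abcd"},
		"ace.appscode.com/org-id":                    {"org-42"},
	}
	user, groups := "system:serviceaccount:demo:caller", []string{"system:serviceaccounts"}

	// Before the fix: extras copied verbatim, so the reserved key is impersonated too.
	verbatim := impersonationConfig{UserName: user, Groups: groups, Extra: extra}
	// After the fix: reserved keys stripped, org-id preserved.
	filtered := buildImpersonationConfig(user, groups, extra)

	fmt.Println("before:", requiredImpersonateResources(verbatim))
	fmt.Println("after: ", requiredImpersonateResources(filtered))
}
```

The prefix check is deliberately a prefix rather than the single `credential-id` key, matching the PR's wording, so any future `authentication.kubernetes.io/` extra is dropped without another patch; the deep copy avoids handing the impersonation config slices that alias the caller's `user.Info`.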
@ArnobKumarSaha ArnobKumarSaha merged commit 0e5d41f into master Jun 30, 2026
4 checks passed
@ArnobKumarSaha ArnobKumarSaha deleted the arnob-imp-extra branch June 30, 2026 10:33