From 0f4833c8502f1c76b8b02631b9775bcb30ed0ae4 Mon Sep 17 00:00:00 2001
From: Arnob Kumar Saha
Date: Tue, 30 Jun 2026 16:24:58 +0600
Subject: [PATCH] Strip reserved authentication.kubernetes.io extras before impersonation

Copying user.GetExtra() verbatim into the impersonation config also copies server-injected reserved extras (e.g. authentication.kubernetes.io/credential-id added for X509/SA auth on k8s >=1.30). Impersonating those needs a dedicated userextras RBAC verb that kube-ui-server does not hold, causing a forbidden error on EditorModel reads. These extras carry no authorization identity, so drop the authentication.kubernetes.io/ prefixed keys before impersonating.

Signed-off-by: Arnob Kumar Saha
---
 pkg/registry/editor/editormodel/storage.go | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/pkg/registry/editor/editormodel/storage.go b/pkg/registry/editor/editormodel/storage.go
index bddbaf8f1b..824381be00 100644
--- a/pkg/registry/editor/editormodel/storage.go
+++ b/pkg/registry/editor/editormodel/storage.go
@@ -85,11 +85,29 @@ func (r *Storage) callerClient(ctx context.Context) (client.Client, error) {
 		UserName: user.GetName(),
 		UID:      user.GetUID(),
 		Groups:   user.GetGroups(),
-		Extra:    user.GetExtra(),
+		Extra:    impersonableExtra(user.GetExtra()),
 	}
 	return client.New(cfg, client.Options{Scheme: r.scheme, Mapper: r.mapper})
 }
 
+// impersonableExtra drops the reserved authentication.kubernetes.io/* extras
+// (e.g. credential-id added for X509/SA auth on k8s >=1.30). These are injected
+// by the apiserver and impersonating them needs a dedicated userextras RBAC verb
+// that kube-ui-server does not hold; they carry no authorization identity.
+func impersonableExtra(in map[string][]string) map[string][]string {
+	if len(in) == 0 {
+		return nil
+	}
+	out := make(map[string][]string, len(in))
+	for k, v := range in {
+		if strings.HasPrefix(k, "authentication.kubernetes.io/") {
+			continue
+		}
+		out[k] = v
+	}
+	return out
+}
+
 // Create reconstructs the editor model for an existing installation from the
 // chart values supplied in the request. The caller (b3) is responsible for the
 // slow parts -- pulling the chart (getChart) and creating the AppRelease if
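Review bot: impersonableExtra is an authorization-boundary filter but ships without a unit test — the diffstat lists only storage.go — so a small table test covering a nil map, a map holding only `authentication.kubernetes.io/credential-id`, and a mixed map would pin which keys survive impersonation. The early return also makes the result shape inconsistent: nil or empty input yields nil, while an input whose keys are all reserved yields an empty non-nil map; adding `if len(out) == 0 { return nil }` before the final return keeps the impersonation config uniform. The prefix match drops every key under that namespace, including the pod-name/pod-uid/node-name extras that bound service-account tokens carry, which is presumably intended but goes beyond the credential-id example, so the doc comment should state that all apiserver-injected extras under the prefix are discarded. All 19 insertions in the diffstat land in this hunk, so `strings` must already be imported in storage.go — worth confirming. callerClient's body begins before the hunk.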