impersonation proxy: add RBAC to impersonate user extra and SAs

Signed-off-by: Monis Khan <mok@vmware.com>
2021-03-25 17:09:29 -04:00 · 2021-03-25 17:09:29 -04:00 · 2179c2879a
commit 2179c2879a
parent b6e217e13a
1 changed files with 4 additions and 1 deletions
--- a/deploy/concierge/rbac.yaml
+++ b/deploy/concierge/rbac.yaml
@ -32,7 +32,10 @@ rules:
    verbs: [ use ]
    resourceNames: [ nonroot ]
  - apiGroups: [ "" ]
-    resources: [ "users", "groups" ]
+    resources: [ "users", "groups", "serviceaccounts" ]
    verbs: [ "impersonate" ]
  - apiGroups: [ "authentication.k8s.io" ]
    resources: [ "*" ]  #! What we really want is userextras/* but the RBAC authorizer only supports */subresource, not resource/*
    verbs: [ "impersonate" ]
  - apiGroups: [ "" ]
    resources: [ nodes ]