From addf632e7c463ebebad48b23ffd5e24ae1c49568 Mon Sep 17 00:00:00 2001 From: Monis Khan Date: Fri, 11 Jun 2021 13:56:11 -0400 Subject: [PATCH] impersonator: add docs regarding limited serivce account Signed-off-by: Monis Khan --- internal/concierge/impersonator/doc.go | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/internal/concierge/impersonator/doc.go b/internal/concierge/impersonator/doc.go index 3ca70d69..af91e2d3 100644 --- a/internal/concierge/impersonator/doc.go +++ b/internal/concierge/impersonator/doc.go @@ -11,7 +11,9 @@ The specifics of how it is implemented are of interest. The most novel detail about the implementation is that we use the "front-end" of the aggregated API server logic, mainly the DefaultBuildHandlerChain func, to handle how incoming requests are authenticated, authorized, etc. The "back-end" of the proxy is a -reverse proxy that impersonates the user (instead of serving REST APIs). +reverse proxy that impersonates the user (instead of serving REST APIs). Since +impersonation fails open, we impersonate users via a secondary service account +that has no other permissions on the cluster. In terms of authentication, we aim to handle every type of authentication that the Kubernetes API server supports by delegating most of the checks to it. We
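Review bot: The added sentence in doc.go says "impersonation fails open" without stating what the failure mode is, and "no other permissions" leaves unsaid which permission the secondary service account does hold. Suggest spelling both out in the comment, for example that a request whose impersonation headers are not applied would run with the proxy's own credentials, and that the secondary account is therefore granted only what it needs to impersonate; if that reading is not the intended one, the comment needs the correct one, since a reader cannot derive it from the text as written. It would also help to name where this service account is defined so the claim can be checked against its RBAC rules. Minor: the subject line spells "service" as "serivce".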