From 2179c2879ab2ddf8a28eda2c8a7bdec89e04c564 Mon Sep 17 00:00:00 2001
From: Monis Khan
Date: Thu, 25 Mar 2021 17:09:29 -0400
Subject: [PATCH] impersonation proxy: add RBAC to impersonate user extra and SAs
Signed-off-by: Monis Khan
---
 deploy/concierge/rbac.yaml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/deploy/concierge/rbac.yaml b/deploy/concierge/rbac.yaml
index 3f881731..6370d380 100644
--- a/deploy/concierge/rbac.yaml
+++ b/deploy/concierge/rbac.yaml
@@ -32,7 +32,10 @@ rules:
 verbs: [ use ]
 resourceNames: [ nonroot ]
 - apiGroups: [ "" ]
- resources: [ "users", "groups" ]
+ resources: [ "users", "groups", "serviceaccounts" ]
+ verbs: [ "impersonate" ]
+ - apiGroups: [ "authentication.k8s.io" ]
+ resources: [ "*" ] #! What we really want is userextras/* but the RBAC authorizer only supports */subresource, not resource/*
 verbs: [ "impersonate" ]
 - apiGroups: [ "" ]
 resources: [ nodes ]
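Review bot: The added `resources: [ "*" ]` rule under `authentication.k8s.io` grants `impersonate` on every resource in that group, not only `userextras`, so any impersonation-scoped resource the group gains later is covered without a further review. The inline comment explains why the wildcard is needed but not what it costs. Combined with the `users`, `groups` and now `serviceaccounts` rule, which carries no `resourceNames`, the bound account can presumably act as any identity the API server accepts, privileged groups included. I would extend the comment to say so, e.g. `#! Deliberately broad: allows impersonating any extra key; treat this service account's credentials as cluster-admin equivalent`, and rely on the `impersonatedUser` field in API audit events to watch how the account is used. The rule list begins and ends outside the hunk, so whether this is a ClusterRole or a namespaced Role is not visible here.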