feat: add the ability to perform writing actions as the actual actor rather than the mighty serviceaccount

Author: aaronschweig

cmd/start.go

@@ -46,6 +46,8 @@ var startCmd = &cobra.Command{
 			panic("no cache sync")
 		}
 
+		cfg.Wrap(gateway.NewImpersonationTransport)
+
 		cl, err := client.NewWithWatch(cfg, client.Options{
 			Scheme: schema,
 			Cache: &client.CacheOptions{

gateway/gateway.go

@@ -19,6 +19,8 @@ import (
 	"golang.org/x/text/language"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/apimachinery/pkg/runtime"
+	utilnet "k8s.io/apimachinery/pkg/util/net"
+	"k8s.io/client-go/transport"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
@@ -585,3 +587,38 @@ func Handler(conf HandlerConfig) http.Handler {
 func AddUserToContext(ctx context.Context, user string) context.Context {
 	return context.WithValue(ctx, userContextKey{}, user)
 }
+
+func GetUserFromContext(ctx context.Context) (string, bool) {
+	user, ok := ctx.Value(userContextKey{}).(string)
+	return user, ok
+}
+
+type impersonation struct {
+	delegate http.RoundTripper
+}
+
+func (i *impersonation) RoundTrip(req *http.Request) (*http.Response, error) {
+
+	// use the user header as marker for the rest.
+	if len(req.Header.Get(transport.ImpersonateUserHeader)) != 0 {
+		return i.delegate.RoundTrip(req)
+	}
+
+	user, ok := GetUserFromContext(req.Context())
+	if !ok || user == "" {
+		return i.delegate.RoundTrip(req)
+	}
+
+	slog.Debug("impersonating request", "user", user)
+
+	fmt.Println("impersonating", user)
+
+	req = utilnet.CloneRequest(req)
+	req.Header.Set(transport.ImpersonateUserHeader, user)
+
+	return i.delegate.RoundTrip(req)
+}
+
+func NewImpersonationTransport(rt http.RoundTripper) http.RoundTripper {
+	return &impersonation{delegate: rt}
+}

gateway/resolver.go

@@ -69,19 +69,8 @@ func (r *resolver) listItems(crd apiextensionsv1.CustomResourceDefinition, typeI
 			opts = append(opts, client.MatchingLabelsSelector{Selector: selector})
 		}
 
-		ras := authzv1.ResourceAttributes{
-			Verb:     "list",
-			Group:    crd.Spec.Group,
-			Version:  typeInformation.Name,
-			Resource: crd.Spec.Names.Plural,
-		}
 		if namespace, ok := p.Args["namespace"].(string); ok && namespace != "" {
 			opts = append(opts, client.InNamespace(namespace))
-			ras.Namespace = namespace
-		}
-
-		if err := isAuthorized(ctx, r.conf.Client, ras); err != nil {
-			return nil, err
 		}
 
 		err := r.conf.Client.List(ctx, list, opts...)
@@ -181,17 +170,6 @@ func (r *resolver) deleteItem(crd apiextensionsv1.CustomResourceDefinition, type
 		ctx, span := otel.Tracer("").Start(p.Context, "Delete", trace.WithAttributes(attribute.String("kind", crd.Spec.Names.Kind)))
 		defer span.End()
 
-		if err := isAuthorized(ctx, r.conf.Client, authzv1.ResourceAttributes{
-			Verb:      "delete",
-			Group:     crd.Spec.Group,
-			Version:   typeInformation.Name,
-			Resource:  crd.Spec.Names.Plural,
-			Namespace: p.Args["namespace"].(string),
-			Name:      p.Args["name"].(string),
-		}); err != nil {
-			return nil, err
-		}
-
 		us := &unstructured.Unstructured{}
 		us.SetGroupVersionKind(schema.GroupVersionKind{
 			Group:   crd.Spec.Group,
@@ -226,16 +204,6 @@ func (r *resolver) createItem(crd apiextensionsv1.CustomResourceDefinition, type
 
 		logger = logger.With(slog.Group("metadata", slog.String("name", metadatInput.Name), slog.String("namespace", metadatInput.Namespace)))
 
-		if err := isAuthorized(ctx, r.conf.Client, authzv1.ResourceAttributes{
-			Verb:      "create",
-			Group:     crd.Spec.Group,
-			Version:   typeInformation.Name,
-			Resource:  crd.Spec.Names.Plural,
-			Namespace: metadatInput.Namespace,
-		}); err != nil {
-			return nil, err
-		}
-
 		us := &unstructured.Unstructured{}
 		us.SetGroupVersionKind(schema.GroupVersionKind{
 			Group:   crd.Spec.Group,
@@ -287,17 +255,6 @@ func (r *resolver) updateItem(crd apiextensionsv1.CustomResourceDefinition, type
 
 		logger = logger.With(slog.Group("metadata", slog.String("name", metadatInput.Name), slog.String("namespace", metadatInput.Namespace)))
 
-		if err := isAuthorized(ctx, r.conf.Client, authzv1.ResourceAttributes{
-			Verb:      "update",
-			Group:     crd.Spec.Group,
-			Version:   typeInformation.Name,
-			Resource:  crd.Spec.Names.Plural,
-			Namespace: metadatInput.Namespace,
-			Name:      metadatInput.Name,
-		}); err != nil {
-			return nil, err
-		}
-
 		us := &unstructured.Unstructured{}
 		us.SetGroupVersionKind(schema.GroupVersionKind{
 			Group:   crd.Spec.Group,

go.mod

@@ -15,6 +15,7 @@ require (
 	k8s.io/api v0.30.1
 	k8s.io/apiextensions-apiserver v0.30.1
 	k8s.io/apimachinery v0.30.1
+	k8s.io/client-go v0.30.1
 	sigs.k8s.io/controller-runtime v0.18.3
 )
 
@@ -74,7 +75,6 @@ require (
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/client-go v0.30.1 // indirect
 	k8s.io/klog/v2 v2.120.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20240430033511-f0e62f92d13f // indirect
 	k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0 // indirect