diff --git a/staging/src/k8s.io/apiserver/pkg/util/webhook/authentication.go b/staging/src/k8s.io/apiserver/pkg/util/webhook/authentication.go index a69506de690..95e4060bd11 100644 --- a/staging/src/k8s.io/apiserver/pkg/util/webhook/authentication.go +++ b/staging/src/k8s.io/apiserver/pkg/util/webhook/authentication.go @@ -243,6 +243,7 @@ func restConfigFromKubeconfig(configAuthInfo *clientcmdapi.AuthInfo) (*rest.Conf if len(configAuthInfo.Impersonate) > 0 { config.Impersonate = rest.ImpersonationConfig{ UserName: configAuthInfo.Impersonate, + UID: configAuthInfo.ImpersonateUID, Groups: configAuthInfo.ImpersonateGroups, Extra: configAuthInfo.ImpersonateUserExtra, } diff --git a/staging/src/k8s.io/apiserver/pkg/util/webhook/authentication_test.go b/staging/src/k8s.io/apiserver/pkg/util/webhook/authentication_test.go index d92268578c0..bdac3a49f82 100644 --- a/staging/src/k8s.io/apiserver/pkg/util/webhook/authentication_test.go +++ b/staging/src/k8s.io/apiserver/pkg/util/webhook/authentication_test.go @@ -64,6 +64,30 @@ func TestAuthenticationDetection(t *testing.T) { }, expected: rest.Config{BearerToken: "foo"}, }, + { + name: "match with impersonation", + serverName: "foo.com", + kubeconfig: clientcmdapi.Config{ + AuthInfos: map[string]*clientcmdapi.AuthInfo{ + "foo.com": { + Token: "foo", + Impersonate: "user-a", + ImpersonateUID: "user-a-uid-1111", + ImpersonateGroups: []string{"user-a-group1", "user-a-group2"}, + ImpersonateUserExtra: map[string][]string{"foo": {"bar", "baz", "etc"}}, + }, + }, + }, + expected: rest.Config{ + BearerToken: "foo", + Impersonate: rest.ImpersonationConfig{ + UserName: "user-a", + UID: "user-a-uid-1111", + Groups: []string{"user-a-group1", "user-a-group2"}, + Extra: map[string][]string{"foo": {"bar", "baz", "etc"}}, + }, + }, + }, { name: "partial star match", serverName: "foo.com",