From 8d3a498c879aab30d90d3429ffd364c3c7afe9de Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka
Date: Thu, 16 Mar 2023 11:14:29 +0100
Subject: [PATCH] don't ignore UID impersonation in webhook clients
---
 .../pkg/util/webhook/authentication.go | 1 +
 .../pkg/util/webhook/authentication_test.go | 24 +++++++++++++++++++
 2 files changed, 25 insertions(+)
diff --git a/staging/src/k8s.io/apiserver/pkg/util/webhook/authentication.go b/staging/src/k8s.io/apiserver/pkg/util/webhook/authentication.go
index a69506de690..95e4060bd11 100644
--- a/staging/src/k8s.io/apiserver/pkg/util/webhook/authentication.go
+++ b/staging/src/k8s.io/apiserver/pkg/util/webhook/authentication.go
@@ -243,6 +243,7 @@ func restConfigFromKubeconfig(configAuthInfo *clientcmdapi.AuthInfo) (*rest.Conf
 if len(configAuthInfo.Impersonate) > 0 {
 config.Impersonate = rest.ImpersonationConfig{
 UserName: configAuthInfo.Impersonate,
+ UID: configAuthInfo.ImpersonateUID,
 Groups: configAuthInfo.ImpersonateGroups,
 Extra: configAuthInfo.ImpersonateUserExtra,
 }
diff --git a/staging/src/k8s.io/apiserver/pkg/util/webhook/authentication_test.go b/staging/src/k8s.io/apiserver/pkg/util/webhook/authentication_test.go
index d92268578c0..bdac3a49f82 100644
--- a/staging/src/k8s.io/apiserver/pkg/util/webhook/authentication_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/util/webhook/authentication_test.go
@@ -64,6 +64,30 @@ func TestAuthenticationDetection(t *testing.T) {
 },
 expected: rest.Config{BearerToken: "foo"},
 },
+ {
+ name: "match with impersonation",
+ serverName: "foo.com",
+ kubeconfig: clientcmdapi.Config{
+ AuthInfos: map[string]*clientcmdapi.AuthInfo{
+ "foo.com": {
+ Token: "foo",
+ Impersonate: "user-a",
+ ImpersonateUID: "user-a-uid-1111",
+ ImpersonateGroups: []string{"user-a-group1", "user-a-group2"},
+ ImpersonateUserExtra: map[string][]string{"foo": {"bar", "baz", "etc"}},
+ },
+ },
+ },
+ expected: rest.Config{
+ BearerToken: "foo",
+ Impersonate: rest.ImpersonationConfig{
+ UserName: "user-a",
+ UID: "user-a-uid-1111",
+ Groups: []string{"user-a-group1", "user-a-group2"},
+ Extra: map[string][]string{"foo": {"bar", "baz", "etc"}},
+ },
+ },
+ },
 {
 name: "partial star match",
 serverName: "foo.com",
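Review bot: The added case covers only a fully populated AuthInfo, so nothing pins what happens when `ImpersonateUID` (or the groups/extra fields) is set while `Impersonate` is empty. In authentication.go the whole block, including the new `UID:` line, sits under `if len(configAuthInfo.Impersonate) > 0`, so such a kubeconfig appears to be accepted and the webhook call would go out under the credential's own identity, with no impersonation and no error. I would add a table entry that makes this explicit (below, asserting what the guard does today) and consider a comment on the guard, or an error return if a silent fallback to the unimpersonated identity is not intended. Both the test table and restConfigFromKubeconfig extend beyond the visible hunks, so the exact error-reporting shape is not visible here.

```go
// … unchanged: "match with impersonation" case …
{
	name:       "impersonation UID without user name",
	serverName: "foo.com",
	kubeconfig: clientcmdapi.Config{
		AuthInfos: map[string]*clientcmdapi.AuthInfo{
			"foo.com": {
				Token:          "foo",
				ImpersonateUID: "user-a-uid-1111",
			},
		},
	},
	// Current behaviour: the guard on Impersonate skips the whole
	// impersonation block, so the UID is dropped without an error.
	expected: rest.Config{BearerToken: "foo"},
},
```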