Merge pull request #36769 from deads2k/auth-03-fix-impersonation

Automatic merge from submit-queue clear impersonation headers If you clone a request that came in after impersonation, you were also cloning the impersonation headers that came with it. These seem roughly analogous to the `Authorization` header, so this clears them. @kubernetes/sig-auth
2025-07-30 15:05:27 +00:00 · 2016-12-01 04:52:09 -08:00 · 2016-12-01 04:52:09 -08:00 · d00696a0d8
commit d00696a0d8
parent 2fab199390 e69d0d84a4
1 changed files with 9 additions and 0 deletions
--- a/pkg/apiserver/filters/impersonation.go
+++ b/pkg/apiserver/filters/impersonation.go
@ -123,6 +123,15 @@ func WithImpersonation(handler http.Handler, requestContextMapper api.RequestCon
 		oldUser, _ := api.UserFrom(ctx)
 		httplog.LogOf(req, w).Addf("%v is acting as %v", oldUser, newUser)

+		// clear all the impersonation headers from the request
+		req.Header.Del(authenticationapi.ImpersonateUserHeader)
+		req.Header.Del(authenticationapi.ImpersonateGroupHeader)
+		for headerName := range req.Header {
+			if strings.HasPrefix(headerName, authenticationapi.ImpersonateUserExtraHeaderPrefix) {
+				req.Header.Del(headerName)
+			}
+		}
+
 		handler.ServeHTTP(w, req)
 	})
 }