From c84c1b52af1bf7697cdb8d80d30df358318ad52a Mon Sep 17 00:00:00 2001
From: Darren Shepherd
Date: Wed, 21 Oct 2020 22:39:34 -0700
Subject: [PATCH] Fix impersonating serviceaccounts for podimpersonation

---
 pkg/podimpersonation/podimpersonation.go | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)

diff --git a/pkg/podimpersonation/podimpersonation.go b/pkg/podimpersonation/podimpersonation.go
index c08fdef..40463f0 100644
--- a/pkg/podimpersonation/podimpersonation.go
+++ b/pkg/podimpersonation/podimpersonation.go
@@ -3,6 +3,7 @@ package podimpersonation
 import (
 "context"
 "fmt"
+ "strings"
 "sync"
 "time"
 
@@ -186,6 +187,21 @@ func (s *PodImpersonation) createRole(ctx context.Context, user user.Info, names
 return nil, err
 }
 
+ rule := rbacv1.PolicyRule{
+ Verbs: []string{"impersonate"},
+ APIGroups: []string{""},
+ Resources: []string{"users"},
+ ResourceNames: []string{user.GetName()},
+ }
+
+ if strings.HasPrefix(user.GetName(), "system:serviceaccount:") {
+ rule = rbacv1.PolicyRule{
+ Verbs: []string{"impersonate"},
+ APIGroups: []string{""},
+ Resources: []string{"serviceaccounts"},
+ }
+ }
+
 return client.RbacV1().ClusterRoles().Create(ctx, &rbacv1.ClusterRole{
 ObjectMeta: metav1.ObjectMeta{
 GenerateName: "pod-impersonation-" + s.key + "-",
@@ -194,12 +210,7 @@ func (s *PodImpersonation) createRole(ctx context.Context, user user.Info, names
 },
 },
 Rules: []rbacv1.PolicyRule{
- {
- Verbs: []string{"impersonate"},
- APIGroups: []string{""},
- Resources: []string{"users"},
- ResourceNames: []string{user.GetName()},
- },
+ rule,
 {
 Verbs: []string{"impersonate"},
 APIGroups: []string{""},
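Review bot: The service-account branch added in the `@@ -186,6 +187,21 @@` hunk drops `ResourceNames`, so the generated ClusterRole lets the impersonation pod impersonate every service account in the cluster, whereas the user branch is pinned to `user.GetName()`. Kubernetes authorizes service-account impersonation as `impersonate` on `serviceaccounts` keyed by the account's own name and namespace, so the username `system:serviceaccount:<namespace>:<name>` can be split and its last segment used as the resource name; a malformed username should be rejected with an error rather than falling through to the unrestricted rule. Because this is a ClusterRole, the name restriction still matches same-named accounts in other namespaces — scoping to `<namespace>` would need a namespaced Role, which is worth a comment if it is not done here. createRole begins and ends outside this hunk.

```go
	if strings.HasPrefix(user.GetName(), "system:serviceaccount:") {
		// Username is system:serviceaccount:<namespace>:<name>; pin the rule
		// to that name instead of granting impersonation of every SA.
		parts := strings.SplitN(user.GetName(), ":", 4)
		if len(parts) != 4 || parts[2] == "" || parts[3] == "" {
			return nil, fmt.Errorf("invalid service account username %q", user.GetName())
		}
		rule = rbacv1.PolicyRule{
			Verbs:         []string{"impersonate"},
			APIGroups:     []string{""},
			Resources:     []string{"serviceaccounts"},
			ResourceNames: []string{parts[3]},
		}
	}
	// … unchanged: ClusterRole creation …
```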