From 0f4fd1fde6cbb90999a979dce173c8880d8ef82b Mon Sep 17 00:00:00 2001
From: Tom Lebreux
Date: Mon, 10 Mar 2025 13:35:01 -0400
Subject: [PATCH] Fix not finding ClusterRoleBinding or RoleBinding for service accounts (#539)
---
 pkg/accesscontrol/policy_rule_index.go | 4 ++--
 pkg/accesscontrol/policy_rule_index_test.go | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/pkg/accesscontrol/policy_rule_index.go b/pkg/accesscontrol/policy_rule_index.go
index 3294f921..0eae10ec 100644
--- a/pkg/accesscontrol/policy_rule_index.go
+++ b/pkg/accesscontrol/policy_rule_index.go
@@ -1,12 +1,12 @@
 package accesscontrol
 import (
- "fmt"
 "sort"
 rbacv1controllers "github.com/rancher/wrangler/v3/pkg/generated/controllers/rbac/v1"
 rbacv1 "k8s.io/api/rbac/v1"
 "k8s.io/apimachinery/pkg/runtime/schema"
+ "k8s.io/apiserver/pkg/authentication/serviceaccount"
 )
 const (
@@ -72,7 +72,7 @@ func indexSubjects(kind string, subjects []rbacv1.Subject) []string {
 result = append(result, subject.Name)
 } else if kind == userKind && subjectIsServiceAccount(subject) {
 // Index is for Users and this references a service account
- result = append(result, fmt.Sprintf("serviceaccount:%s:%s", subject.Namespace, subject.Name))
+ result = append(result, serviceaccount.MakeUsername(subject.Namespace, subject.Name))
 }
 }
 return result
diff --git a/pkg/accesscontrol/policy_rule_index_test.go b/pkg/accesscontrol/policy_rule_index_test.go
index 8a68dfe7..4eeec4df 100644
--- a/pkg/accesscontrol/policy_rule_index_test.go
+++ b/pkg/accesscontrol/policy_rule_index_test.go
@@ -56,7 +56,7 @@ func Test_policyRuleIndex_roleBindingBySubject(t *testing.T) {
 Namespace: "testns",
 },
 }),
- want: []string{"serviceaccount:testns:mysvcaccount"},
+ want: []string{"system:serviceaccount:testns:mysvcaccount"},
 },
 {
 name: "ignores svcaccounts in group mode",
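Review bot: In the `indexSubjects` hunk of policy_rule_index.go, the new key is built from `subject.Namespace` exactly as written on the binding, so a ServiceAccount subject that leaves Namespace empty would be indexed as `system:serviceaccount::<name>` and never match an authenticated username. It may instead be skipped, depending on `subjectIsServiceAccount`, which is outside the hunk. The Kubernetes RBAC authorizer defaults an empty subject namespace to the RoleBinding's own namespace, but `indexSubjects` receives only `kind` and `subjects`, so it cannot apply that default. This fails closed rather than granting extra access, yet it is the same "binding not found" symptom this commit fixes. Consider passing the binding's namespace in, or at least recording the gap with `// Subjects with an empty Namespace are not defaulted to the binding's namespace.`; the function body starts and ends outside the hunk.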
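Review bot: The updated case in `Test_policyRuleIndex_roleBindingBySubject`, and the matching one in `Test_policyRuleIndex_clusterRoleBindingBySubject`, covers only a fully qualified ServiceAccount subject. The pinned literal `system:serviceaccount:testns:mysvcaccount` is worth keeping, because it would catch a regression in the username prefix that authorization lookups depend on. A table entry with a ServiceAccount subject whose `Namespace` is empty would record whether such a binding is indexed or ignored, for example `name: "svcaccount without namespace in user mode"` with the expected `want` stated explicitly. Both test tables start and end outside the visible hunks, so such a case may already exist elsewhere.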
@@ -166,7 +166,7 @@ func Test_policyRuleIndex_clusterRoleBindingBySubject(t *testing.T) {
 Namespace: "testns",
 },
 }),
- want: []string{"serviceaccount:testns:mysvcaccount"},
+ want: []string{"system:serviceaccount:testns:mysvcaccount"},
 },
 {
 name: "ignores svcaccounts in group mode",