What is the proper way to allow impersonating a single service account in k8s via RBAC?

I would like a cluster role or a service role to be able to impersonate a role in a different.

I have tried both

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: "2023-05-10T23:52:33Z"
  name: example-impersonator
  resourceVersion: "1627"
  uid: 34e413ca-f733-4198-99af-7b442a764a21
rules:
- apiGroups:
  - ""
  resourceNames:
  - system:serviceaccount:example-namespace:example-role
  resources:
  - users
  verbs:
  - impersonate

and

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: "2023-05-10T23:52:33Z"
  name: example-impersonator
  resourceVersion: "1627"
  uid: 34e413ca-f733-4198-99af-7b442a764a21
rules:
- apiGroups:
  - ""
  resourceNames:
  - example-namespace:example-role
  resources:
  - serviceaccount
  verbs:
  - impersonate

and a few other combinations, but when running

kubectl auth can-i impersonate users/system:serviceaccount:example-namespace:example-role --as=default:test (I have bound the above policy to a different service account, test, in the default namespace), I am getting no

Hello, implementing the sudo functionality is a three-step process:

  1. Create a virtual identity:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: sudo
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: sudo
  2. Create a cluster/role allowing impersonation:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: sudo
rules:
- apiGroups: [""]
  resourceNames:
  - sudo
  resources:
  - users
  verbs:
  - impersonate
  3. Create a clusterrole/rolebinding to allow selected users to impersonate the “sudo” virtual user:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: sudoer
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: sudo
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: davidp
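
Added example, not part of either post above: the same pattern narrowed to the question's case, where one service account may impersonate exactly one other service account. The Role and RoleBinding names are hypothetical; the namespaces and account names are the ones from the question. When the impersonated username has the form system:serviceaccount:<namespace>:<name>, the API server authorizes the request against the serviceaccounts resource in that namespace, so the grant can be a namespaced Role rather than a ClusterRole.

```yaml
# Role in the namespace of the service account that will be impersonated.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: impersonate-example-role        # hypothetical name
  namespace: example-namespace
rules:
- apiGroups: [""]
  resources: ["serviceaccounts"]        # plural resource name
  resourceNames: ["example-role"]       # bare account name, no namespace prefix
  verbs: ["impersonate"]
---
# Bind the Role to the one caller that is allowed to impersonate.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: test-impersonates-example-role  # hypothetical name
  namespace: example-namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: impersonate-example-role
subjects:
- kind: ServiceAccount                  # core API group, so no apiGroup field
  name: test
  namespace: default
# Check the grant. The caller passed to --as must be the full service
# account username, system:serviceaccount:<namespace>:<name>:
#
#   kubectl auth can-i impersonate serviceaccounts/example-role \
#     -n example-namespace --as=system:serviceaccount:default:test
#
# Negative check: any other account in example-namespace should return "no":
#
#   kubectl auth can-i impersonate serviceaccounts/default \
#     -n example-namespace --as=system:serviceaccount:default:test
```

Keeping resourceNames on the rule is what limits the grant to a single account; without it the caller could impersonate every service account in example-namespace.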