What is the proper way to allow impersonating a single service account in k8s via RBAC?

I would like a cluster role or a service role to be able to impersonate a role in a different.

I have tried both

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: "2023-05-10T23:52:33Z"
  name: example-impersonator
  resourceVersion: "1627"
  uid: 34e413ca-f733-4198-99af-7b442a764a21
rules:
- apiGroups:
  - ""
  resourceNames:
  - system:serviceaccount:example-namespace:example-role
  resources:
  - users
  verbs:
  - impersonate

and

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: "2023-05-10T23:52:33Z"
  name: example-impersonator
  resourceVersion: "1627"
  uid: 34e413ca-f733-4198-99af-7b442a764a21
rules:
- apiGroups:
  - ""
  resourceNames:
  - example-namespace:example-role
  resources:
  - serviceaccount
  verbs:
  - impersonate

and a few other combinations, but when running

kubectl auth can-i impersonate users/system:serviceaccount:example-namespace:example-role --as=default:test (I have bound the above policy to a different service account, test, in the default namespace), I am getting no
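
An added example, not part of the original post: when the impersonated username has the form system:serviceaccount:<namespace>:<name>, the API server authorizes the request as verb impersonate on resource serviceaccounts, in that namespace, with the bare account name. A namespaced Role restricted by resourceNames therefore limits the grant to one service account. The object name impersonate-example-role is hypothetical; the namespaces and account names are taken from the question.

```yaml
# Added example (not from the original post).
# The Role lives in the namespace of the service account being impersonated.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: impersonate-example-role    # hypothetical name
  namespace: example-namespace
rules:
- apiGroups: [""]
  resources: ["serviceaccounts"]    # plural resource name
  resourceNames: ["example-role"]   # bare name, no namespace prefix
  verbs: ["impersonate"]
---
# Bind the Role to the service account that should be allowed to impersonate.
# A RoleBinding may reference a subject from another namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: impersonate-example-role    # hypothetical name
  namespace: example-namespace
subjects:
- kind: ServiceAccount
  name: test
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: impersonate-example-role
# Check the grant, passing the caller's full service account username to --as:
#   kubectl auth can-i impersonate serviceaccounts/example-role \
#     -n example-namespace --as=system:serviceaccount:default:test
```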