config: support username impersonation

cjihrig · cjihrig · commit 531daad79557 · 2025-04-15T21:45:10.000-04:00
This commit adds support for username impersonation. This does not implement group, UID, or extra impersonation. Refs: #2355
diff --git a/src/config.ts b/src/config.ts
@@ -582,6 +582,11 @@ export class KubeConfig implements SecurityAuthentication {
         if (key) {
             opts.key = key;
         }
+
+        if (user.impersonateUser != null) {
+            opts.headers ??= {};
+            opts.headers['Impersonate-User'] = user.impersonateUser;
+        }
     }
 
     private async applyAuthorizationHeader(
diff --git a/src/config_test.ts b/src/config_test.ts
@@ -643,6 +643,23 @@ describe('KubeConfig', () => {
             strictEqual(username, users[0].username);
             strictEqual(name, users[0].name);
         });
+        it('should load impersonation information', () => {
+            const users = newUsers([
+                {
+                    name: 'some-name-1',
+                    as: 'impersonated-user',
+                    user: {},
+                },
+                {
+                    name: 'some-name-2',
+                    user: {},
+                },
+            ]);
+            strictEqual('some-name-1', users[0].name);
+            strictEqual('impersonated-user', users[0].impersonateUser);
+            strictEqual('some-name-2', users[1].name);
+            strictEqual(undefined, users[1].impersonateUser);
+        });
     });
 
     describe('findHome', () => {
@@ -1787,4 +1804,25 @@ describe('KubeConfig', () => {
             strictEqual(opts.headers!.Authorization, 'Bearer test-token');
         });
     });
+
+    describe('Impersonation', () => {
+        it('injects Impersonate-User header', async () => {
+            const kc = new KubeConfig();
+            const cluster: Cluster = {
+                name: 'test-cluster',
+                server: 'https://localhost:6443',
+                skipTLSVerify: false,
+            };
+            const user: User = {
+                name: 'test-user',
+                authProvider: 'custom',
+                impersonateUser: 'impersonate-user',
+            };
+
+            kc.loadFromClusterAndUser(cluster, user);
+            const opts: RequestOptions = {};
+            await kc.applyToHTTPSOptions(opts);
+            strictEqual(opts.headers!['Impersonate-User'], 'impersonate-user');
+        });
+    });
 });
diff --git a/src/config_types.ts b/src/config_types.ts
@@ -97,6 +97,7 @@ export interface User {
     readonly token?: string;
     readonly username?: string;
     readonly password?: string;
+    readonly impersonateUser?: string;
 }
 
 export function newUsers(a: any, opts?: Partial<ConfigOptions>): User[] {
@@ -112,6 +113,7 @@ export function newUsers(a: any, opts?: Partial<ConfigOptions>): User[] {
 export function exportUser(user: User): any {
     return {
         name: user.name,
+        as: user.impersonateUser,
         user: {
             'auth-provider': user.authProvider,
             'client-certificate-data': user.certData,
@@ -143,6 +145,7 @@ function userIterator(onInvalidEntry: ActionOnInvalid): (elt: any, i: number, li
                 token: findToken(elt.user),
                 password: elt.user ? elt.user.password : null,
                 username: elt.user ? elt.user.username : null,
+                impersonateUser: elt.as,
             };
         } catch (err) {
             switch (onInvalidEntry) {

Original file line number	Diff line number	Diff line change
`@@ -582,6 +582,11 @@ export class KubeConfig implements SecurityAuthentication {`
`582`	`582`	`if (key) {`
`583`	`583`	`opts.key = key;`
`584`	`584`	`}`
	`585`	`+`
	`586`	`+ if (user.impersonateUser != null) {`
	`587`	`+ opts.headers ??= {};`
	`588`	`+ opts.headers['Impersonate-User'] = user.impersonateUser;`
	`589`	`+ }`
`585`	`590`	`}`
`586`	`591`
`587`	`592`	`private async applyAuthorizationHeader(`