config: support username impersonation

cjihrig · cjihrig · commit 77812b9646ff · 2025-04-15T21:41:04.000-04:00
This commit adds support for username impersonation. This does not implement group, UID, or extra impersonation. Refs: #2355
diff --git a/src/config.ts b/src/config.ts
@@ -582,6 +582,11 @@ export class KubeConfig implements SecurityAuthentication {
         if (key) {
             opts.key = key;
         }
+
+        if (user.impersonateUser != null) {
+            opts.headers ??= {};
+            opts.headers['Impersonate-User'] = user.impersonateUser;
+        }
     }
 
     private async applyAuthorizationHeader(
diff --git a/src/config_test.ts b/src/config_test.ts
@@ -642,6 +642,20 @@ describe('KubeConfig', () => {
             strictEqual(password, users[0].password);
             strictEqual(username, users[0].username);
             strictEqual(name, users[0].name);
+            strictEqual(undefined, users[0].impersonateUser);
+        });
+        it('should load impersonation information', () => {
+            const name = 'some-name';
+            const as = 'impersonated-user';
+            const users = newUsers([
+                {
+                    name,
+                    as: 'impersonated-user',
+                    user: {},
+                },
+            ]);
+            strictEqual(name, users[0].name);
+            strictEqual(as, users[0].impersonateUser);
         });
     });
 
@@ -1787,4 +1801,25 @@ describe('KubeConfig', () => {
             strictEqual(opts.headers!.Authorization, 'Bearer test-token');
         });
     });
+
+    describe('Impersonation', () => {
+        it('injects Impersonate-User header', async () => {
+            const kc = new KubeConfig();
+            const cluster: Cluster = {
+                name: 'test-cluster',
+                server: 'https://localhost:6443',
+                skipTLSVerify: false,
+            };
+            const user: User = {
+                name: 'test-user',
+                authProvider: 'custom',
+                impersonateUser: 'impersonate-user',
+            };
+
+            kc.loadFromClusterAndUser(cluster, user);
+            const opts: RequestOptions = {};
+            await kc.applyToHTTPSOptions(opts);
+            strictEqual(opts.headers!['Impersonate-User'], 'impersonate-user');
+        });
+    });
 });
diff --git a/src/config_types.ts b/src/config_types.ts
@@ -97,6 +97,7 @@ export interface User {
     readonly token?: string;
     readonly username?: string;
     readonly password?: string;
+    readonly impersonateUser?: string;
 }
 
 export function newUsers(a: any, opts?: Partial<ConfigOptions>): User[] {
@@ -112,6 +113,7 @@ export function newUsers(a: any, opts?: Partial<ConfigOptions>): User[] {
 export function exportUser(user: User): any {
     return {
         name: user.name,
+        as: user.impersonateUser,
         user: {
             'auth-provider': user.authProvider,
             'client-certificate-data': user.certData,
@@ -143,6 +145,7 @@ function userIterator(onInvalidEntry: ActionOnInvalid): (elt: any, i: number, li
                 token: findToken(elt.user),
                 password: elt.user ? elt.user.password : null,
                 username: elt.user ? elt.user.username : null,
+                impersonateUser: elt.as,
             };
         } catch (err) {
             switch (onInvalidEntry) {

Original file line number	Diff line number	Diff line change
`@@ -582,6 +582,11 @@ export class KubeConfig implements SecurityAuthentication {`
`582`	`582`	`if (key) {`
`583`	`583`	`opts.key = key;`
`584`	`584`	`}`
	`585`	`+`
	`586`	`+ if (user.impersonateUser != null) {`
	`587`	`+ opts.headers ??= {};`
	`588`	`+ opts.headers['Impersonate-User'] = user.impersonateUser;`
	`589`	`+ }`
`585`	`590`	`}`
`586`	`591`
`587`	`592`	`private async applyAuthorizationHeader(`