Kubernetes Impersonation via the Kubeconfig

Colin J. Ihrig

I recently added user impersonation to the Kubernetes client for Node.js. When this feature was requested, I went looking for some official documentation. Apparently, I was not the only one. Unfortunately, that issue only links to the Kubeconfig schema reference, and not any actual examples. So, I decided to write up something short and simple. For additional information, see the official impersonation docs.

In your Kubeconfig, you can configure user impersonation as shown below:

apiVersion: v1
#
# ... Additional configuration.
#
users:
- name: minikube
  user:
    # The `as` field is the username to impersonate.
    # This is similar to `kubectl --as=impersonated-user`
    # There are similar `as-uid`, `as-groups`, and `as-user-extra` fields.
    as: impersonated-user
    client-certificate: .../client.crt
    client-key: .../client.key
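
On the wire, a client sends these kubeconfig fields to the API server as the `Impersonate-User`, `Impersonate-Uid`, `Impersonate-Group`, and `Impersonate-Extra-*` request headers. The sketch below is an added example, not code from the Node.js client or from this post; the function names and the sample user are hypothetical, and it shows the mapping plus the rule that the other headers require `Impersonate-User`.

```javascript
// Added example: function names and sample values are hypothetical.
// Characters legal in an HTTP header name, minus '%', which must itself be escaped.
const TOKEN_CHAR = /[!#$&'*+\-.^_`|~0-9A-Za-z]/;

// Percent-encode the UTF-8 bytes of an extra key that are not legal in a header name.
function escapeHeaderKey(key) {
  return Array.from(Buffer.from(key, 'utf8'), (b) => {
    const c = String.fromCharCode(b);
    return TOKEN_CHAR.test(c) ? c : '%' + b.toString(16).toUpperCase().padStart(2, '0');
  }).join('');
}

// Turn the `user` entry of a parsed kubeconfig into [name, value] header pairs.
function impersonationHeaders(user) {
  const groups = user['as-groups'] || [];
  const extra = user['as-user-extra'] || {};
  const hasOthers =
    Boolean(user['as-uid']) || groups.length > 0 || Object.keys(extra).length > 0;
  if (!user.as) {
    // Impersonate-Uid, -Group and -Extra-* are only valid together with Impersonate-User.
    if (hasOthers) throw new Error('as-uid, as-groups and as-user-extra require `as`');
    return [];
  }
  const headers = [['Impersonate-User', user.as]];
  if (user['as-uid']) headers.push(['Impersonate-Uid', user['as-uid']]);
  // One header per group; the header is repeated for multiple groups.
  for (const g of groups) headers.push(['Impersonate-Group', g]);
  // Each extra key becomes its own header name; each value is sent separately.
  for (const [key, values] of Object.entries(extra)) {
    for (const v of values) headers.push([`Impersonate-Extra-${escapeHeaderKey(key)}`, v]);
  }
  return headers;
}

// Constructed sample user entry (values are illustrative only).
const sampleUser = {
  as: 'impersonated-user',
  'as-groups': ['developers', 'auditors'],
  'as-user-extra': { 'example.com/reason': ['ticket-1234'] },
};
console.log(impersonationHeaders(sampleUser));
```

The API server only honors these headers when the authenticated identity holds the RBAC `impersonate` verb on the requested users, groups, or extra fields.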

You can verify that impersonation is working properly by running kubectl auth whoami. The following example shows calls before and after configuring impersonation.

$ kubectl auth whoami
ATTRIBUTE   VALUE
Username    minikube-user
Groups      [system:masters system:authenticated]

$ kubectl auth whoami
ATTRIBUTE   VALUE
Username    impersonated-user
Groups      [system:authenticated]

This is essentially the same as the following sequence of commands that configure impersonation using kubectl flags:

$ kubectl auth whoami
ATTRIBUTE   VALUE
Username    minikube-user
Groups      [system:masters system:authenticated]

$ kubectl auth whoami --as=impersonated-user
ATTRIBUTE   VALUE
Username    impersonated-user
Groups      [system:authenticated]