Kubernetes Impersonation via the Kubeconfig
Colin J. Ihrig
I recently added user impersonation to the Kubernetes client for Node.js. When this feature was requested, I went looking for some official documentation. Apparently, I was not the only one. Unfortunately, that issue only links to the Kubeconfig schema reference, and not any actual examples. So, I decided to write up something short and simple. For additional information, see the official impersonation docs.
In your Kubeconfig, you can configure user impersonation as shown below:
apiVersion: v1
#
# ... Additional configuration.
#
users:
  - name: minikube
    user:
      # The `as` field is the username to impersonate.
      # This is similar to `kubectl --as=impersonated-user`
      # There are similar `as-uid`, `as-groups`, and `as-user-extra` fields.
      as: impersonated-user
      client-certificate: .../client.crt
      client-key: .../client.key
You can verify that impersonation is working properly by running kubectl auth whoami. The following example shows calls before and after configuring impersonation.
$ kubectl auth whoami
ATTRIBUTE VALUE
Username minikube-user
Groups [system:masters system:authenticated]
$ kubectl auth whoami
ATTRIBUTE VALUE
Username impersonated-user
Groups [system:authenticated]
This is essentially the same as the following sequence of commands that configure impersonation using kubectl flags:
$ kubectl auth whoami
ATTRIBUTE VALUE
Username minikube-user
Groups [system:masters system:authenticated]
$ kubectl auth whoami --as=impersonated-user
ATTRIBUTE VALUE
Username impersonated-user
Groups [system:authenticated]
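The kubeconfig fields and the `--as` flag are equivalent because both end up as impersonation headers on every API request. The following is an added example, not code from the Kubernetes client for Node.js: it maps an already-parsed kubeconfig `user` object to the `Impersonate-*` headers described in the official impersonation docs. The function names and the sample input are assumptions made for illustration.

```javascript
// Added example: kubeconfig impersonation fields -> Kubernetes API request headers.
// `user` is the already-parsed `user` object from a kubeconfig `users` entry.
const TOKEN_CHAR = /^[A-Za-z0-9!#$&'*+\-.^_`|~]$/;

// Percent-encode every UTF-8 byte that is not a legal HTTP header-name character.
// '%' itself is encoded so the result decodes unambiguously.
function escapeHeaderKey(key) {
  let out = '';
  for (const byte of new TextEncoder().encode(key)) {
    const ch = String.fromCharCode(byte);
    out += byte < 0x80 && TOKEN_CHAR.test(ch)
      ? ch
      : '%' + byte.toString(16).toUpperCase().padStart(2, '0');
  }
  return out;
}

function impersonationHeaders(user) {
  const groups = user['as-groups'] || [];
  const extra = user['as-user-extra'] || {};
  const hasDetail = user['as-uid'] || groups.length > 0 || Object.keys(extra).length > 0;
  if (!user.as) {
    // The API server rejects uid/group/extra headers sent without Impersonate-User.
    if (hasDetail) throw new Error('as-uid, as-groups and as-user-extra require `as`');
    return [];
  }
  // Pairs rather than an object: group and extra headers may repeat.
  const headers = [['Impersonate-User', user.as]];
  if (user['as-uid']) headers.push(['Impersonate-Uid', user['as-uid']]);
  for (const g of groups) headers.push(['Impersonate-Group', g]);
  for (const [key, values] of Object.entries(extra)) {
    for (const v of values) headers.push([`Impersonate-Extra-${escapeHeaderKey(key)}`, v]);
  }
  return headers;
}

// Constructed sample input (not from the article).
const sample = {
  as: 'impersonated-user',
  'as-groups': ['developers', 'auditors'],
  'as-user-extra': { 'example.com/scope': ['view'] },
};
console.log(impersonationHeaders(sample));
```

The credentials in the kubeconfig (here the client certificate) still authenticate the request; the API server then checks that the authenticated user holds the `impersonate` permission before switching identity.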