User impersonation in Kubernetes

I’m writing this blog post to remember how easily you can impersonate your requests to Kubernetes. Before that, I was recreating my KUBECONFIG with impersonated credentials; now you can pass them as flags to kubectl or k9s:

$ kubectl options
...
      --as='': Username to impersonate for the operation. User could be a regular user or a service account in a namespace.
      --as-group=[]: Group to impersonate for the operation, this flag can be repeated to specify multiple groups.
      --as-uid='': UID to impersonate for the operation.
...

Under the hood, kubectl uses client-go, which provides ImpersonationConfig; the REST client translates it into dedicated HTTP headers, e.g. Impersonate-User. To use impersonation you need sufficient permissions, and those permissions can also define which resource names you are allowed to impersonate. More info about it.
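The header translation described above, as an added example (not code from this post or from client-go): a small Go http.RoundTripper sets Impersonate-User, Impersonate-Group and Impersonate-Uid the way the --as, --as-group and --as-uid values end up on the wire, and a local stub server standing in for the API server returns what it received. The type name, function name and the sample user, groups and UID are assumptions made up for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// impersonatingTransport holds the values of --as, --as-uid and --as-group and
// adds them as headers to every request (hypothetical type, not client-go's).
type impersonatingTransport struct {
	user, uid string
	groups    []string
	next      http.RoundTripper
}

func (t impersonatingTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	req = req.Clone(req.Context()) // a RoundTripper must not mutate the caller's request
	req.Header.Set("Impersonate-User", t.user)
	for _, g := range t.groups {
		req.Header.Add("Impersonate-Group", g) // one header line per --as-group
	}
	if t.uid != "" {
		req.Header.Set("Impersonate-Uid", t.uid)
	}
	return t.next.RoundTrip(req)
}

// CaptureHeaders sends one request through the transport to a local stub
// (standing in for the API server) and returns the headers the stub received.
func CaptureHeaders(user string, groups []string, uid string) (http.Header, error) {
	got := make(chan http.Header, 1)
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got <- r.Header.Clone()
	}))
	defer srv.Close()
	client := &http.Client{Transport: impersonatingTransport{user: user, uid: uid, groups: groups, next: srv.Client().Transport}}
	resp, err := client.Get(srv.URL + "/api/v1/namespaces/default/pods")
	if err != nil {
		return nil, err
	}
	resp.Body.Close()
	return <-got, nil
}

func main() {
	h, _ := CaptureHeaders("jane", []string{"dev", "ops"}, "1234") // constructed sample values
	fmt.Println(h.Get("Impersonate-User"), h.Values("Impersonate-Group"), h.Get("Impersonate-Uid"))
}
```

On a real cluster, the API server's audit events record both the authenticated user and the impersonated one (the impersonatedUser field), which is where to look when reviewing who used impersonation.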
