Impersonation on web console needs additional permissions

[naved001]

A user who is bound to the clusterrole sudoer can impersonate the user system:admin from the command line without any problems, however, the option to impersonate is grayed out on the openshift web console.

A workaround is to add these additional permissions to the sudoer role:

- apiGroups:
  - authorization.k8s.io
  resources:
  - '*'
  verbs:
  - impersonate

This works, but for some reason if I explicitly list out all resources that would fall under that apiGroups then it doesn't work. So, with something like this, it doesn't work.

- apiGroups:
  - authorization.k8s.io
  resources:
  - localsubjectaccessreviews
  - selfsubjectaccessreviews
  - selfsubjectrulesreviews
  - subjectaccessreviews
  - clusterrolebindings
  - clusterroles
  - rolebindings
  - roles
  verbs:
  - impersonate

As far as I can tell those are the only resources under that apiGroup

naved@computer moc-infra-config %       oc api-resources |grep 'authorization.k8s.io'
localsubjectaccessreviews                                                                                                    authorization.k8s.io/v1                       true         LocalSubjectAccessReview
selfsubjectaccessreviews                                                                                                     authorization.k8s.io/v1                       false        SelfSubjectAccessReview
selfsubjectrulesreviews                                                                                                      authorization.k8s.io/v1                       false        SelfSubjectRulesReview
subjectaccessreviews                                                                                                         authorization.k8s.io/v1                       false        SubjectAccessReview
clusterrolebindings                                                                                                          rbac.authorization.k8s.io/v1                  false        ClusterRoleBinding
clusterroles                                                                                                                 rbac.authorization.k8s.io/v1                  false        ClusterRole
rolebindings                                                                                                                 rbac.authorization.k8s.io/v1                  true         RoleBinding
roles                                                                                                                        rbac.authorization.k8s.io/v1                  true         Role

[larsks]

Do you have a copy of the error message you get when trying to impersonate without these permissions? The explicit list may be failing because the access attempt is on a subresource. E.g., like this:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    nerc.mghpcc.org/aggregate-to-nerc-ops: "true"
  name: nerc-ops-pod-exec
rules:
  - apiGroups:
      - ""
    resources:
      - pods/exec
    verbs:
      - create

Here, we're granting permission to the pods/exec subresource.

[naved001]

Do you have a copy of the error message you get when trying to impersonate without these permissions?

The web console doesn't print any error, the impersonate button is just grayed out.