UPSTREAM: <squash>: authz: add warrants to default rule resolver: global service account

Signed-off-by: Dr. Stefan Schimanski <[email protected]>

Author: sttts

pkg/registry/rbac/validation/kcp.go

@@ -2,6 +2,7 @@ package validation
 
 import (
 	"context"
+	"fmt"
 	"strings"
 
 	"github.com/kcp-dev/logicalcluster/v3"
@@ -69,6 +70,20 @@ func withWarrants(appliesToUser appliesToUserFuncCtx) appliesToUserFuncCtx {
 			return true
 		}
 
+		if IsServiceAccount(u) {
+			if cluster := genericapirequest.ClusterFrom(ctx); cluster != nil && cluster.Name != "" {
+				nsNameSuffix := strings.TrimPrefix(u.GetName(), "system:serviceaccount:")
+				rewritten := &user.DefaultInfo{
+					Name:   fmt.Sprintf("system:kcp:serviceaccount:%s:%s", cluster.Name, nsNameSuffix),
+					Groups: []string{user.AllAuthenticated},
+					Extra:  u.GetExtra(),
+				}
+				if appliesToUser(ctx, rewritten, bindingSubject, namespace) {
+					return true
+				}
+			}
+		}
+
 		for _, v := range u.GetExtra()[WarrantExtraKey] {
 			var w Warrant
 			if err := json.Unmarshal([]byte(v), &w); err != nil {

pkg/registry/rbac/validation/kcp_test.go

@@ -358,6 +358,18 @@ func TestAppliesToUserWithWarrantsAndScopes(t *testing.T) {
 			sub:  rbacv1.Subject{Kind: "ServiceAccount", Namespace: "ns", Name: "sa"},
 			want: false,
 		},
+		{
+			name: "service account with cluster as global kcp service account",
+			user: &user.DefaultInfo{Name: "system:serviceaccount:ns:sa", Extra: map[string][]string{"authentication.kubernetes.io/cluster-name": {"this"}}},
+			sub:  rbacv1.Subject{Kind: "User", Name: "system:kcp:serviceaccount:this:ns:sa"},
+			want: true,
+		},
+		{
+			name: "service account with scope as global kcp service account",
+			user: &user.DefaultInfo{Name: "system:serviceaccount:ns:sa", Extra: map[string][]string{"authentication.kcp.io/scopes": {"cluster:this"}}},
+			sub:  rbacv1.Subject{Kind: "User", Name: "system:kcp:serviceaccount:this:ns:sa"},
+			want: true,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {