include cluster name in authz SubjectAccessReview in webhooks

On-behalf-of: @SAP [email protected]
kcp-dev · Nov 13, 2024 · 2ec0f78 · 2ec0f78
1 parent ab5c3a6
commit 2ec0f78
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/staging/src/k8s.io/apiserver/plugin/pkg/authorizer/webhook/webhook.go b/staging/src/k8s.io/apiserver/plugin/pkg/authorizer/webhook/webhook.go
@@ -41,6 +41,7 @@ import (
 	"k8s.io/apiserver/pkg/authentication/user"
 	"k8s.io/apiserver/pkg/authorization/authorizer"
 	authorizationcel "k8s.io/apiserver/pkg/authorization/cel"
+	"k8s.io/apiserver/pkg/endpoints/request"
 	genericfeatures "k8s.io/apiserver/pkg/features"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/apiserver/pkg/util/webhook"
@@ -196,6 +197,14 @@ func (w *WebhookAuthorizer) Authorize(ctx context.Context, attr authorizer.Attri
 		}
 	}
 
+	clusterName, err := request.ClusterNameFrom(ctx)
+	if err == nil {
+		if r.Spec.Extra == nil {
+			r.Spec.Extra = map[string]authorizationv1.ExtraValue{}
+		}
+		r.Spec.Extra["authentication.kubernetes.io/cluster-name"] = authorizationv1.ExtraValue{clusterName.Path().String()}
+	}
+
 	if attr.IsResourceRequest() {
 		r.Spec.ResourceAttributes = resourceAttributesFrom(attr)
 	} else {