From 2ec0f781ab4db17b6c1db39ac95a3bab225f2d68 Mon Sep 17 00:00:00 2001
From: Christoph Mewes
Date: Wed, 13 Nov 2024 14:50:45 +0100
Subject: [PATCH] include cluster name in authz SubjectAccessReview in webhooks

On-behalf-of: @SAP christoph.mewes@sap.com
---
 .../apiserver/plugin/pkg/authorizer/webhook/webhook.go | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/staging/src/k8s.io/apiserver/plugin/pkg/authorizer/webhook/webhook.go b/staging/src/k8s.io/apiserver/plugin/pkg/authorizer/webhook/webhook.go
index f70cce6e15c4a..eb20596e6dac2 100644
--- a/staging/src/k8s.io/apiserver/plugin/pkg/authorizer/webhook/webhook.go
+++ b/staging/src/k8s.io/apiserver/plugin/pkg/authorizer/webhook/webhook.go
@@ -41,6 +41,7 @@ import (
 	"k8s.io/apiserver/pkg/authentication/user"
 	"k8s.io/apiserver/pkg/authorization/authorizer"
 	authorizationcel "k8s.io/apiserver/pkg/authorization/cel"
+	"k8s.io/apiserver/pkg/endpoints/request"
 	genericfeatures "k8s.io/apiserver/pkg/features"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/apiserver/pkg/util/webhook"
@@ -196,6 +197,14 @@ func (w *WebhookAuthorizer) Authorize(ctx context.Context, attr authorizer.Attri
 		}
 	}
 
+	clusterName, err := request.ClusterNameFrom(ctx)
+	if err == nil {
+		if r.Spec.Extra == nil {
+			r.Spec.Extra = map[string]authorizationv1.ExtraValue{}
+		}
+		r.Spec.Extra["authentication.kubernetes.io/cluster-name"] = authorizationv1.ExtraValue{clusterName.Path().String()}
+	}
+
 	if attr.IsResourceRequest() {
 		r.Spec.ResourceAttributes = resourceAttributesFrom(attr)
 	} else {
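Review bot: The new write to `r.Spec.Extra` uses a key under the `authentication.kubernetes.io/` prefix, which an authenticator or an impersonation header can also place in the user's extras, so whether this value is authoritative for the webhook depends on `r.Spec.Extra` already having been filled from `attr.GetUser().GetExtra()` earlier in Authorize (outside the hunk) and on that map not being aliased to the user's own extras, in which case this assignment would mutate the authenticated user info for the rest of the request. That ordering and ownership intent should be stated above the block, e.g. `// Set after the user's extras are copied in: the cluster name must override any caller-supplied value for this key.`, and the literal key deserves a named constant such as `const clusterNameExtraKey = "authentication.kubernetes.io/cluster-name"` so the webhook side can reference the same string. The error from `request.ClusterNameFrom` is dropped silently, so a request whose context carries no cluster is sent to the webhook without the field and is indistinguishable from a single-cluster deployment; if the webhook relies on this for scoping decisions, consider whether that case should deny rather than degrade, and at minimum skip the assignment when `clusterName.Path().String()` is empty rather than sending an empty value. Authorize begins and ends outside this hunk.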