Add extra field when doing SubjectAccessReview (#265)

jinjiaKarl · web-flow · commit 51d0812eabdb · 2026-04-10T16:33:23.000-04:00
Pass UserInfo.Extra fields when constructing the SubjectAccessReview for
the requesting user in the WorkerResourceTemplate validating webhook.

Previously, the webhook only forwarded User and Groups to the SAR spec.
This omitted the Extra field, which cloud providers like GKE use to
carry IAM identity information (e.g. iam.gke.io/user-assertion). Without
it, the SAR could not evaluate permissions granted via GKE IAM or GCP
group membership, only direct RBAC bindings to a specific username were
recognized.

deployed to one GKE cluster, people with GKE IAM Admin permission can
create/update/delete WorkerResourceTemplate resource without granting
Kubernetes built-in RBAC bindings
diff --git a/api/v1alpha1/workerresourcetemplate_webhook.go b/api/v1alpha1/workerresourcetemplate_webhook.go
@@ -7,6 +7,7 @@ import (
 	"os"
 	"strings"
 
+	authenticationv1 "k8s.io/api/authentication/v1"
 	authorizationv1 "k8s.io/api/authorization/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/api/meta"
@@ -390,6 +391,19 @@ func isEmptyMap(v interface{}) bool {
 	return ok && len(m) == 0
 }
 
+// convertUserInfoExtra converts an authentication ExtraValue map to an authorization ExtraValue map.
+// Both types are []string under the hood; the conversion preserves all values exactly.
+func convertUserInfoExtra(extra map[string]authenticationv1.ExtraValue) map[string]authorizationv1.ExtraValue {
+	if len(extra) == 0 {
+		return nil
+	}
+	out := make(map[string]authorizationv1.ExtraValue, len(extra))
+	for k, v := range extra {
+		out[k] = authorizationv1.ExtraValue(v)
+	}
+	return out
+}
+
 // validateWithAPI performs API-dependent validation: RESTMapper scope check and
 // SubjectAccessReview for both the requesting user and the controller service account.
 // verb is the RBAC verb to check ("create" on create/update, "delete" on delete).
@@ -456,6 +470,11 @@ func (v *WorkerResourceTemplateValidator) validateWithAPI(ctx context.Context, w
 			Spec: authorizationv1.SubjectAccessReviewSpec{
 				User:   req.UserInfo.Username,
 				Groups: req.UserInfo.Groups,
+				// Some authentication plugins like GKE's IAM plugin rely on certain fields being
+				// present in the UserInfo.Extra field, so here we make sure to copy any extra
+				// field values from the authentication request into the extra field of the
+				// authorization review.
+				Extra: convertUserInfoExtra(req.UserInfo.Extra),
 				ResourceAttributes: &authorizationv1.ResourceAttributes{
 					Namespace: wrt.Namespace,
 					Verb:      verb,
