Merge pull request #102 from Somefive/feat/always-impersonate

Feat: add ClientIdentityPenetration flag

Author: Somefive

pkg/apis/cluster/v1alpha1/clustergateway_proxy.go

@@ -24,7 +24,10 @@ import (
 	"strings"
 	"time"
 
+	utilfeature "k8s.io/apiserver/pkg/util/feature"
+
 	"github.com/oam-dev/cluster-gateway/pkg/config"
+	"github.com/oam-dev/cluster-gateway/pkg/featuregates"
 	"github.com/oam-dev/cluster-gateway/pkg/metrics"
 
 	"github.com/pkg/errors"
@@ -216,7 +219,7 @@ func (p *proxyHandler) ServeHTTP(writer http.ResponseWriter, request *http.Reque
 		responsewriters.InternalError(writer, request, errors.Wrapf(err, "failed creating cluster proxy client config %s", cluster.Name))
 		return
 	}
-	if p.impersonate {
+	if p.impersonate || utilfeature.DefaultFeatureGate.Enabled(featuregates.ClientIdentityPenetration) {
 		cfg.Impersonate = getImpersonationConfig(request)
 	}
 	rt, err := restclient.TransportFor(cfg)

pkg/featuregates/featue_gate.go

@@ -31,9 +31,17 @@ const (
 	// SecretCache runs a namespaced secret informer inside the apiserver which
 	// provides a cache for reading secret data.
 	SecretCache featuregate.Feature = "SecretCache"
+
+	// owner: @somefive
+	// alpha: v1.4.0
+	//
+	// ClientIdentityPenetration enforce impersonate as the original request user
+	// when accessing apiserver in ManagedCluster
+	ClientIdentityPenetration featuregate.Feature = "ClientIdentityPenetration"
 )
 
 var DefaultKubeFedFeatureGates = map[featuregate.Feature]featuregate.FeatureSpec{
-	HealthinessCheck: {Default: false, PreRelease: featuregate.Alpha},
-	SecretCache:      {Default: true, PreRelease: featuregate.Beta},
+	HealthinessCheck:          {Default: false, PreRelease: featuregate.Alpha},
+	SecretCache:               {Default: true, PreRelease: featuregate.Beta},
+	ClientIdentityPenetration: {Default: false, PreRelease: featuregate.Alpha},
 }