@@ -148,6 +148,8 @@ func (p *Proxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
148148
149149 subProtocol := ""
150150 proxiedHeader := make (http.Header , len (r .Header ))
151+ hasImpersonateUser := false
152+
151153 for key , value := range r .Header {
152154 if key != "Sec-Websocket-Protocol" {
153155 // Do not proxy the subprotocol to the API server because k8s does not understand what we're sending
@@ -169,6 +171,7 @@ func (p *Proxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
169171 return
170172 }
171173 proxiedHeader .Set ("Impersonate-User" , decodedProtocol )
174+ hasImpersonateUser = true
172175 subProtocol = protocol
173176 } else if strings .HasPrefix (protocol , "Impersonate-Group." ) {
174177 encodedProtocol := strings .TrimPrefix (protocol , "Impersonate-Group." )
@@ -178,8 +181,12 @@ func (p *Proxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
178181 http .Error (w , errMsg , http .StatusBadRequest )
179182 return
180183 }
181- proxiedHeader .Set ("Impersonate-User" , string (decodedProtocol ))
182- proxiedHeader .Set ("Impersonate-Group" , string (decodedProtocol ))
184+ // If we haven't set Impersonate-User yet, this is single-group impersonation (backward compatibility)
185+ if ! hasImpersonateUser {
186+ proxiedHeader .Set ("Impersonate-User" , string (decodedProtocol ))
187+ }
188+ // Add each group as a separate Impersonate-Group header
189+ proxiedHeader .Add ("Impersonate-Group" , string (decodedProtocol ))
183190 subProtocol = protocol
184191 } else {
185192 proxiedHeader .Set ("Sec-Websocket-Protocol" , protocol )
@@ -189,6 +196,11 @@ func (p *Proxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
189196 }
190197 }
191198
199+ // Add system:authenticated when impersonating groups
200+ if len (proxiedHeader ["Impersonate-Group" ]) > 0 {
201+ proxiedHeader .Add ("Impersonate-Group" , "system:authenticated" )
202+ }
203+
192204 // Filter websocket headers.
193205 websocketHeaders := []string {
194206 "Connection" ,
0 commit comments