open-cluster-management-io · openshift-merge-bot · Nov 13, 2025 · Nov 12, 2025
diff --git a/charts/cluster-proxy/templates/clusterrole.yaml b/charts/cluster-proxy/templates/clusterrole.yaml
@@ -167,6 +167,7 @@ rules:
   # Allow cluster-proxy to do impersonation
   # Needs to create a clusterrole for the addon-agent to create tokenreview to hub
   # Although hub side doesn't need to create token view, it still requires the tokenreview create permission
+  {{- if .Values.enableImpersonation }}
   - apiGroups:
       - rbac.authorization.k8s.io
     resources:
@@ -184,3 +185,4 @@ rules:
       - tokenreviews
     verbs:
       - create
+  {{- end }}
diff --git a/charts/cluster-proxy/templates/managedproxyconfiguration.yaml b/charts/cluster-proxy/templates/managedproxyconfiguration.yaml
@@ -28,3 +28,5 @@ spec:
   proxyAgent:
     image: {{ .Values.proxyAgentImage }}:{{ .Values.tag | default (print "v" .Chart.Version) }}
     replicas: {{ .Values.replicas }}
+    additionalValues:
+      enableImpersonation: {{ .Values.enableImpersonation | quote }}
diff --git a/charts/cluster-proxy/values.yaml b/charts/cluster-proxy/values.yaml
@@ -33,3 +33,4 @@ enableKubeApiProxy: true
 # Note: Other required secrets (proxy-server-ca, proxy-client) will be created automatically by the controller.
 # Without cluster-proxy-user-serving-cert, the user-server deployment will remain in Pending state.
 enableServiceProxy: false
+enableImpersonation: true
diff --git a/pkg/proxyagent/agent/agent.go b/pkg/proxyagent/agent/agent.go
@@ -313,7 +313,7 @@ func GetClusterProxyValueFunc(
 		}
 		agentIdentifiers := strings.Join(aids, "&")
 
-		return map[string]interface{}{
+		values := map[string]interface{}{
 			"agentDeploymentName":        "cluster-proxy-proxy-agent",
 			"serviceDomain":              serviceDomain,
 			"includeNamespaceCreation":   true,
@@ -337,7 +337,20 @@ func GetClusterProxyValueFunc(
 			"servicesToExpose":            servicesToExpose,
 			"enableKubeApiProxy":          enableKubeApiProxy,
 			"addtionalServiceCAConfigMap": proxyConfig.Spec.ProxyAgent.AdditionalValues["addtionalServiceCAConfigMap"],
-		}, nil
+		}
+
+		if enableImpersonationStr := proxyConfig.Spec.ProxyAgent.AdditionalValues["enableImpersonation"]; enableImpersonationStr != "" {
+			// Validate the boolean string to prevent invalid values that would cause deployment failure
+			// Valid values: "true", "false", "1", "0" (as accepted by Go's flag.BoolVar)
+			if enableImpersonationStr == "true" || enableImpersonationStr == "false" ||
+				enableImpersonationStr == "1" || enableImpersonationStr == "0" {
+				values["enableImpersonation"] = enableImpersonationStr
+			} else {
+				return nil, fmt.Errorf("invalid value for enableImpersonation: %q, must be one of: true, false, 1, 0", enableImpersonationStr)
+			}
+		}
+
+		return values, nil
 	}
 }
 

diff --git a/pkg/proxyagent/agent/manifests/charts/addon-agent/templates/addon-agent-clusterrole.yaml b/pkg/proxyagent/agent/manifests/charts/addon-agent/templates/addon-agent-clusterrole.yaml
@@ -3,7 +3,7 @@ kind: ClusterRole
 metadata:
   name: cluster-proxy-addon-agent-impersonator
 rules:
-{{- if ne (toString .Values.impersonatePermissionEnabled) "false" }}
+{{- if .Values.enableImpersonation }}
 - apiGroups: [""]
   resources: ["users", "groups", "serviceaccounts"]
   verbs: ["impersonate"]

diff --git a/pkg/proxyagent/agent/manifests/charts/addon-agent/templates/addon-agent-deployment.yaml b/pkg/proxyagent/agent/manifests/charts/addon-agent/templates/addon-agent-deployment.yaml
@@ -154,6 +154,7 @@ spec:
           {{- if .Values.addtionalServiceCAConfigMap }}
             - --additional-service-ca=/additional-service-ca/service-ca.crt
           {{- end }}
+            - --enable-impersonation={{ .Values.enableImpersonation }}
             - --cert=/server-cert/tls.crt
             - --key=/server-cert/tls.key
             - --hub-kubeconfig=/etc/kubeconfig/kubeconfig

diff --git a/pkg/proxyagent/agent/manifests/charts/addon-agent/values.yaml b/pkg/proxyagent/agent/manifests/charts/addon-agent/values.yaml
@@ -46,7 +46,7 @@ proxyConfig:
   HTTPS_PROXY: null
   NO_PROXY: null
 
-impersonatePermissionEnabled: "true"
+enableImpersonation: "true"
 
 global:
   resourceRequirements: []
diff --git a/pkg/serviceproxy/service_proxy.go b/pkg/serviceproxy/service_proxy.go
@@ -54,6 +54,8 @@ type serviceProxy struct {
 	hubKubeConfig            string
 	hubKubeClient            kubernetes.Interface
 	managedClusterKubeClient kubernetes.Interface
+
+	enableImpersonation bool
 }
 
 func newServiceProxy() *serviceProxy {
@@ -75,6 +77,7 @@ func (s *serviceProxy) AddFlags(cmd *cobra.Command) {
 	flags.DurationVar(&s.idleConnTimeout, "idle-conn-timeout", 90*time.Second, "The maximum amount of time an idle (keep-alive) connection will remain idle before closing itself.")
 	flags.DurationVar(&s.tLSHandshakeTimeout, "tls-handshake-timeout", 10*time.Second, "The maximum amount of time waiting to wait for a TLS handshake.")
 	flags.DurationVar(&s.expectContinueTimeout, "expect-continue-timeout", 1*time.Second, "The amount of time to wait for a server's first response headers after fully writing the request headers if the request has an \"Expect: 100-continue\" header.")
+	flags.BoolVar(&s.enableImpersonation, "enable-impersonation", true, "Whether to enable impersonation")
 }
 
 func (s *serviceProxy) Run(ctx context.Context) error {
@@ -179,10 +182,12 @@ func (s *serviceProxy) ServeHTTP(wr http.ResponseWriter, req *http.Request) {
 	}
 
 	if url.Host == "kubernetes.default.svc" {
-		if err := s.processAuthentication(req); err != nil {
-			klog.ErrorS(err, "authentication failed")
-			http.Error(wr, err.Error(), http.StatusUnauthorized)
-			return
+		if s.enableImpersonation {
+			if err := s.processAuthentication(req); err != nil {
+				klog.ErrorS(err, "authentication failed")
+				http.Error(wr, err.Error(), http.StatusUnauthorized)
+				return
+			}
 		}
 	}