v3.4 to 3.5
Breaking Changes
Behavioral Improvements / Fixes
Impersonation extended to server operations
When impersonation is enabled, it now applies to all API server operations, not just sync operations. This means that actions triggered through the UI or API (viewing logs, listing events, deleting resources, running resource actions, etc.) will use the impersonated service account derived from the AppProject's destinationServiceAccounts configuration.
Previously, impersonation only applied to sync operations.
Affected operations and required permissions:
| Operation | Kubernetes API call | Required RBAC verbs |
|---|---|---|
| Get resource | GET on the target resource | get |
| Patch resource | PATCH on the target resource | get, patch |
| Delete resource | DELETE on the target resource | delete |
| List resource events | LIST on events (core/v1) | list |
| View pod logs | GET on pods and pods/log | get |
| Run resource action | GET, CREATE, PATCH on the target resource | get, create, patch |
This list covers built-in operations. Custom resource actions may require additional permissions depending on what Kubernetes API calls they make.
Users with impersonation enabled must ensure the service accounts configured in destinationServiceAccounts have permissions for these operations.
No action is required for users who do not have impersonation enabled.
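One way to check a configured service account against the table above before upgrading, as an added example that is not part of the Argo CD documentation. The function name and its three arguments (namespace, service account name, target resource type) are assumptions supplied by the caller, and the caller needs permission to impersonate service accounts for `--as` to work.

```shell
#!/bin/sh
# Added example (not Argo CD's own code): report which of the RBAC verbs
# listed in the table are missing for an impersonated service account.
#
# Arguments (all hypothetical, supplied by the caller):
#   $1  destination namespace
#   $2  service account name from destinationServiceAccounts
#   $3  resource type the Application manages, e.g. deployments.apps
#
# Prints one "MISSING <verb> <resource>" line per gap and exits non-zero
# if any permission is missing. The body runs in a subshell so its
# variables do not leak into the calling shell.
check_impersonated_sa() (
  ns=$1
  sa=$2
  target=$3
  as="system:serviceaccount:${ns}:${sa}"
  missing=0

  # Each line: verb, resource, optional subresource (rows of the table).
  while read -r verb res sub; do
    # can-i exits 0 when the action is allowed and 1 when it is not.
    if ! kubectl auth can-i "$verb" "$res" ${sub:+--subresource="$sub"} \
         --as="$as" -n "$ns" --quiet </dev/null; then
      echo "MISSING ${verb} ${res}${sub:+/$sub}"
      missing=1
    fi
  done <<EOF
get $target
patch $target
delete $target
create $target
list events
get pods
get pods log
EOF

  [ "$missing" -eq 0 ]
)

# Usage (values are placeholders):
#   check_impersonated_sa my-namespace my-deployer-sa deployments.apps
```

Run it once per resource type the Application manages; custom resource actions may need checks beyond these rows.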