Merge pull request #1188 from XiShanYongYe-Chang/ignore-some-group-with-impersonate

Ignore auto-generated user groups when proxy request

pkg/registry/cluster/storage/proxy.go

@@ -11,6 +11,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/proxy"
+	"k8s.io/apiserver/pkg/authentication/user"
 	"k8s.io/apiserver/pkg/endpoints/handlers/responsewriters"
 	"k8s.io/apiserver/pkg/endpoints/request"
 	genericregistry "k8s.io/apiserver/pkg/registry/generic/registry"
@@ -101,7 +102,9 @@ func newProxyHandler(location *url.URL, transport http.RoundTripper, impersonate
 		}
 		req.Header.Set(authenticationv1.ImpersonateUserHeader, requester.GetName())
 		for _, group := range requester.GetGroups() {
-			req.Header.Add(authenticationv1.ImpersonateGroupHeader, group)
+			if !skipGroup(group) {
+				req.Header.Add(authenticationv1.ImpersonateGroupHeader, group)
+			}
 		}
 
 		req.Header.Set("Authorization", fmt.Sprintf("bearer %s", impersonateToken))
@@ -111,6 +114,15 @@ func newProxyHandler(location *url.URL, transport http.RoundTripper, impersonate
 	}), nil
 }
 
+func skipGroup(group string) bool {
+	switch group {
+	case user.AllAuthenticated, user.AllUnauthenticated:
+		return true
+	default:
+		return false
+	}
+}
+
 func newThrottledUpgradeAwareProxyHandler(location *url.URL, transport http.RoundTripper, wrapTransport, upgradeRequired bool, responder rest.Responder) *proxy.UpgradeAwareHandler {
 	handler := proxy.NewUpgradeAwareHandler(location, transport, wrapTransport, upgradeRequired, proxy.NewErrorResponder(responder))
 	return handler