How to make impersonate work with kubernetes go-client

I'm looking for a way to run kubectl auth can-i get pods --as system:serviceaccount:default:test using kubernetes go-client.

So far I have the code below, but it doesn't work: it returns a different response from kubectl auth can-i. I know this involves impersonation, so I set rest.ImpersonationConfig, but it still doesn't work.

Steps to reproduce:

# Start a local throwaway cluster; by default kind points the current kubeconfig context at it.
kind create cluster
# Create service account "test" in the current namespace (default here).
kubectl create sa test
# Namespaced Role that allows only get and list on pods.
kubectl create role test --verb=get --verb=list --resource=pods
# Bind that Role to the service account default:test.
kubectl create rolebinding test --role=test --serviceaccount=default:test

# Ask the API server, while impersonating the service account, whether it may get pods.
# The calling identity needs the "impersonate" permission for --as to be accepted.
kubectl auth can-i get pod --as system:serviceaccount:default:test
# yes


package main

import (
    "context"
    "fmt"
    "os"

    authv1 "k8s.io/api/authorization/v1"
    metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    "k8s.io/client-go/kubernetes"
    "k8s.io/client-go/rest"
    "k8s.io/client-go/tools/clientcmd"
)

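// main asks the API server whether the service account default:test may
// "get" pods in the default namespace, the client-go equivalent of
// `kubectl auth can-i get pods --as system:serviceaccount:default:test`.
//
// It prints "yes" or "no" and exits non-zero on any setup or API error.
func main() {
    kubeconfig := fmt.Sprintf("%s/.kube/config", os.Getenv("HOME"))
    config, err := clientcmd.BuildConfigFromFlags("", kubeconfig)
    if err != nil {
        fmt.Fprintf(os.Stderr, "loading kubeconfig %q: %v\n", kubeconfig, err)
        os.Exit(1)
    }

    // Every request made through this config carries the Impersonate-User
    // header. The API server honours it only when the kubeconfig identity
    // holds the "impersonate" verb for this subject; audit events record both
    // the real and the impersonated user. Keep that permission narrowly scoped.
    config.Impersonate = rest.ImpersonationConfig{
        UserName: "system:serviceaccount:default:test",
    }

    clientset, err := kubernetes.NewForConfig(config)
    if err != nil {
        fmt.Fprintf(os.Stderr, "building clientset: %v\n", err)
        os.Exit(1)
    }

    // Resource must be the plural API resource name. kubectl resolves aliases
    // such as "pod" through API discovery before it sends the review; client
    // code has to supply "pods" itself. With "pod" no RBAC rule matches and the
    // review reports not allowed even though kubectl answers "yes".
    action := authv1.ResourceAttributes{
        Namespace: "default",
        Verb:      "get",
        Resource:  "pods",
    }

    selfCheck := authv1.SelfSubjectAccessReview{
        Spec: authv1.SelfSubjectAccessReviewSpec{
            ResourceAttributes: &action,
        },
    }

    // "Self" is evaluated after impersonation, so the review describes the
    // service account rather than the kubeconfig user.
    resp, err := clientset.AuthorizationV1().
        SelfSubjectAccessReviews().
        Create(context.TODO(), &selfCheck, metav1.CreateOptions{})
    if err != nil {
        fmt.Fprintf(os.Stderr, "creating SelfSubjectAccessReview: %v\n", err)
        os.Exit(1)
    }

    // Mirror kubectl's yes/no output.
    if resp.Status.Allowed {
        fmt.Println("yes")
    } else {
        fmt.Println("no")
    }
}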

Content Attribution

This content was originally published by danielinclouds at Recent Questions - Stack Overflow, and is syndicated here via their RSS feed. You can read the original post over there.
