
Adjust deep SAR for SA #3867

Open
mjudeikis wants to merge 3 commits into kcp-dev:main from mjudeikis:sar.sarring

Conversation

@mjudeikis
Contributor

@mjudeikis mjudeikis commented Feb 27, 2026

Summary

fix: strip scopes from ServiceAccount tokens in maximal permission policy check

What Type of PR Is This?

/kind bug
Fix 403 Forbidden when ServiceAccount accesses claimed resources via APIExport virtual workspace
Strip scope-related Extra fields only for ServiceAccounts in maximal permission policy authorizer
Add e2e test to prevent regression

When an APIExport includes a permissionClaim on resources from another APIExport (e.g., tenancy.kcp.io/workspaces), and a consumer accepts that claim in an APIBinding, the provider's ServiceAccount receives a 403 Forbidden when accessing the claimed resources via the APIExport virtual workspace—even though it has proper apiexports/content RBAC.

Root Cause

ServiceAccount tokens are scoped to their originating workspace (e.g., cluster:root:org:provider). When accessing claimed resources, the maximal permission policy check runs in the workspace where the claimed APIExport lives (e.g., root for tenancy.kcp.io). The deep SubjectAccessReview fails because the SA token's scope doesn't include the target workspace.

Solution

Strip scope-related Extra fields (authentication.kcp.io/scopes and authentication.kcp.io/cluster-name) from ServiceAccounts only in prefixAttributes() before running the maximal permission policy check.

This is safe because:

  • BoundAPIAuthorizer already verified the request targets a valid bound resource
  • APIExportsContentAuthorizer already verified apiexports/content permission in the provider workspace
  • MaximalPermissionAuthorizer checks what the claimed APIExport allows—scope mismatch is a false negative here
  • Regular users are intentionally not affected—their scopes are preserved. This is the expected behavior since users may have scopes set via impersonation for security reasons.

Related Issue(s)

Fixes #3840

Release Notes

Strip scopes from ServiceAccount tokens in maximal permission policy check
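As an added illustration of the fix described in this PR (example code, not taken from the PR or from kcp), the Go sketch below models why the deep SubjectAccessReview returned a false negative for a scoped ServiceAccount token and what removing the two scope-related Extra fields for ServiceAccounts only changes. The UserInfo type, the "cluster:<name>" scope format and the system:serviceaccount: username prefix are assumptions of the example; kcp's real prefixAttributes() is not reproduced here.

```go
package main

import "strings"

// UserInfo is a minimal stand-in for the apiserver's user.Info (an assumption
// of this example); Extra carries the two scope fields named in the PR.
type UserInfo struct {
	Name  string
	Extra map[string][]string
}

const scopesKey = "authentication.kcp.io/scopes"
const clusterNameKey = "authentication.kcp.io/cluster-name"

// isServiceAccount relies on the Kubernetes naming convention for SA users.
func isServiceAccount(u UserInfo) bool {
	return strings.HasPrefix(u.Name, "system:serviceaccount:")
}

// scopeAllowsCluster models the deep SAR scope check: a "cluster:<name>" scope
// admits only that cluster (assumed format, matching the PR's example scope);
// an identity without a scopes field is unrestricted.
func scopeAllowsCluster(u UserInfo, cluster string) bool {
	scopes, ok := u.Extra[scopesKey]
	if !ok {
		return true
	}
	for _, s := range scopes {
		if s == "cluster:"+cluster {
			return true
		}
	}
	return false
}

// stripServiceAccountScopes returns a copy of u without the scope-related Extra
// fields, for ServiceAccounts only; other users come back unchanged so their
// impersonation scopes keep applying. u.Extra itself is never mutated, so the
// authorizers that ran before this step still saw the original scopes.
func stripServiceAccountScopes(u UserInfo) UserInfo {
	if !isServiceAccount(u) {
		return u
	}
	out := UserInfo{Name: u.Name, Extra: map[string][]string{}}
	for k, v := range u.Extra {
		if k != scopesKey && k != clusterNameKey {
			out.Extra[k] = append([]string(nil), v...)
		}
	}
	return out
}
```

With the constructed SA identity scoped to cluster:root:org:provider, scopeAllowsCluster reports false for the root workspace before stripping and true afterwards, while a regular user carrying the same scope stays denied.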

@kcp-ci-bot kcp-ci-bot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/bug Categorizes issue or PR as related to a bug. dco-signoff: yes Indicates the PR's author has signed the DCO. labels Feb 27, 2026
@kcp-ci-bot
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign xrstf for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kcp-ci-bot kcp-ci-bot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Feb 27, 2026
@mjudeikis
Contributor Author

This is early, want to see how many things break

@kcp-ci-bot kcp-ci-bot removed the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Feb 27, 2026
@mjudeikis mjudeikis changed the title from "Adjust deep sar for SA" to "Adjust deep SAR for SA" Feb 27, 2026
@kcp-ci-bot kcp-ci-bot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Feb 27, 2026
@mjudeikis
Contributor Author

/retest

@kcp-ci-bot
Contributor

@mjudeikis: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name: pull-kcp-test-e2e-sharded
Commit: 3f3d1e8
Details: link
Required: true
Rerun command: /test pull-kcp-test-e2e-sharded

Full PR test history


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.


Development

Successfully merging this pull request may close these issues.

bug: access denied for permissionClaim on tenancy.kcp.io resources