Red Hat Advanced Cluster Management / ACM-15712

ACM CNV Implement impersonation for VM related actions


    • Product / Portfolio Work
    • In Progress
    • VIRTSTRAT-51 - Enable fine-grained RBAC support in ACM for Virt use cases
    • 0% To Do, 0% In Progress, 100% Done

      Epic Goal

      When users perform CNV-related actions through ACM, it is not clear on the
      managed-cluster side which user did what, because permissions are only enforced on a service account.

      This Epic is to implement a way to make this user information available on the managed cluster as well.

      "We are thinking that our cluster-proxy could be enhanced to enforce the impersonation when proxying a request to the managed cluster."

      ...

      Why is this important?

      Because you cannot audit users on managed clusters (ACM could claim this is by design, since all operations are controlled via the hub).

      The DDR related to this Epic: https://docs.google.com/document/d/1drh1_fZX586_9Gf4-0Z2DnVTYeAF8aLmyjyNBCkxiTM/edit?tab=t.0

      Scenarios

      Execute a CRUD or Get operation via the reverse proxy, and:

      1. Validate against the ACM Hub OIDC
      2. Impersonate that user on the hub, and apply local RBAC (RoleBindings & Roles)

      Acceptance Criteria

      Log shows impersonated user

      RBAC is enforced on the impersonated user
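The two-step flow from the Scenarios above (validate the caller on the hub, then impersonate that user and let the managed cluster's own RoleBindings decide) together with the "log shows impersonated user" criterion, as an added Go example that is not cluster-proxy's own code: the hub-side token check is passed in as a function (assumed; a real proxy would call the hub's TokenReview or OIDC endpoint), and the target URL and identities are constructed.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// Identity is the user the hub resolved from the caller's bearer token.
type Identity struct {
	Username string
	Groups   []string
}
// SetImpersonation drops any Impersonate-* headers the client sent (so a caller cannot pick
// an arbitrary user by smuggling headers through the proxy), then sets the hub-validated identity.
func SetImpersonation(h http.Header, id Identity) {
	for k := range h {
		if strings.HasPrefix(strings.ToLower(k), "impersonate-") {
			h.Del(k)
		}
	}
	h.Del("Authorization") // the proxy's own service-account credential is assumed to be added by its transport
	h.Set("Impersonate-User", id.Username)
	for _, g := range id.Groups {
		h.Add("Impersonate-Group", g)
	}
}
// NewImpersonatingProxy validates the caller on the hub (validate stands in for a TokenReview/OIDC check),
// rewrites the request to impersonate that user and forwards it to the managed cluster API at target.
func NewImpersonatingProxy(target *url.URL, validate func(token string) (Identity, bool)) http.Handler {
	rp := httputil.NewSingleHostReverseProxy(target)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		token := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		if id, ok := validate(token); ok && token != "" {
			SetImpersonation(r.Header, id)
			log.Printf("%s %s impersonating user=%s groups=%v", r.Method, r.URL.Path, id.Username, id.Groups)
			rp.ServeHTTP(w, r)
			return
		}
		http.Error(w, "unauthorized", http.StatusUnauthorized)
	})
}

func main() { // constructed stand-in; a real deployment targets the managed cluster API and validates on the hub
	target, _ := url.Parse("https://managed-cluster.example:6443")
	stub := func(t string) (Identity, bool) { return Identity{"alice", []string{"vm-operators"}}, t == "demo-token" }
	log.Fatal(http.ListenAndServe(":8080", NewImpersonatingProxy(target, stub)))
}
```

The managed cluster's audit log then records both the proxy's service account and the impersonated user, and RBAC is evaluated against the impersonated user's RoleBindings rather than the service account's.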

      Dependencies (internal and external)

      1. ClusterPermissions are present
      2. OIDC or auth for the user on the HUB is in place

      Previous Work (Optional):

      1. ClusterPermissions
      2. ReverseProxy

      Open questions:

      1. Create an Act-As Kubernetes Enhancement Proposal

      Done Checklist

      • CI - CI is running, tests are automated and merged.
      • Release Enablement <link to Feature Enablement Presentation>
      • DEV - Upstream code and tests merged: <link to meaningful PR or GitHub
        Issue>
      • DEV - Upstream documentation merged: <link to meaningful PR or GitHub
        Issue>
      • DEV - Downstream build attached to advisory: <link to errata>
      • QE - Test plans in Polarion: <link or reference to Polarion>
      • QE - Automated tests merged: <link or reference to automated tests>
      • DOC - Doc issue opened with a completed template. Separate doc issue
        opened for any deprecation, removal, or any current known
        issue/troubleshooting removal from the doc, if applicable.

              ZHAO XUE (zxue@redhat.com), Christian Stark (rhn-support-cstark), Hui Chen