Configuring Impersonation without OpenUnison
The OpenUnison operator automated a couple of key steps to get impersonation working. There are other projects designed specifically for Kubernetes, such as JetStack's OIDC Proxy (https://github.com/jetstack/kube-oidc-proxy), that are designed to make using impersonation easier. You can use any reverse proxy that can generate the correct headers. There are two critical items to understand when doing this on your own.
Impersonation RBAC policies
RBAC will be covered in the next chapter, but for now, the correct policy to authorize a service account for impersonation is as follows:
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata:   name: impersonator rules: - apiGroups:   - ""   resources:   - users   - groups   verbs:   - impersonate
To constrain what accounts can be impersonated, add resourceNames
to your rule.