in cmd/gke-identity-service-migrator/main.go [542:559]
// MigrateSubject rewrites a federated RBAC subject into its workforce-pool
// principal form and returns every other subject unchanged.
//
// A subject recognised by GetFederatedUser becomes a "User" named
// principal://…/workforcePools/<pool>/subject/<name>. Otherwise, a subject
// recognised by GetFederatedGroup becomes a "Group" named
// principalSet://…/workforcePools/<pool>/group/<name>. The group check runs
// only when the user check did not match.
//
// Only APIGroup, Kind and Name are set on a rewritten subject; no other
// field of subIn is carried over.
//
// NOTE(review): the pool name and the recognised name are interpolated into
// the principal identifier verbatim. The resulting string is what RBAC will
// match against, so confirm that GetFederatedUser/GetFederatedGroup (not
// visible here) only return names that cannot alter the identifier's path
// structure (for example by containing '/'), and that r.workforcePoolName
// is validated where it is set.
func (r *subjectRecognizer) MigrateSubject(subIn rbacv1.Subject) rbacv1.Subject {
	const (
		rbacAPIGroup    = "rbac.authorization.k8s.io"
		userPrincipal   = "principal://iam.googleapis.com/locations/global/workforcePools/%s/subject/%s"
		groupPrincipal  = "principalSet://iam.googleapis.com/locations/global/workforcePools/%s/group/%s"
		kindUser        = "User"
		kindGroup       = "Group"
	)

	// Federated user: maps to a single workforce-pool principal.
	if user, isUser := r.GetFederatedUser(subIn); isUser {
		return rbacv1.Subject{
			APIGroup: rbacAPIGroup,
			Kind:     kindUser,
			Name:     fmt.Sprintf(userPrincipal, r.workforcePoolName, user),
		}
	}

	// Federated group: maps to a workforce-pool principal set.
	if group, isGroup := r.GetFederatedGroup(subIn); isGroup {
		return rbacv1.Subject{
			APIGroup: rbacAPIGroup,
			Kind:     kindGroup,
			Name:     fmt.Sprintf(groupPrincipal, r.workforcePoolName, group),
		}
	}

	// Non-federated subjects are copied over as-is.
	return subIn
}